What affiliate marketers need to know about the GDPR
If you’re an affiliate marketer, you’ve probably heard a lot of talk recently about the GDPR. The GDPR or “General Data Protection Regulations” will come into force in the European Union on the 25th May 2018, and anyone who runs a business that collects personal information about people on the internet needs to ensure that they comply with them.
This means that the GDPR applies to affiliate marketers too, so if you’re running an affiliate business you have to make sure that you follow the new rules, to avoid falling foul of the law – and potentially, attracting a stiff penalty.
In this article, we will answer the question “what is the GDPR” and explain how the GDPR applies to affiliate marketers. We’ll also cover the basics of what affiliate marketers need to do for the GDPR before the 25th May 2018 to make sure that they comply with the new regulations.
What is the GDPR?
The GDPR or General Data Protection Regulations are a new set of rules that will come into force in the European Union on the 25th May 2018. Even if your business is not located in the European Union itself, if you serve customers in the EU – including both selling to them and capturing personal information like names and email addresses from them online – you will have to comply with the new regulations.
The GDPR will replace the EU’s current data protection regulations, and the new rules are intended to reflect the changing nature of the global market in the digital age when people buy and sell products and services over the internet all across the world.
Basically, the GDPR is intended to set out the rules for how the personal data of people in the EU can be collected, stored, and shared, offering individuals more say over who holds their personal data and how it is used.
The GDPR applies across all of the EU countries – including the UK, despite the forthcoming Brexit. It doesn’t matter if you as an affiliate marketer aren’t located in the EU yourself – if you sell to EU buyers or collect any personal information from people in the EU, the GDPR applies to you.
Does the GDPR apply to affiliate marketers?
The GDPR applies to every business and organization that is in the EU or that uses data from people in the EU – right through from huge multinational conglomerates to freelancers and one-man sole traders. It even applies to people who don’t sell things or make any money from collecting and using other people’s personal data – like people who run personal blogs, or anything else that captures personal information about others.
This means that the GDPR applies to affiliate marketers and their businesses too – unless you don’t offer goods or services to customers in the EU and, crucially, don’t collect or monitor data about any people in the EU either.
What is personal data?
The GDPR is built on regulating the collection, storage, use, and sharing of personal data. Personal data is defined as “information that can be used to either directly or indirectly identify a specific person.”
This includes a huge number of different things including names, addresses, email addresses, phone numbers, bank or payment details, website cookie information, IP addresses, and much more.
How does the GDPR affect affiliate marketers?
The chances are that, like most businesses, if you’re involved in affiliate marketing you’re going to have to make some changes to comply with the GDPR.
Here are some of the main things to bear in mind for affiliate marketers getting ready for the GDPR.
If you collect, process or store personal data about EU customers, how and why you are allowed to do this is about to change.
You’re only allowed to collect, process, and store this data if one of the following applies:
• The person who gives you the personal data opted in to allow you to use it.
• You need the data to fulfill a contract with the person who provides it (like selling them something).
• You have a legitimate or vital interest in the information.
• You have a legal obligation to have the data.
• The information will be used to perform a task that is in the public interest.
For affiliate marketers, the first two points mentioned above are those most likely to apply to you.
In practice, this means that any time you request personal information from a customer or website user, they have to opt in to giving it to you. If you use a contact form to collect data for marketing purposes, as part of a sign-up, or to give access to content, the other person has to opt in to give you permission. If you currently use a contact form that has to be ticked to opt out, or that is pre-ticked with an opt-in permission, you will have to change it so that the default setting is opted out, and the customer has to actively opt in instead.
The same rule applies to people who email you or give you their personal information in any other way – you can only request that information if one of the bullet points above applies to it, and you have to make it clear to those people why you need their personal data and what you will do with it.
What do affiliate marketers need to do for the GDPR?
There’s quite a lot to do for most affiliate marketers when it comes to complying with the GDPR.
For new customers and prospects, and also for those whose information you already hold, you have to inform them of the basis on which you are collecting their data, why you are collecting it, and how you will use it.
One of the biggest ways in which the GDPR will potentially affect affiliate marketers comes down to your marketing activities themselves. Many successful affiliates rely on direct marketing to reach their buyers and boost sales, which previously, was often achieved with the use of personal data collected for other purposes – such as when making a sale or receiving a contact form submission.
When the GDPR comes into force, the rules surrounding how you obtain consent to do this will become much stricter – it is no longer enough to have a statement saying something like “by filling in this form/giving us your details, you consent to our using it for marketing purposes” – or to say nothing at all.
You have to receive clear consent for using personal data for direct marketing. People that you market to have to opt in. It is not enough to opt them in automatically and make them choose to opt out.
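As an added illustration, not code from the article: a minimal server-side consent model in JavaScript that enforces the points above. A marketing opt-in only counts when the user ticked a box that the form renders unticked by default, the lawful basis is recorded alongside the data, and data held to fulfil an order is not reused for direct marketing. The form ids, field names and sample contacts are constructed assumptions.

```javascript
// Added example (not the article's code). Form ids, field names and the
// contact records below are assumptions constructed for illustration.

// Registry of the forms this site serves. Consent is only accepted from
// forms known to render the marketing checkbox unticked by default.
const FORMS = {
  "signup-v1": { defaultTicked: true,  purposes: ["marketing"] },   // legacy pre-ticked form
  "signup-v2": { defaultTicked: false, purposes: ["marketing"] },   // compliant form
  "checkout":  { defaultTicked: false, purposes: ["fulfil_order"] },
};

// Build a lawful-basis record from a form submission. Browsers only send a
// checkbox field when it is ticked, so a missing field means "not opted in".
function recordFromSubmission(formId, fields, now = new Date("2018-05-25T00:00:00Z")) {
  const form = FORMS[formId];
  if (!form) return null;
  if (formId === "checkout") {
    // Order data is held to fulfil a contract; no marketing purpose attached.
    return { email: fields.email, basis: "contract", purposes: ["fulfil_order"],
             source: formId, givenAt: now.toISOString() };
  }
  if (fields.marketing_consent !== "on") return null;  // no affirmative opt-in
  if (form.defaultTicked) return null;                  // pre-ticked box is not valid consent
  return { email: fields.email, basis: "consent", purposes: form.purposes,
           source: formId, givenAt: now.toISOString() };
}

// Does this record justify using the person's data for the given purpose?
function mayUseFor(record, purpose) {
  if (!record) return false;
  if (record.basis === "contract") return purpose === "fulfil_order";
  return record.basis === "consent" && record.purposes.includes(purpose);
}

// Filter a mailing list down to contacts with a recorded marketing opt-in.
// Contacts imported without any record (pre-GDPR lists) are excluded until
// they opt in again.
function marketingRecipients(contacts) {
  return contacts.filter(c => mayUseFor(c.record, "marketing")).map(c => c.email);
}
```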
A simple GDPR checklist for affiliate marketers
• Think about how you collect, use, and store people’s personal data and assess what areas of your current systems will need changing or updating to comply with the GDPR.
• Offer transparency and honesty to your consumers (including people who use your website or otherwise give you personal information but don’t buy from you) and make it clear to them the legal basis for collecting their information, including how it is stored, used and shared – and how you keep their information safe.
• Don’t forget that the GDPR for affiliate marketers doesn’t just apply to new personal data you obtain after the law comes into force – it also applies to information you already hold. This means that you need to update people whose personal information you already have, which may also mean asking them to opt in again to your mailing lists or marketing databases.
• Ensure that you’re taking all of the necessary steps to protect the personal information that you hold – which means using device encryption, and not storing, processing, or transferring the data of EU service users outside of the EEA, other than to territories whose own laws comply with the regulations.
• Check with the affiliate scheme you work with that they are working on their own GDPR compliance, because when you pass personal data you have collected on to the scheme as part of running your affiliate business, the same rules apply at every stage of the process.
• Remember, getting your affiliate marketing GDPR compliance right is down to you, as the person who collects, stores, and uses other people’s personal information. This article is intended as a basic guide to the GDPR for affiliate marketers and doesn’t take the place of professional legal advice.
What happens if you don’t comply with the GDPR?
If you don’t comply with the GDPR and follow all of the rules in place to protect EU consumers, you might potentially face stiff penalties.
In a worst-case scenario, a business that hasn’t complied with the GDPR can potentially be fined up to €20 million or 4% of their annual turnover, whichever is higher.
The chances of being penalized to this extent are generally considered to be low – but if you deliberately or negligently fail to comply with the GDPR, or a serious data breach that you could have prevented compromises the integrity of your service users’ personal information and rights, you might be penalized.