GDPR Lawyers: Making a Case for Affiliate Networks as Controllers

Like all aspects of digital marketing, affiliate marketing is going to be impacted by GDPR in significant ways. However, unlike a lot of other digital marketing channels, affiliate marketing is substantially better placed to handle those challenges.

Decision Making – Data Controller or Data Processor?

The first thing to decide when doing any GDPR analysis is “Who is the controller and who, if anyone, is a processor?”. This is important because controllers have far more obligations under GDPR than processors.

A controller determines why and how data is processed. They can do this alone or with other controllers. Processors can decide how data is processed on behalf of the controller, but this is limited to secondary aspects. If a processor decides what data to process, for example, that processor can become a joint controller with the first controller. This will happen whether they like it or not. It’s a question of fact, so it all comes down to what people are actually doing at the time.

Some networks are arguing they are data processors, on the basis that their advertisers make all key decisions about data. This is technically possible, but we do not think this reflects how affiliate networks really work.

Ordinarily, affiliate networks decide technical aspects of the tracking and reporting, and also provide account management, which usually means deciding what data to process in order to achieve the advertisers’ objectives. The result is that they end up taking on the data controller role jointly with the advertiser.

Under data processor status, a network can never really make any important decisions about data when running the business. The network could make suggestions about data processing to the advertiser and the advertiser may instruct the network on the basis of that suggestion, but equally, they may not. Practically, things like platform or tracking upgrades then become very difficult, because all advertisers on the network would need to agree to the processing of any new data. This scenario flows down to publishers with similar consequences. A publisher that acts as a network’s sub-processor loses much of its decision-making power in respect of data when running its business.

With joint controllers, this problem does not arise. Another advantage of the joint controller relationship is that there is no need to enter data processing agreements. From a network’s point of view, they do not end up liable for publishers who would otherwise be acting as sub-processors.

One thing is for certain: if any network or publisher argues they’re a processor, they had better get this right. If, on the facts, they are considered to be a data controller by a regulator, they will find themselves in breach of many of the GDPR’s key obligations applicable to controllers.

Legal Basis – Legitimate Interest or Consent

I am quite comfortable that tracking, even when tracking is undertaken across devices, can be done on the legal basis of legitimate interest. This is significant because it is a non-consent basis for lawful processing. The impact of this processing on individuals is fairly low and there are also lots of practical safeguards that can be put in place to protect people.

It is not yet clear what success websites will have in obtaining consent, but we have to assume that a significant portion of the market will decline. In my view, that is enough of a reason to avoid consent as a legal basis. From a legal perspective, consent is more difficult than other legal bases. Consents need to be managed, made revocable and they afford individuals much greater rights. Processing pseudonymous data (i.e. data that relates to a single person, but doesn’t allow that person to be identified) on the basis of legitimate interest brings minimal rights for individuals and therefore a much lighter compliance burden for businesses.

If you’re considering doing both, I’d think twice. It is not possible to combine consent and legitimate interest, for example, by using legitimate interest as a secondary legal basis. The regulators have made it clear in their guidance that this arrangement is unfair on individuals because it creates a scenario where a person who has not consented, and as a result expects that they will not be tracked, is then tracked anyway.

What about ePrivacy and cookie consent?

Probably the biggest area of confusion that we have seen relates to the relationship between ePrivacy and GDPR, because both have a consent concept but they’re fundamentally different.

Under GDPR, consent is one of a number of legal bases for processing personal data. Under ePrivacy, consent is the only way to lawfully set a cookie (unless that cookie is strictly necessary to deliver a service requested by the individual).

It’s confusing because cookies contain personal data, so they are caught by both laws – under ePrivacy’s regulation of cookies as a technology and GDPR’s regulation of cookies as personal data. GDPR also has the effect of ‘retrofitting’ the GDPR consent definition into the existing ePrivacy laws, which raises the bar for obtaining valid consent.

However, this does not mean that the two consents are actually the same; ePrivacy consent is much easier to obtain and manage and the risks, if we get it wrong, are far less.

Under GDPR, there is much more information to be delivered to the individual in order to inform them before they give consent. ePrivacy consent is also unlikely to need many of the additional obligations that come along with GDPR’s consent – the main change caused by application of the GDPR consent standard into ePrivacy is to require the individual to do something to indicate their consent (rather than just ignore the cookie banner).

Another interesting distinction between the consents of ePrivacy and GDPR is that the latest draft of the new ePrivacy laws permits companies to refuse access to their websites if ePrivacy consent isn’t given by the individual. This is bound to help consent opt-in rates – for GDPR consent, refusing access to those that don’t consent is specifically prohibited – the website has to be offered anyway, which gives little reason for individuals to consent to data processing. For now, it isn’t clear whether this permission applies to existing ePrivacy law and it may not make it into the final text of any new ePrivacy laws.

If consent is not obtained properly under ePrivacy, the likelihood of enforcement is much lower than under GDPR (for a variety of reasons that we won’t go into right now). Most significantly, ePrivacy fines remain capped at £500 K, whereas GDPR fines are up to €20 million or 4% of group global turnover, if higher.

My recommendation is therefore always to use legitimate interest instead of GDPR consent whenever possible, even though we will all need to obtain ePrivacy consent to a higher standard. In fact, we already do, but it will soon become a more involved process.

For some affiliate networks, using legitimate interest is impossible because they are making use of tracking data for a second purpose, often related to programmatic advertising and behavioural profiling. This puts networks in an awkward position because they depend on publishers to obtain GDPR consent for them.

A publisher that monetises primarily by CPA should think twice before obtaining consent for a third party to data processing that may not benefit them. Not only does the user experience suffer, but if the consent is refused, the tracking necessary to claim the CPA isn’t possible and that revenue is lost.

When reading a recent network Q&A posted by PerformanceIN, I was surprised to see such a lack of consensus. This is not helpful for publishers. As always, but especially in the absence of any generally accepted industry practice, we would recommend publishers think for themselves when considering which approach to GDPR is best for them.

Agree or disagree with Eitan’s comments, or have something else to add? Let us know below, or if you’d like to post a reply, email us at

*Sheridans is a law firm providing legal advice to Awin; the opinions provided in this piece are not necessarily the views or interpretations of legal experts advising other affiliate networks.
