Are you tired of hearing about GDPR yet? How many emails did you get over the past couple of weeks with GDPR in the subject? How many new Privacy Policies or Terms of Service have you been alerted to?
But do you really understand what’s going on and how these are going to directly affect you?
You’ve probably heard the gist that it’s Europe’s fault and that it all has to do with “harmonizing data privacy laws across Europe” and “making privacy a human right”. But really, if you are being honest with yourself, you get the sense that it’s going to make your job, as a marketer, a whole lot harder (if you even choose to pay attention). However, you’ve also heard that you really probably should be paying attention because the fines are crazy! Something like 4% of gross revenue or was it $20M? …Is this the end of digital marketing in Europe? Is MarTech doomed?
Don’t worry, you aren’t alone — GDPR is confusing as F&%K! — but definitely not impossible.
Our goal with this post is to help clarify a few things, especially for you, a marketer who appreciates a well-crafted link, a solid link management platform, and knows that improved conversion rates come from sweating the details and paying attention to the long tail.
So, join us as we poke at the bear and try to understand if GDPR is worth the effort (spoiler: it is) or a marketing apocalypse (only if you let it be!). But first, a quick disclaimer that even though we asked for help from legal experts we are not lawyers and there is absolutely zero legal advice in this post so don’t even try!
Risk Based Regulation
First off it’s important to note that GDPR is “Risk Based Regulation” instead of a “Prescriptive Regulation”. GDPR sets forth general principles that a company must embed and follow, rather than prescribing specific means to compliance (where the latter would be as simple as essentially just copying and pasting whatever specific requirements there may be).
The gist is that GDPR is a massive step forward and as such the writers realized they couldn’t possibly have all of the answers. So they wrote it in a way that the details could be worked out in the coming months and years as the bad apples are found and made an example of. For every company that is “caught” in violation, we will have a much clearer idea of what is and isn’t cool. This is referred to as “setting precedent.”
Yeah, this kind of sucks for you (and us too). It means that each of us needs to think about it really hard and make an interpretation of what GDPR means to our own businesses. Then put in the hard work to do what we think is right by the legislation. The good news is, at least as I understand it, best effort is fine for now — rumor has it that the authorities plan to use the “carrot” more than their “stick”, at least initially. But, remember doing something right the first time means you don’t have to do it again in the near future so as appealing as it is to cut corners you might want to think twice about that and give it your best effort.
TL;DR – The “Risk Based Regulation” starts to explain why you are hearing half a dozen different interpretations (it’s vague and people/companies have different levels of risk tolerance).
Defining “Personal” Data
The obvious “Personal” data is name, email, credit card, address, etc. Things that are specific to you or Sally Joe down the street. But as a marketer, you may only deal with name and email for when someone signs up for your mailing list but you likely don’t ever think of those things with regards to people clicking on your links. Yeah, neither did we.
But here is the kicker — an IP address is (potentially) Personally “Identifiable” information (as it can be combined with other data)! Not the same as personally “identified” information but still something that can get you in trouble with GDPR if you don’t have a legal basis to store this information (more on this later). Yes, I know that it’s a bit of a stretch that I could track you just based off of your IP from clicking on a link, but that isn’t our decision; we (you as a marketer and us as a link management service) have to treat an IP address the same way we’d treat someone’s credit card or home address. Uggg.
You can read the details in our recent blog about how GDPR is specifically affecting us, and our clients, but the gist is that we said “F&%K it!” and after dutifully collecting over 10 billion of those somewhat random looking collections of numbers we no longer store IP addresses. The risk vs. reward just wasn’t worth it. It’s safer for us and our clients, and ultimately the end user clicking on a link, if after processing the clicks we just drop the IP from our records. Yes, it’ll make our lives a bit harder to diagnose some of those sneaky little bots and to help diagnose issues with our clients, but at the high level we are better off not storing the data. In the process, it allows the vast majority of our intelligent link management features to be GDPR compliant and allows you to keep doing the awesome things that you do without fear of GDPR.
First Party Cookies
What about setting cookies for tracking unique clicks? Good question and again it’s a vague answer as it’s in the grey area from what we’ve seen. From one perspective it’s an “essential” cookie for the service to provide you, the marketer, insights, so it might fit in the “Legitimate Interest” category but from the other perspective it’s a unique identifier (by definition – to track unique clicks) and a cookie so, therefore, falls into requiring consent.
TL;DR – If your (intelligent) link management platform isn’t storing IP addresses nor setting cookies and tracking unique visitors you should be good to go using the unique features of an intelligent link management service like targeting by geography, language, device, operating system, or date/time. However, if your link management service is setting cookies to track unique users you might want to ask them how that applies to GDPR and listen carefully to their response.
Third Party Cookies / Retargeting Pixels
Turns out that those pixels and cookies are “Personally Identifiable” and thus put you back under GDPR scrutiny. And the even worse news is that this is actually one of the areas where GDPR is a little more clear – the only way you can set these pixels/cookies is if you get explicit consent from the consumer that you can do that (and you can’t hold something cool hostage in exchange for that consent!).
This really complicates things as while there are a growing number of “Consent Management Platforms” to ask a consumer for their okay, then make a record of it, they all require some coding and therefore are stuck to being implemented on YOUR website. This means all of those links that are in your emails, tweets, YouTube descriptions, and every other social media or messaging platform don’t have a (good) way of asking for and receiving consent.
So how do you deal with this? We’ve seen a couple options.
The first is to pop up a cookie consent box when your link, with a retargeting pixel embedded, is clicked on by someone in Europe. This box asks for consent for the various cookies then after consenting, or not, allows the user to be directed to the final destination.
The second option is to completely avoid firing retargeting pixels for clicks originating in Europe to completely avoid the problem.
TL;DR – Even with two options there is no easy solution for retargeting from within links under GDPR. Each option has its pros and cons, but in the end, post-GDPR, it’s going to be a lot harder to build retargeting audiences of EU based people.
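To make the two ideas above concrete (derive what you need from the IP and then drop it, and suppress the retargeting pixel for EU clicks that have no consent), here is an added example that is not code from the original post or from any link management product. The prefix-to-country table, the EU country list and the User-Agent heuristics are constructed placeholders standing in for a real GeoIP database and device detection.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP database (assumption: a real one maps far more prefixes).
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}
# Illustrative, partial list of EU country codes (constructed for this example).
EU_COUNTRIES = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "PT", "SE"}


def lookup_country(ip_str):
    """Return the ISO country code for an IP, or None if it is unknown or malformed."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, country in GEO_PREFIXES.items():
        if ip in net:
            return country
    return None


def device_from_user_agent(ua):
    """Coarse device class from the User-Agent; crude heuristic, not a real parser."""
    ua_l = (ua or "").lower()
    if "iphone" in ua_l or "android" in ua_l:
        return "mobile"
    if "ipad" in ua_l or "tablet" in ua_l:
        return "tablet"
    return "desktop"


def process_click(link_id, ip_str, user_agent, accept_language, clicked_at=None):
    """Derive geography, language, device and time, then return a record without the IP."""
    clicked_at = clicked_at or datetime.now(timezone.utc)
    language = "unknown"
    if accept_language:
        language = accept_language.split(",")[0].split("-")[0].strip().lower()
    record = {
        "link_id": link_id,
        "country": lookup_country(ip_str) or "unknown",  # IP consumed here only
        "language": language,
        "device": device_from_user_agent(user_agent),
        "clicked_at": clicked_at.isoformat(),
    }
    return record  # no "ip" key: nothing identifiable is persisted


def may_fire_retargeting_pixel(record, has_consent=False):
    """Option 2 from the post: no pixel for EU clicks unless consent was recorded."""
    # An unknown country is treated as EU so a lookup failure fails closed.
    if record["country"] == "unknown" or record["country"] in EU_COUNTRIES:
        return has_consent
    return True
```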
It’s important to note that it seems that Facebook is looking to completely sidestep this issue, and remove themselves from as much liability as possible, by requiring that your retargeting pixels can only be used on a “website” (we read that as “domain”) that you own.
“You (or partners acting on your behalf) may not place pixels associated with your business manager or ad account on websites that you do not own without our written permission.” Section 3.1 of the Facebook Business Tools Terms
Controller vs. Processor
Another of the major frameworks of GDPR is assigning a “role” that you will take in dealing with personal data. This often boils down to who is the “Controller” and the “Processor”.
A Controller is an entity that decides the purpose and manner (or “means”) that personal data is used, or will be used. They also state how and why personal data is processed. Controllers are often the individual marketer, a SaaS company’s client. A Controller is ultimately the one who is responsible for the legal framework that is being used to legally save/use the personal data.
In contrast, a Processor is the entity that processes the data on behalf of the Controller. Typically most SaaS companies are Processors and it’s the less risky role of the two.
Black and white, right? Unfortunately, it never is. Many companies, including yours truly and major affiliate networks, are taking the role of “Joint Controller”. This means that they will split the “Controller” obligations with their clients. For us, it means that while we get to decide how long data is held for and what is derived from it (aka which reports are provided), you ultimately decide where the link will be directed to and where the link will actually be placed.
So why does this matter? Well because buried deep in those new terms of services or privacy policies that you’ve been getting alerted to is probably some language about who takes the burden and it’s likely going to be you! In some cases that makes perfect sense but I’d encourage you to review those documents (at least now they are supposed to be “reasonably clear” and much easier to understand!) and make sure that you aren’t getting an unnecessary burden because the service you are using thought it was easier to dump all of the liability on you!
Pieces of the Puzzle
While GDPR is the acronym that is getting thrown everywhere it’s not the whole story (surprise surprise!). “ePrivacy” and for those based in the US, “Privacy Shield” are also important pieces to the headache puzzle.
It’s also important to note that updated ePrivacy regulation is in the works and should be out in the next year or two (how exciting, eh?).
“Privacy Shield” replaces “Safe Harbor” and is a framework put out by the US State Department to help businesses (self) certify that they are responsible enough to handle the personal data of European citizens. While it’s more of a test of patience in paperwork and process documentation, it’s a whole lot better than having to warehouse all EU data in an EU based server/database (looking at you Russia!). Further, running through the activity of documenting all of your data processing is actually a really important step for the greater GDPR compliance piece and can be quite enlightening.
Curious if your US based tools are paying attention? You can look them up in the “Privacy Shield” database.
TL;DR – Again, the devil is in the details and all “good” things come in threes.
One of the biggest pieces of GDPR is the requirement to have a “legal basis” for collecting personal data. There are six of these but only two are really relevant to you when you are using intelligent links – “Legitimate Interest” and “Consent”. But remember this only applies when you are collecting personal data!
Consent is the big one – both in that it is likely the way you are going to need to go for most anything having to do with cookies / retargeting and it also comes with a noticeable interruption in the user experience and a burden around logging those consents. It’s important to note consent cannot be tied with acceptance of other terms, such as clicking okay to a Terms of Service.
According to the UK’s ICO “Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation”.
This means your consent request needs to be “unambiguous” and consent must be freely given and specific. Further, opt-out models (aka pre-checked boxes) will not fly. Finally, consent needs to be granular – meaning it needs to cover the various ways you process and use the personal data you collect (e.g. for analytics, or remarketing, or…).
Legitimate Interest is the other popular option and allows you to collect data without needing to interrupt the user flow and ask for consent (“except where such interests are overridden by the interests, rights or freedoms of the data subject”). This would probably be the way to go for logging information when people click a link (for displaying the info in your dashboards) IF you were capturing and retaining IP addresses. But remember, if your link management solution doesn’t retain IP addresses then there is nothing identifiable in the clickstream, so GDPR doesn’t apply to you!
Taking the Legitimate Interest path requires that you run through a “Necessity Test” and carry out a “Balancing Test”. While the names aren’t memorable, working through the tests is a good practice to confirm that what you are doing is actually in the legitimate interest of the end user.
While Legitimate Interest is easier to start off with, the problem arises when someone from Europe expresses an interest in exercising one of their “Data Subject Rights” — one of their six rights that deal with how their information is handled.
A quick aside – With GDPR a person should be able to access their data as easily as it was collected in the first place. Further, they should be able to request their data for free and have it within one month. These are the premise of the “Data Subject Rights”.
So while Legitimate Interest may be easy to start off with it may be incredibly burdensome to comply with these rights if you don’t properly catalog the information.
TL;DR – Consent is likely your best “legal basis” for marketing related activities but it has its own challenges for maintaining conversion rates as you are now interrupting the user flow and requiring an opt-in. However, Legitimate Interest requires (honestly!) working through two tests and then making sure you are in a good place to be able to support the Data Subject Rights. Ultimately, you might find that dropping any personally identifiable information is the best path forward, if that’s an option.
GDPR and its relation to the affiliate industry is another perfect instance of where a shrug is the most common answer as it’s riddled with nuances and not a ton of info. I was recently at the Affiliate Management Days conference and while this question came up a lot very few had specific answers. A few of the things I noted included:
In the Controller vs. Processor debate affiliate networks are split. Some side towards “Controller”, and others that identify more as a technology platform, such as AWIN, are going with the “Joint Controller” title, thus sharing the burden with both the affiliate publisher and the affiliate advertiser (aka Merchant). Others are siding towards “Processor” and claiming that the affiliate publisher is ultimately the “Controller” of the data.
It seems that “Legitimate Interest” was the preferred legal basis for storing personal info, however, affiliate networks like CJ and Rakuten, who have a big data component to their offering, likely won’t have that option and will need to go with consent.
Many of the affiliate networks are looking to combine and share consent via a tool that the IAB is working on in order to streamline the shopping experience.
Further, it was only today, May 21st, that the iTunes Affiliate Program got an update from Performance Horizon, their affiliate network, and I have yet to see anything from Amazon relating to the subject.
TL;DR – It doesn’t seem that the largest affiliate program in the world (Amazon’s Associates Program) is too worried while the affiliate networks seem to have little consistency in their approach.
Okay So How Do You Really Feel About GDPR?
Frustration – The lack of details has led to a lot of assumptions by a lot of people (us included). Unfortunately, this has created a lot of uncertainty. This is bad.
Relief – At the end of the day, after the Advil helps with all of the headaches, and we’ve had a moment to take a deep breath and look around, I think we’ll find that this is a big step in the right direction. At its roots GDPR is doing the right thing – protecting people. Hopefully that’s what actually happens after all the dust clears.
Take a deep breath. The deadline is here. You either made it or you didn’t. And if you didn’t then it’s probably not too late — I’ll be the first to admit that we will be continually adjusting our procedures as we see best practices develop.
From what we’ve read even the enforcement agencies responsible for policing GDPR aren’t ready! Reuters reports that “Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.”
And if it makes you feel any better, or worse, here is a tool by Siftery that lets you see what services have crossed the finish line (and are indexed by Siftery) – GDPR Checker.
Good luck in the coming weeks and months. …But you probably aren’t going to need it – as long as you did some research (reading more than just our blogs!), applied some critical thinking, and put yourself in your customer’s shoes you are probably on the right track.
Hopefully, that was helpful. Let us know in the comments below.