Industry Chat: Guide to the fundamentals of User Privacy
User privacy is a hot topic, and has been for a number of years, since the advent of the GDPR (General Data Protection Regulation) in May 2018. The purpose of the GDPR was to grant certain rights and controls to consumers in the EU and EEA (European Economic Area) over when and how their personal data is processed.
Affiliates, advertisers, networks and technology partners across Europe all need to adhere to the GDPR when it comes to how they collect, store and share the data that is processed when a consumer uses the business’ website.
Our expert on User Privacy: The Compliance Engineers
Since the launch of The Compliance Engineers in 2020, they have created bespoke privacy and compliance solutions that address the challenges businesses in the affiliate space face. In addition, The Compliance Engineers is one of APMA’s executive partners, offering help and support to its members alongside other member partners such as Tradedoubler.
What’s the background to all of this?
The growth of the Internet rendered the previous Data Protection laws inadequate. As understanding of consumers’ privacy rights has broadened, and regulatory frameworks have matured and adapted, businesses have also needed to stay up to date with what they can and can’t do when it comes to data privacy and protection. Coupled with this is the issue of consent, which has taken centre stage and will continue to change as regulatory requirements mature.
Despite leaving the EU in January 2020 (Brexit), the UK is still governed by the UK GDPR, which is in practical terms almost identical to the EU GDPR, except for a few minor technicalities (for example, appointing a Data Protection Officer is not obligatory, and Data Protection Impact Assessments are only mandatory where the processing activity is likely to result in a high risk to the individual). The bottom line is that if you are operating as a business in the UK, the GDPR still applies.
We’ll walk you through the fundamental principles to get you started on your journey to meeting the requirements of GDPR.
Principle #1 – You must get consent from users to collect data
As anyone who regularly visits websites will know, the cookie banner or Consent Management Platform (CMP) has become more prominent, both in look and feel and in what it requires when a visitor lands on the website for the first time. Consent is paramount when businesses are looking to engage with consumers. By giving consent, users are giving permission for tracking code known as cookies to be used.
Cookies are small pieces of code that are stored on a browser when a user visits a website. They carry certain pieces of data about that user, such as location, IP address, operating system and sometimes other pieces of data, depending on that user’s browser settings. Invariably, third parties have tracking functionality on these websites in order to make the websites work. These are referred to as tags; they store and share the user’s data and website usage with those third parties, hence the term third-party data.
The debate centres on third-party data, and what the website owner and the third parties do with it. In order to give consumers some level of protection, it is required that at the start of any new session the cookie banner gives users three clear options about what the website owner will do with the user’s data:
a) Accept cookies
b) Reject cookies
c) Manage preferences
Managing preferences allows the user to choose which kinds of cookies are activated or ‘fired’, which in turn determines which parties get to see what. These are broadly split into what are known as:
a) Functional or essential cookies – required to make the website work. These can normally be disabled in the browser settings, but doing so ‘can’ affect site functionality
b) Analytics cookies – allow the website owner to see how a user has interacted with the website
c) Marketing cookies – used by third parties to market to the user at a later date, e.g. remarketing
Depending on the CMP that the site is using, the ‘Manage Preferences’ section varies widely at present, but things are tightening up. Google has advised that any website using Google advertising products – AdSense, Ad Manager or AdMob – in the EEA or UK will have to use a Google-approved CMP as of January 16th 2024.
Principle #2 – You must get consent from users to market to them
With B2C it’s clear: if you want to sign people up to your newsletter, consent is mandatory; without it, you can’t add their details to your database. You must ask explicitly for this information and have them actively tick a box or click “yes”. Explicit consent is what is required; nothing else will do.
With B2B it’s slightly different. Provided you know enough about the person you are trying to market to, you don’t need consent. You can’t blanket email a generic address (e.g. info@companywebsite), but you can email people if you know who they are.
Do these three things now
2. Register with the ICO – The ICO is the UK’s independent body set up to uphold information rights. If you have a website, it’s almost certain you are processing personal data, and if you are, you’re obliged to pay the annual registration fee. The fee isn’t much; the fines for not paying it are far higher. This fee has been around for a while, but the ICO doesn’t really market it. They are also ramping up activity on the publisher side regarding CMPs and how they are presented, so expect to hear more from them.
3. Activate a cookie banner using a CMP – ideally a TCF-accredited one. The TCF is the Transparency & Consent Framework, an initiative started by IAB Europe, designed to enable vendors and publishers to demonstrate that they are transparent in their business dealings and that they seek consent in the approved ways. It costs around £1,500 per year to get accreditation. Most CMP providers offer a free version, or you can pay for premium and populate your CMP using their tech, as well as create the policies above on the fly and update them each time things change. There is a cost for this. Which you choose will depend on how often you change suppliers and vendors on your website.
Take the headache out of it with one of our self-service template kits specifically made for publishers and advertisers operating performance activities.
Other things to consider as an advertiser/a publisher
1. As a business, are your working practices compliant? There are a number of obligations beyond website privacy under the GDPR.
2. Do you operate in one or more territories, and where is your data stored? If you transfer data outside the EEA, there are various regulatory frameworks and contractual considerations to bear in mind.
3. Do you have adequate data processing agreements and data sharing agreements in place?
4. Do your employment contracts have the requisite clauses and terminology around data processing activity?
5. Have you got sufficient vendor agreements in place with third party suppliers?
This can all feel onerous and overwhelming, but it needn’t be. Together with The Compliance Engineers, Tradedoubler will help you address this challenge and take the pain away. The service of The Compliance Engineers is easy to understand, simple to integrate and cost effective.