Affiliate Compliance

Preparing For GDPR As An Affiliate

Published

6 years ago

May 11, 2018

Data collection has become an essential part of the operations of most organisations, especially those operating online. While it is effective, it has also given rise to a number of concerns surrounding how that data can both be misused, and become the target of theft.

This GDPR is a new legislative agenda that aims to improve the safety of individuals’ data, as well as regulate how that data is collected, processed and used.

As of the 25th of May, businesses of all shapes and sizes, will need to ensure that they are fully compliant with this new legislation if they serve customers (have traffic) originating from the EU – and affiliates are no exception.

The purpose of affiliate sites is to drive traffic to merchants and operators in order to earn a commission. The more savvy of affiliates, will collect data in numerous ways in order to be able to remarket to their users, if not only to understand their users better, improve customer journey, and in turn, conversion rates.

The data collected on those users most likely falls under the realms of GDPR, and with some heavy penalties of up to €20,000,000, or 4% of annual turnover, it isn’t just another ‘inconvenience’ that should be ignored.

How to Ensure Compliance

Understand what Personal Information is

Personal information includes obvious data such as name, email address and phone number. Many affiliates won’t collect this kind of data, unless they at least have a newsletter subscription form on their website. However, it’s likely that all affiliates have some kind of website tracking/analytics software installed on their website.

Under GDPR’s definition of personal data, it includes “any information relating to an identified or identifiable natural person”.

It then continues to explain that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Note the use of the terms “identification number”, “location data” and “online identifier”. Under GDPR, collection of IP addresses and the storing of cookies could be deemed to be deserving of consent from the individual prior to collection, if that data could be used to identify them. Note also, that it doesn’t necessarily mean personally identifying them – if cookies are being used to create a ‘profile’ on an individual, which is being processed on subsequent visits or across websites, then that is deemed as identifying them.

Obtain Consent

The key to the GDPR’s vision is the role of consent. Consent must be obtained from all individuals prior to collecting data on them that could be used to identify them “directly, or indirectly”, as well as an explanation as to the purpose for processing that data.

Consent must be “clear and distinguishable from other matters” and “provided in an intelligible and easily accessible form”. This means that it can no longer be hidden away in the midst of a website’s T&Cs, and in fact it must be entirely separate and written in clear and plain language.

The request for consent can be included in a Privacy Policy, however, a timestamp of when consent was given, as well as details of what the individual was consenting to (i.e. version of privacy policy), must be recorded for audit purposes. Therefore, an “opt-in” style checkbox or similar must be presented to users before any data collection can commence. Furthermore, pre-ticked boxes or “opt-out” options are no longer permitted, and as a minimum, a link to the full request for consent (privacy policy) must be presented.

All affiliates should review their privacy policies (or create one if they don’t already have one), and ensure it complies with GDPR. The request for consent must explain what data is being collected, why it’s being collected, how it will be used, and how long it will be kept for.

If affiliates’ privacy policies and “opt-in” practices don’t satisfy the condition of GDPR, then reconfirmation or re-permission must be obtained.

Users should also have the ability to easily opt-out or close their account with immediate effect if they no longer wish to be subscribed or for their data to be used. It must be “as easy to withdraw consent as it is to give it”.

What does this mean for cookies, and website analytics software?

If the cookies set by your analytics software are collecting data that will be used across websites (i.e. for advertising), then you must obtain consent from users before using it. The standard Google Analytics code doesn’t have Advertising Features turned on, and so technically it doesn’t even fall under the ‘Cookie Law’.

Affiliates should limit the features and data they collect to an absolute minimum. E.g. if they don’t need or use demographic reports in Google Analytics, then they should disable Advertising Features. Relying on consent should be avoided at all times where possible.

Provide Access to Data

Individuals will have the right to request a copy of the data held on them under GDPR. Requests must be fulfilled within 1 month, and the data supplied free of charge, in an easily accessible, understandable, and electronic format. They also have the right to correct or amend any information they see as inaccurate.

Affiliates should therefore prepare for the eventuality that one of their users exercises such a request.

Right To Be Forgotten

Individuals will also have the power to request that any information held on them be deleted. This will most certainly include personally identifiable data held in affiliates’ databases and 3rd party tools, but will also include any data which is ‘linked’ to from affiliates’ systems. For example, Google Analytics has a feature allowing the linking of User IDs and tracking cookies. The purpose is to track users across devices, and count them as the same user, rather than 2 or more unique users. Google have announced a tool which allows deletion of any data linked to such User IDs.

Improve Security

Security should be a top priority anyway, even a before GDPR was on the horizon. Nevertheless, affiliates should review their website security and ask themselves what they are doing to prevent a breach, as well as the ways in which data could be stolen/abused in the event of a breach. Historically only passwords were encrypted, however there is now more of a case than ever to encrypt other data too.

Notify Breaches

If an affiliate is unfortunate enough to suffer a breach, they will need to make the appropriate Data Protection Authority (DPA) aware of it. All organisations have 72 hours to report the breach, and organisations acting as data processors will be required to notify their customers (data controllers).

Appoint a Data Protection Officer

A DPO will only be required if your organisation handles a large volume of data, or is involved in monitoring this data on a large scale. In most cases this doesn’t apply to affiliates, however, they will still need to act responsibly, review their internal record keeping, and ensure that consent and data collected is auditable.

Be Paranoid about Privacy

Under the GDPR, failure to implement adequate precautions when it comes to data protection and privacy will result in the most serious penalties they have to offer. And this doesn’t only relate to online privacy.

Affiliates should review the existing safeguards they have in place to prevent data getting into the wrong hands, both online and offline i.e. in their home office or work premises. Staff should be restricted to accessing information that is absolutely critical to their role and thought should be given to what physical data would be at risk in the event of a physical break-in.

This article contains general information for affiliates to make their own informed decisions about the upcoming GDPR. You must not rely on the information in this article as an alternative to professional legal advice. The article has been contributed by Pavlos Sideris of Cashbacker – the leading gambling cashback community.

Up Next

DiceKings Launches Managed Affiliate Programme with Income Access

Don't Miss

Raketech Strengthens Its Operations Through New Acquisitions

Affiliate Compliance

Responsible Gambling Affiliate Association Announces Appointment of George Rover as Executive Director

Published

2 months ago

March 4, 2024

George Miller

Responsible Gambling Affiliate Association Announces Appointment of George Rover as Executive Director

Responsible Gambling Affiliate Association, the industry trade coalition that advocates for reasonable regulation, responsible advertising, and consumer protection has appointed George Rover as its first Executive Director to lead the organization. Comprising of six major players in the US online gambling affiliate sector, the Association includes Better Collective, Catena Media, FairPlay Sports Media, Gambling.com Group, Spotlight Sports Group, and XLMedia PLC.

As Executive Director, Rover will be responsible for executing the RGAA’s long-term mission to safeguard responsible gambling marketing and advertising practices. His duties as Executive Director will be pivotal in shaping the future of responsible affiliate practices, advocating the needs and interests of the Group’s members, promoting sensible regulation, fostering collaboration with industry stakeholders, and advocating for the highest standards of integrity.

“In the spirit of collaboration – whether it be with state regulators, politicians, legislators or online gambling operators, I look forward to working with key stakeholders and will champion the critical role affiliate companies play in the regulated online gambling ecosystem,” said Rover. “The formation of the RGAA will provide this essential segment of the industry with an important and constructive voice to promote responsible gambling, prioritizing the best interests of consumers through a unified set of high standards and guidelines to achieve long-term success.”

Prior to joining the RGAA, Rover held numerous senior positions with the New Jersey Department of Law and Public Safety, Office of the Attorney General and the New Jersey Division of Gaming Enforcement (NJDGE). At the NJDGE, Rover oversaw the agency’s Service Industry Licensing, Casino Prosecutions, Internet Gaming and Technical Services Bureaus. During his tenure, he directed the successful launch of Internet Gaming in New Jersey and supervised some of the NJDGE’s most complex licensing and organized crime investigations and prosecutions.

After his retirement from government service, Rover also worked closely with the industry’s leading gaming companies to form the Sports Wagering Integrity Monitoring Association (SWIMA), a national non-profit organization with the mission to detect and discourage fraud and other illegal activity related to betting on sporting events. In addition to his role with the RGAA, Rover will continue to support companies in the gaming industry through his strategic gaming advisory company, Princeton Global Strategies.

“We are thrilled to welcome George Rover to the RGAA family,” said Katie McCord, Chair of the Responsible Gambling Affiliate Association. “His unparalleled expertise, spanning decades in casino and sports betting law, will undoubtedly elevate our organization. George’s substantial contributions to the industry, including spearheading initiatives like SWIMA, showcase his commitment to integrity and innovation.”

Rover will participate in a fireside chat at the Next.io Online Gambling and Sports Betting Summit in New York on March 4 to discuss the dangers of the offshore and unregulated market which continues to target consumers in the US who still lack education regarding legitimate operators.

Affiliate Compliance

AFFILIATE QUALITY MARK LAUNCHED FOR 6 REGULATED MARKETS

Published

3 months ago

January 23, 2024

George Miller

QMRA to enter Belgium, Poland and Estonia: Game Lounge joins immediately with Belgian website, Place2bet as well

At XY Legal Solutions, founder of the Dutch ‘Keurmerk Verantwoorde Affiliates (KVA)’ (https://kva.nl/), we have decided to launch the Quality Mark Responsible Affiliates (QMRA, https://qmra.eu/) for 6 regulated markets:

Spain, Norway, The United Kingdom, Denmark, Germany and Sweden.

The procedure works as follows: the affiliate applies (per website) through our contact form, after which the QMRA Team will review the website. QMRA has Compliance Codes per market on which the reviews will be based. These QMRA Compliance Codes are a distillation of the law in the named markets, relevant for affiliates. The yearly fee for QMRA membership per website is set at 695,- Euro’s (VAT excluded), 595,- when a company offers three or more websites.

The decision to launch this new Quality Mark stems from the tremendous success of KVA. The Dutch situation has demonstrated the need for an affiliate quality mark. No country has a quality mark like KVA. We now aim to change that.

Compliance demands for iGaming are growing for all regulated markets. For affiliates, it is becoming more and more important to show they are able to keep up with compliance standards. A quality mark helps affiliates demonstrate to operators that they are trustworthy. Next to that, the QMRA compliance procedures will help the affiliate to understand relevant legislation.

Launching websites are: CasinoHawks.Com (Game Lounge) and BetterWorldCasinos.Com (Coherentes)

Affiliate Announcements

bet365 Strengthens Responsible Gambling Stance with Renewed Rightlander Partnership

Published

9 months ago

July 27, 2023

George Miller

bet365 Strengthens Responsible Gambling Stance with Renewed Rightlander Partnership

bet365 has announced the extension of their partnership contract with Rightlander, the foremost provider of innovative affiliate compliance solutions.

The agreement underscores bet365’s sustained dedication to promoting responsible gambling and ensuring the highest level of affiliate compliance. Since the partnership began, Rightlander’s cutting-edge compliance tools have been instrumental in assisting bet365 to maintain ethical advertising standards and abide by the strict regulatory landscape.

“We are excited to renew our contract with Rightlander,” said a spokesperson from bet365. “Their comprehensive compliance solution has become an integral part of our affiliate program. The extended partnership reinforces our commitment to responsible gambling and our dedication to providing a secure and fair environment for all our customers.”

The Rightlander platform offers a host of advanced features, and the technology is designed to facilitate compliance with evolving gambling regulations, a fundamental aspect of bet365’s operations.

Rightlander’s Head of Customer Success, Nicole Mitton, expressed her enthusiasm about the ongoing partnership, stating, “We’re delighted to extend our relationship with bet365. This renewed agreement is a testament to the effectiveness of our compliance solutions, and we look forward to continuing to help bet365 promote responsible gambling and adhere to regulatory requirements.”

The extended contract is expected to further strengthen the robust compliance infrastructure at bet365 and drive innovation in affiliate compliance within the online gambling industry. This strategic partnership will continue to provide an example for industry standards of affiliate compliance, further solidifying the companies’ shared commitment to promoting responsible gambling practices.