The Legal Side of Affiliate Marketing: What Do You Need To Know About GDPR?

Let me start by saying that this post does not constitute legal advice! This is for informational purposes only and you should seek your own legal counsel about your responsibilities under GDPR.

What is GDPR?

As of May 25, 2018, with the entry into application of the General Data Protection Regulation (GDPR), there is one set of data protection rules for all companies operating in the European Union (EU), also referred to as the European Economic Area (EEA), regardless of where they are based.

These rules aim to improve consumer data protection, allowing consumers to have more transparency and control over their personal data and helping businesses benefit from a better commerce ecosystem.

Personal data relates to the collection and processing of personal information, such as name, address, email address, and location, online identifiers, such as IP address, cookie ID, and device ID, and more sensitive data, such as health information, income, cultural profile, and religious and political affiliation.

Why was GDPR created?

GDPR aims to give back control over personal data to EEA citizens and residents. It is about trust! Based on a survey done by the European Commission, the majority of people felt that they do not have complete control over the information they provide online. This lack of trust impacts consumer confidence as well as the ongoing growth of the digital economy and online businesses. The rules are designed to reestablish and enforce the individual’s rights to the processingand protection of their personal data.

GDPR determines one set of rules according to which businesses must provide their users with full transparency about what personal data they are collecting, what they are doing with the data, and whether (and with whom) they are sharing it. Businesses also need to allow users control over what can be done with their personal data.

Who must comply with GDPR?

GDPR applies not only to organizations located within the EU but also to organizations located outside the EU if they offer goods or services within the EU or if they have traffic coming from the EU. It applies to all companies processing and holding the personal data of people residing in the EU, regardless of the company’s location. 

• If your blog offers any type of service, sells any type of product, or even just collects email addresses for the purpose of sending out a newsletter, you – like anyone who processes or stores personal data – need to comply with GDPR regulations.
• If you use affiliate marketing for monetizing your blog, most affiliate networks and affiliate programs have incorporated into their terms of use a requirement that their affiliates are GDPR compliant.

What should you do to be GDPR compliant?

If you have a website or a blog with traffic coming from the EU, you need to make a few adjustments to comply with GDPR (see the checklist at the end of this post). If you are affiliated to any affiliate network, most, if not all, of the networks have updated their terms of use to include requirements related to compliance with the regulations. Such terms generally include your obligation when collecting, processing, and using consumer data to:  

•  Make all necessary privacy, data collection, and data usage disclosures to your readers;
• Obtain specific and informed consent from any users of your website that cookies are being served by the applicable network (ShopStyle, eBay, Rakuten, etc.) to all who click through your affiliate links;
• Comply with the obligations relating to data processing;
• Take all necessary appropriate measures to protect personal privacy on your blog or other channels.

If this all sounds a little vague, let’s go over the basic principles for protecting collected data.

• Lawfulness, fairness, and transparency when collecting personal data.
• Purpose limitation – the data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data minimization – the data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
• Accuracy– the data collected is accurate and, where necessary, kept up to date.
• Storage limitation – the data collected is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.
• Integrity and confidentiality – the data is processed in a way that ensures appropriate security.

Most of you probably collect mainly names and email addresses for the purpose of sending a newsletter. Provided you disclose this data, keep your records safe and confidential, and don’t use it for other purposes, there should be no problems. However, data collection is not only done by you. Some of the data is automatically collected by the browser your reader is using; Google Analytics, for example, collects certain information and provides you with information and insights about users’ patterns of behavior. If you use other services on your site, such as an advertisement service or any other kind of program that tracks your users’ habits, then the data collected is either personally identifiable or non-personally identifiable. This is why you may have come across terminology such as "log data,” "cookies,” and "beacons” on privacy policies. Because all this data is collected, you need to notify your users and get their consent.

What does GDPR mean for you?

1. Valid lawful basis for processing data

In order to process personal data, you need to have a valid lawful basis. There are six legal bases available for processing, but the following three may be more relevant for bloggers and influencers. 

• Consent– According to the Information Commissioner’s Office (ICO), consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. Consent requires a positive opt-in, in other words, a very clear and specific statement of consent. Don’t use pre-ticked boxes or any other method of default consent. Keep your consent requests separate from other terms and conditions. Be specific, so that you get separate consent for separate things. Vague or blanket consent is not enough.
• Legitimate interests – According to the ICO, this means using personal data in ways that users could reasonably expect, that have a minimal impact on their privacy, or that have a "compelling justification.”
• Contract– This means having a contract with individuals and processing their personal data according to the obligations of your contract or specific steps they have asked you take before entering into the contract.
• Legal obligation – This is relevant if you need to process the personal data to comply with a common law or statutory obligation.

For more details on the valid lawful basis for processing data, check THIS link.     

2. Consent

The practical application of GDPR requirements for publishers involves the need to obtain consent related to users’ personal data for the following processes: 

• Sending Newsletters – When you invite your users to subscribe to your email, make sure your consent practices are very clear. If, for example, you offer a freebie on your blog, make sure users understand what they are signing up for. You cannot automatically add someone to your email list. Don’t make your consent practices vague, and make sure users understand how they can also withdraw consent. For EEA audiences, it is best to offer those who sign up for the freebie the option to sign up for your email list in the email in which you send the freebie.
• Using Cookies – For EU users, consent is required for the use of any cookies (except strictly necessary ones). This is an existing requirement of the ePrivacy Directive (Cookie Law), which is largely associated with the banners and pop-ups seen when viewing websites that inform consumers about the use of cookies to track online activity. However, with GDPR in force, the consent requirements for placing cookies fall under new, stricter standards. You should check to see if your cookie banner meets GDPR requirements. See below for more options.
• Implementing Affiliate Links – If you are using affiliate links, there are times when EU users need to grant you consent to process their data. Some major affiliate networks (such as Rakuten) require GDPR consent for affiliate links; without this consent, a link may not be tracked and potential commissions will be lost. Other affiliate networks do not require additional consent for affiliate links. See below for more options.

If you are an influencer from the EU, you should be checking that the affiliate program you apply to is GDPR compliant and available for EU influencers. If not, then any transaction originating in the EU will not be commissionable.

How should your consent request be presented and what information must be given to individuals whose data is collected?

A consent request needs to be presented clearly, using language that is easy to understand. It must specify what use will be made of the collected personal data and include contact details of the person/company processing the data. Consent must be freely given, specific, informed, and unambiguous.

Informed consent means that at the time of collecting their data, individuals must be clearly informed about:  

• Who you are? Company, organization, other, and your contact details;
• What you’ll be using their personal data for;
• What kind of personal data you are collecting;
• Your legal justification for processing their personal data;
• How long you will keep the data for;
• Who else might receive the data;
• Whether the data will be transferred to a recipient outside the EU;
• Their rights regarding the data (see below);
• Their right to lodge a complaint with a data protection authority (DPA);
• The existence, where applicable, of automated decision-making and the relevant logic and consequences.

3. Updating your privacy policy and cookies policy

In addition to the information detailed above, your privacy policy should also include users’ rights regarding the collected data.

What are individuals’ rights under GDPR? 

• The right to be informed about the collection and use of their personal data.
• The right to access their personal data.
• The right to rectify or complete any inaccurate or incomplete personal data.
• The right to erasure, have your personal data erased (also known as the "right to be forgotten”) and the right to withdraw consent at any time.
• The right to restrict processing, i.e., to request the restriction or suppression of their personal data.
• The right to data portability allowing individuals to obtain and reuse their personal data for their own purposes across different services.
• The right to object to the processing of their personal data in certain circumstances. For example, individuals have the absolute right to stop their data being used for direct marketing.
• The right not to be subjected to decisions based solely on automated processing, including profiling.

Another right, usually restricted by a business’ terms of use to individuals under EU law, is the right to complain to a data protection authority about the collection and use of  personal data. Local data protection authorities can be contacted for more information. You can find contact details for data protection authorities in the EEA, Switzerland, and certain non-European countries (including the United States and Canada) here.

Other Questions You May Be Asking Yourself

Are there any tools for obtaining consent?

You need a cookie notification that appears when someone lands on your site. This will allow you to inform users that your site uses cookies and to comply with the Cookie Law and GDPR regulations whenever data is collected automatically.

• If you are using Wordpress, there are many plug-in options. You can find many here. You can also install a GDPR Plugin which is meant to assist a controller, a data processor, and a data protection officer (DPO) to meet GDPR obligations and rights. Link for GDPR Plugin.


• There are various free and paid consent tools out there. These tools have pop-up boxes to obtain GDPR consent when someone visits your blog, which you can install by adding a line of code to your blog. One of the choices is Quantcast Choice (please note, we have no commercial relationship with Quantcast). It is free and GDPR compliant. Once you have set up your consent tool, you will need to choose which "purposes” to get consent for. Once a user grants consent, this is stored, usually for 12 months, and consent is not needed again until then (unless the user deletes their cookies or withdraws consent).


• Rakuten has created a few Consent Management Platform tools that you can install on your website. You can find them here.

Do you need a Data Protection Officer (DPO)?

According to the ICO, DPOs must be appointed in the case of: (a) public authorities; (b) organizations that engage in large-scale systematic monitoring; or (c) organizations that engage in large-scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

Do you need to register with the ICO and pay the annual fees?

Anyone processing personal information needs to register with the ICO and pay this fee, unless they are covered by one of the exemptions. An exemption that might be relevant for bloggers is:

"Advertising, marketing and public relations (in connection with your own business activity). You only hold the personal information of the people you need to for your own advertising, marketing and public relations – for example information about past, existing or present customers or suppliers. The information is restricted to what is necessary for your advertising, marketing and public relations – for example, names, addresses and other identifiers. You only advertise and market your own goods and services."

In other words, if you are only processing personal data for core business purposes, you are not required to pay ICO fees; you are, however, still required to comply with all GDPR principles and requirements. If you do in fact use personal data to advertise or market the products and services of others, you may want to consider registering and paying the fee. If you are still not sure whether you need to register, you can fill in this quick self-assessment questionnaire.

Should you demonstrate that you are GDPR compliant?

The principle of accountability is the cornerstone of GDPR. Regarding showing proof of your GDPR compliance, see here.

Quick checklist for GDPR compliance – are you ready?

1. Evaluate– Think of your blog or business and assess what could be GDPR impact. Do you only collect email addresses? What kind of services or plug-ins are you using on your site? Who are the third parties you work with that might be collecting data directly or indirectly on your behalf? Consider the measures you could take to comply with the rules.

2. Notify– Consider what is the most appropriate legal basis for collecting and processing personal data from your users and notify them clearly about what kind of data you are collecting. Transparency should be your guiding principle. Use a cookies notice and inform users of the way to manage the cookies and direct them to your privacy and cookies policy for more information if necessary.

3. Obtain consent – Check your consent practices and your existing consents. Consider what consent you should be obtaining based on your business, the services you offer, other offerings, and the data collected. Which cookies and plug-ins are you using on your website and which third-party services that may be using cookies (such as affiliate marketing)?

4. Update your legal terms – First you should seek legal advice for how to update your site’s legal terms. These include: terms of use, privacy policy, cookies policy, disclosure policy, and a disclaimer when relevant. The legal terms should refer to many of the principles and individual rights discussed in this post: who you are; why and what you are collecting (yourself or through third parties); how you use the collected data; how it is stored and for how long; what your users’ rights are; and how users can contact you.

5. Affiliate networks terms – Refer to your individual affiliate networks or independent programs for any specific guidance or requirements about complying with GDPR.

A Final Word…

As stressed above, the information provided in this post should NOT be taken as legal advice. It was gathered through my own research and is for informational purposes only. I strongly encourage you to do your own research and/or to seek your own legal counsel to determine whether you are taking all the steps needed to be GDPR compliant.

Useful Links

• The General Data Protection Regulation from the Official Journal of the European Union
• EU GDPR Formal Site
• European Commission site – Find out what your organization must do to comply with EU data protection rules
• Here is a guide to help you look for more information (ICO site)
• Data Protection Authorities in the EEA
• European Commission site – rights for citizens, how users’ personal data is protected
• A GDPR Hub for updates: The Internet Advertising Bureau (IAB) UK and ePrivacy Directive IAB factsheet