Data protection has always been a cornerstone of our business, and we have been working diligently to ensure our compliance with the General Data Protection Regulation (GDPR).
Understanding the GDPR
The GDPR goes into effect on May 25, 2018, with a goal of harmonizing data protection across the member states of the European Economic Area (EEA), which includes the 28 member states of the European Union (EU), plus Iceland, Norway, and Liechtenstein. This regulation is replacing the EU Data Protection Directive (Directive 95/46/EC). The GDPR seeks to inform and empower consumers by providing transparency and control over their personal data. It will affect organizations worldwide that collect and/or process personal data of individuals working, visiting or residing in the EU—regardless of where an organization is located. The new regulation impacts how companies collect, process, retain, and delete personal data, and creates additional accountability.
We are one of the industry leaders working closely with the Interactive Advertising Bureau EU (IAB EU) to establish digital marketing best practices and advocating for a consistent consumer experience in accordance with the GDPR. The following key concepts are important to understand:
The GDPR Broadens the Definition of Personal Data
At CJ and Conversant, we do not collect or retain any consumer personally identifiable information (PII). This means our data does not directly identify any individuals (i.e. name, email address, or billing information). That said, the GDPR broadens the definition of personal data to include the data we collect.
The GDPR introduces the term “pseudonymous data”, which is a subset of “personal data”. Pseudonymous data is data that does not directly identify the individual without the use of additional data. This includes data that can be used to understand a consumer’s behavior (including cookie IDs, device IDs, and other individual identifiers). The GDPR recommends that companies pseudonymize personal data whenever possible as part of their Privacy by Design approach to ensure that companies are only collecting data that is needed, while still protecting the privacy of consumers.
Collecting and Processing Personal Data Under GDPR
The GDPR allows for six legal bases for processing personal data. The two most relevant bases to the digital marketing industry are “legitimate interest” and “consent”. For the services that we provide, we believe that legitimate interest is an acceptable legal basis on which to process personal data.
That being said, there is an additional law that also impacts online data processing: the ePrivacy Directive (Directive 2002/58/EC). Under this law (Article 5, Section 3), individuals must provide consent before a company can read or write any information to or from their devices, such as reading and/or writing cookies.
The ePrivacy Directive references the Data Protection Directive (Directive 95/46/EC) for the definition of consent. On May 25, 2018, the Data Protection Directive will be replaced by the GDPR. This means the definition of consent under the ePrivacy Directive will reference the definition of consent under GDPR, which requires that consent be “unambiguous”.
It is our interpretation that the GDPR-defined “unambiguous” consent is required to read or write any information, such as cookies, to or from a consumer’s device. Legitimate interest, however, allows us to process and retain personal data collected via those cookies.
In alignment with this viewpoint, and in light of these upcoming changes, the IAB EU has created a framework for digital advertising companies to easily inform each other when unambiguous consent has been granted. This shared knowledge allows all parties involved in a consumer interaction to know when a request for consent is needed, allowing for a more conscientious customer experience (including only requesting consent when one or more parties need it).
Understanding “Unambiguous” Consent
As mentioned above, unambiguous consent will be required in order to read or write information to or from a consumer’s device. Unambiguous consent requires clear and affirmative action be taken by the consumer. The GDPR (Recital 32) states that “silence, pre-ticked boxes or inactivity should not … constitute consent.” Later, the recital states that consent can be given through “conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”
This means that by taking an action, such as clicking a box or link to accept, or continuing to browse, the consumer is providing consent—as long as the disclosure clearly and prominently explains that this consent allows us to drop cookies and process consumer information, and states the intended uses. Companies are required to provide consumers with the option to revoke consent at any time.
Data Controllers and Data Processors
Article 4 of the GDPR defines a Data “Controller” as an entity that, solely or jointly with others, determines the purpose and means of processing personal data. A Data “Processor” is an entity which processes personal data purely on behalf of the Data Controller and only according to the Data Controller’s instructions, as described in Article 28. These definitions determine what data a company can process and the responsibilities the company is assuming to ensure it is providing consumers with appropriate control of their personal data. While there are additional responsibilities that a Data Controller takes on, one key requirement is providing consumers with the ability to request to access and delete their personal data.
We are a Data Controller and we will continue to offer our clients cutting-edge, data-driven solutions that deliver meaningful results.
Our GDPR Commitment
We believe in the data protection principles of the GDPR and are committed to providing more transparency to individuals over how their data is being processed.
Data protection has always been a cornerstone of our business, and we have been working diligently to ensure our compliance with the GDPR. Our future-focused approach sets our clients up for long-term, data-driven success within Affiliate Marketing. We will provide our clients with free options for gathering unambiguous consent for ourselves, themselves, and any additional vendors. We will consider consent valid for 13 months unless the consumer changes their preferences. We will continue providing GDPR-compliant technologies and, as a Data Controller, we accept full responsibility for our compliance with the GDPR.
We urge our clients and partners to review and understand their responsibilities under GDPR, as compliance is a collective responsibility. We will continue to lead industry efforts by providing GDPR best practices and working closely with the IAB EU, IAB UK, and other industry leaders. If you have any questions or feedback, please reach out to us through your account team or through our Support Center.
CJ and Conversant