The number of regulations that igaming-related businesses have to deal with has been rising in recent years. There are country-specific regulations governing what gambling brands and affiliates are allowed to do, and then there are general regulations like GDPR that affect everybody, igaming included.
Country-specific regulations run the whole gamut from making life more difficult (see the recent UK regulation requiring igaming sites to avoid child-friendly content, something that’s left operators wondering how to verify the age of their site visitors before showing them any content) to making life impossible (like, well, banning online gambling altogether).
Cover your bases
The key to dealing with country-specific regulations is keeping an eye on current developments and being prepared. Typically, before something becomes regulated, discussions take place between those forces pushing for a regulation and those opposing such a measure. These voices are normally heard before any legal action takes place, so if you’re watching the current developments in a country you’re targeting, any regulation should not come as a surprise.
The kind of decisions an affiliate usually has to deal with if there are rumours of an upcoming regulation involve whether to scale back activities in the affected country. Is it really worth shelling out on advertising or marketing, for example? A big mistake is to wait till the very last moment without doing anything, or to not devote sufficient time to considering your scenarios depending on the outcome of the regulation. A lot also depends on the current business model of an affiliate. For example, if your main source of traffic in a certain country is PPC and you know the regulation would ban or seriously limit PPC (ie only allow operators to run paid ads), then your options are either to withdraw from that country altogether or consider other sources of traffic.
Also, depending on the size of their operation, affiliates may be more or less risk-averse when it comes to complying with regulations – but that’s where the affiliate programmes step in. If an operator is no longer rewarding a certain kind of traffic from its affiliates, then there is no incentive for the affiliates to drive this traffic to said operator.
There may well be some rogue operators choosing to work without complying with the regulations, but if the consequences of this behaviour lead to the operator being prosecuted or closed down, they will not be able to honour their affiliate obligations. This in turn will lead to affiliates losing out on their due commissions, so working with non-compliant operators may not be worth the risk.
However, in the case of regulations being introduced for a market, it’s often a question of risk vs. reward. By this I mean that if a country is particularly lucrative and the chances of a regulation being enforced are relatively low, there will be those willing to take a punt. Just think of all the brands and affiliates still targeting online casino players in the US, even though online casinos have been banned there since 2006. Sometimes, regulations lead to new technologies being used as a way to get around a ban – look at the rise in cryptocurrency casinos, which are being used as a way to bypass payment processors’ gambling transaction limitations.
For the affiliate programmes, the right question to ask the affiliates is not “where are you from?” but “where does your traffic come from?” More often than not, the two are different. Any experienced affiliate trying to leverage potential risks will likely be running multiple sites targeting different countries. When an affiliate applies to an affiliate programme, then, it’s a very lazy approach for the programme operator to decide whether to approve the affiliate based on where they are located.
The question of GDPR
Now, as if these industry-specific regulations have not been enough trouble, we also have other stuff to deal with. The EU’s General Data Protection Regulation, which specifies how the personally identifiable data of EU citizens should be treated online, has been in place since May 25, 2018. It’s important to note that it does not only apply to EU-based businesses, but rather any websites an EU citizen may be using, no matter where these sites are hosted, where the companies running them are registered, or even where the said EU citizen is at the time of using a site. Effectively, this makes GDPR a global regulation.
GDPR is still in its early days so we’ve yet to see how it is going to be enforced, especially when dealing with non-EU based businesses. There has been a lot of criticism of GDPR and a lot less understanding of what it is and how to comply with it. There has also been a lot of opposition to it, especially from US businesses not understanding why they have to comply with an EU regulation. Some have gone as far as blocking all traffic from the EU, which is absolutely the wrong way to handle GDPR. After all, an EU IP does not equal an EU citizen, and this does not help secure your business against any GDPR compliance complaints. A much better solution is to think about the way you handle your visitors’ and customers’ data, even if you don’t think your business should care about GDPR now.
GDPR may not be ideal, but it’s definitely a big step forward in terms of online privacy. It’s a good idea for users if companies are held accountable as to how they obtain users’ personal data and how they treat it, whether they sell it or use it for unintended purposes. Businesses do need to care about their customers’ personal data, about storing and handling it securely and asking for their permission regarding what can be done with that information.
In the igaming industry, the situation with GDPR adoption and compliance is mirroring that of the rest of the internet. Affiliate programmes are certainly under pressure from the operators who do not want to get in trouble over their poor compliance with the regulation. That said, there appears to be very little understanding in evidence. The end result is that affiliate programmes are often presenting unreasonable demands to affiliates, while not being able to fully comply or correctly implement the required changes themselves.
Sometimes, issues arising are not even the affiliate programmes’ fault. One prominent example is what happened to a lot of affiliate programmes powered by NetRefer, after affiliates were met with a password reset screen out of the blue one day. In most cases there was no explanation as to why they had to reset their passwords, and in many others the password-reset request was followed by a screen demanding that they accept the updated terms and conditions. The problem here was that the actual update summary was an empty text box, leaving affiliates wondering what it actually was that they had to accept. Considering how nervous affiliates are about affiliate programmes’ terms of service changing, and how some of these changes have in the past affected affiliates’ payouts, this is a disastrous way of handling things. In an ideal world it should have cost NetRefer a lot of lost business.
Some affiliate programmes have also been putting affiliates’ accounts on hold until they show proof of GDPR compliance, regardless of what said affiliates do and whether they really need to do anything to comply. Affiliate managers need to discern between their affiliates’ different operating models: for those using email marketing, one set of requirements should apply, while another should be in place for those affiliates only displaying banners and getting traffic from organic search. In the meantime, many affiliate programmes themselves are hardly held accountable for how they handle their affiliates’ PII.
Finally, one important note about GDPR implementation on websites, regardless of whether these are operators’ sites, affiliate programmes or affiliates’ sites. If you are currently getting any organic SEO traffic at all and care about not losing it, make sure your terms of service notification does not interfere with the search engines’ ability to crawl and index your site.