GDPR resets the operator/affiliate relationship
The General Data Protection Regulation (GDPR) – for those who have been living under a bridge for the last 12 months – is new EU legislation which comes into force on 25 May, 2018. The GDPR will bring about stricter requirements for all companies in the EU that process personal data (and for those companies outside the EU that process the data of EU citizens).
The new regulation will affect the gambling industry and how it uses the personal data of its players and prospective players.
This article discusses the impact that the GDPR will have on affiliates, the relationship between operators and affiliates, and what measures can/ should be taken by operators as a result of GDPR to assist it in its GDPR-compliance.
The GDPR retains the concept of a data controller (now called a controller). This is the party that determines the purposes and means for processing personal data. The concept of a data processor (now a processor) is also retained and refers to those who process personal data on behalf of another.
Affiliates are most likely to be controllers in their own right and this position is probably the preferable one for operators because it would mean that any data protection breach by the affiliate should bring liability solely on to the affiliate
It is, therefore, important to begin any discussions between operators and affiliates by determining their roles.
Affiliates aim to drive individuals to an operator’s site/app with the aim of such individual signing up to become players. This means that the operator will be a controller in respect of such players once they have entered the operator’s site/ app, but prior to this the operator has no relationship with the traffic that is being driven towards its site.
This brings into question the role of the affiliate, reviewed as follows:
- Affiliate as a processor: The affiliate carries out its operation solely to drive traffic towards an operator and without an operator the affiliate would not be processing personal data. The affiliate acts solely on behalf of the operator.
- Affiliate as a controller: Although the affiliate’s aim is to provide customers to the operator, the way in which the affiliate fulfils this task and the means in which the affiliate reaches out to prospective players is entirely up to the affiliate. The affiliate has autonomy over its processing.
Although an argument could be made either way, it is likely that affiliates (acting in their usual capacity) will be controllers.
This is corroborated by the ICO’s guidance note on controllers and processors where the example of an organisation that determines the precise data collected and the manner in which processing is carried out to be a controller, which is the case with affiliates.
GDPR will actually lessen the impact on whether or not an affiliate is a processor or a controller as GDPR introduces liability for both. This will mean that an affiliate who is solely responsible for breaching GDPR will be liable, rather than the operator potentially being liable and then having a contractual remedy against the affiliate (as would currently be the case if an affiliate is a processor).
There are two points to note, however: (i) it is still important to address if the affiliate is a controller or processor as controller-processor contracts (which would include affiliate T&Cs) must contain certain provisions under Article 28 of the GDPR; and (ii) regulators and/or affected customers may pursue the operator rather than the affiliate under the assumption that the operator is the controller, because of the greater brand presence of operators.
It is also important to note that being a controller or a processor is a question of fact not of contract and so the precise role of an affiliate will be determined by a regulator, regardless of what may be stated in the affiliate T&Cs (although the contract may be used to help a regulator reach its decision).
On the whole, affiliates are most likely to be controllers in their own right and this position is probably the preferable one for operators because it would mean that any data protection breach by the affiliate should bring liability solely on to the affiliate.
Of course, there may be related liability or liability under other regulation for operators to consider, as well as potential harm to the brand. In any event, it would be advisable, accurate and advantageous for operators to review and update, if necessary, their affiliate T&Cs to set out the fact that the affiliate will be a data controller in respect of processing personal data and driving traffic towards the operator’s site/app.
Another consideration for operators and affiliates in relation to GDPR is how an affiliate, as a controller, complies with the GDPR. GDPR retains much existing data protection law but also brings about new rights, new obligations and stricter compliance requirements for those areas that are carried over. Some of the key provisions for an affiliate to comply with under GDPR are:
Personal data should be processed in a fair, lawful and transparent manner (Article 5(1)(a)). This includes providing individuals whose personal data is being processed with certain information about how their data will be processed and their rights regardless of whether the controller collects personal data directly (Article 13) or from a third party (Article 14).
Controllers shall be responsible for and able to demonstrate compliance with the GDPR principles (Article 5(2)).
Demonstration of consent
Where processing is based on consent, the controller shall be able to demonstrate the data subject gave their consent (Article 7(1)).
Right to object to marketing
Where personal data is processed for direct marketing purposes (including profiling related to direct marketing), individuals shall have the right to object at any time (Article 21(2)).
Record of processing
Each controller shall keep a record of its processing activities (Article 30(1)). This also applies to processors (Article 30(2)). The records should contain information about the purposes of the processing, the categories of data subjects, the recipients of such personal data and a general description of the technical and organisational measures in place to keep personal data secure.
As these provisions will apply to operators, it makes sense that operators should consider being more specific in their affiliate T&Cs and in any due diligence they carry out over affiliates.
A compliance warranty in respect of applicable data protection laws may cover all aspects but it does not demonstrate much thought by either party in relation to data protection.
A warranty that affiliates shall comply with all data protection laws, including (without limitation) those listed above would demonstrate the operator’s commitment to ensuring that its affiliates are compliant with GDPR as well as both parties’ desire to process personal data lawfully and fairly.
Moreover, the accountability, demonstration of consent and record of processing provisions mean that operators could be including a right to request written evidence of an affiliate’s compliance with GDPR. This will
allow operators to easily identify those affiliates who take their data protection obligations seriously and, more generally, their legal obligations.
Given the role of affiliates and their use of operators’ brands, it is vital that operators ensure that their affiliates are sending direct marketing only where the person has given their consent
The final point to note on affiliates is that much of what they do will constitute direct marketing, particularly those that send out text messages and emails. Direct marketing is governed by separate legislation in the UK (the Privacy and Electronic Communications Act 2003) and this is being revised across the EU by the ePrivacy Regulation (currently in draft form).
The current law and the draft new law require consent to be obtained prior to sending unsolicited direct marketing. In addition to this, there are rights under this legislation (as well as GDPR) to allow recipients of direct marketing to object.
Given the role of affiliates and their use of operators’ brands, it is vital that operators ensure that their affiliates are sending direct marketing only where the person has given their consent, that the affiliate
is able to demonstrate such consent, that opt-out/unsubscribe options are included in all direct marketing, and that opt-out/unsubscribe options are respected.
As mentioned, it is the operators whose brand regulators and individuals will be most familiar with that increases the chance of claims/ investigations being brought against an operator for the actions of affiliates.
GDPR will affect operators and affiliates and will bring about changes that both will need to consider in respect of their relationship. It is highly likely that operators should be updating their affiliate T&Cs to include stricter measures on affiliates complying with GDPR and marketing legislation.
In addition, however, operators should be mindful to not simply rely on contractual protection with affiliates. Affiliates should be monitored and due diligence carried out where possible. GDPR actually offers operators more scope to easily carry out diligence of its affiliates given the accountability requirements that will be imposed on affiliates and this is something operators should be looking to take advantage of.