Affiliate Marketing uses third-party cookies to display ads and track user behavior. Affiliate Networks generate unique links for each publisher to display on their websites. When a user clicks such a link, the user is redirected to the advertiser’s website. During the click, the affiliate network places a third-party cookie on the user’s device.
Who needs a cookie banner?
The GDPR has an extraterritorial scope in Art. 3 GDPR. The GDPR Cookie banner requirement applies to publishers and advertisers doing Affiliate Marketing that have an establishment in the European Union. It also applies to publishers and advertisers that don’t have an establishment in the European Union when the targeted data subject is in the European Union and they either offer goods or services to users in the European Union or monitor user behavior that takes place in the European Union.
This means if a publisher that is established outside of the European Union has a website like a blog, a social media profile or a channel, and directs his or her content to users in the European Union, the website needs a cookie banner.
What are the GDPR requirements for a cookie banner?
The GDPR provides that the processing of personal data is only lawful if the user has given his or her explicit consent.
What does this mean for cookie banners?
- Active, opt-in consent
A cookie banner has to give the user the option to opt in. You cannot use a cookie banner that forces the user to opt out. Cookies cannot be used by default. The user has to make an active choice by clicking and selecting cookies.
You cannot use pre-checked consent boxes and require the user to opt out by deselecting the box.
Only the opt-in option fulfills the requirement of specific and explicit consent.
- Freely given consent
- Separate consent
The cookie banner has to be separated from other consents, e.g. for contracts or services. You cannot integrate the consent to cookies in other legal documents. You need a separate cookie banner giving the option to explicitly opt in. The cookie banner has to be displayed in a way that users can see it immediately when visiting your website. Most websites place their cookie banner in the middle or at the bottom of their website.
- No assumption of consent
- Clear and comprehensive information
Clear and comprehensive information implies that a user is in a position to be able to easily determine the consequences of any consent he might give. The user must be able to assess the effects of his or her actions. The information given must be clearly comprehensible and not be subject to ambiguity or interpretation. It must be sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to.
Keep your users informed of the types of data you are processing, the purposes of the processing, and its duration. In addition to asking what data each cookie holds and whether it is linked to any other information held about the user, you must consider the lifespan of the cookie and whether this lifespan is appropriate in light of the cookie’s purpose.
If third parties have access, their identity must be disclosed.
What happens if a Publisher or Advertiser does not have a cookie banner?
Websites not complying with cookie banner requirements risk a fine under the GDPR. The violation of basic principles for consent can be subject to administrative fines of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year.