14 Macklin Street, London WC2B 5NF
020 7050 6969
IAB Affiliate Marketing Council Consumer Transparency Framework: A Guide for Publishers / Affiliates
ePrivacy guidance across the affiliate marketing industry
V 1.2 | May 2013 | Produced by the IAB Affiliate Marketing Council
IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 2
A Guide for Publishers / Affiliates | May 2013
Introduction
The IAB Affiliate Marketing Council (AMC) developed the Consumer Transparency
Framework (‘the Framework’) in the spring of 2012 following the introduction of the
revised Privacy and Electronic Communications Regulations (PECR) 2011. Primarily it
offers helpful guidance to publishers/affiliates on addressing aspects of online
privacy and transparency, particularly where the use of cookies is concerned.
Within this (May 2013) update the Framework remains largely unchanged and is based on
the Information Commissioner’s Office guidance, which we encourage everyone to read.
There are some minor additions including clearer examples of how publishers and
institutions have approached compliance since the laws were introduced.
Perhaps most significantly, since the Framework was first issued, the ICO has clarified
that ‘implied consent’ is a valid form of consent, and has adopted measures on its own
website that support this (this example is illustrated in the Framework).
Overall, the IAB AMC message remains consistent – we believe it is important for the
affiliate marketing sector to demonstrate a responsible approach to online privacy and
transparency. Although it is increasingly the norm for publishers to address compliance
on their sites, we continue to stress that all publishers / affiliates should take
compliance seriously as a legally enforceable requirement.
It is difficult to view this Framework and the collective efforts to comply with the current
rules without factoring in current EU proposals for additional changes to data protection
regulation. By demonstrating an ongoing commitment to consumer privacy and
transparency the IAB and the industry as a whole are in a stronger position to present
plausible alternative options. In turn, this addresses the privacy concerns but also allows
for the economic arguments essential to our continued policy representation.
While we believe the Framework offers a robust approach to addressing
compliance, it does not constitute legal advice and should not be viewed or applied
as a definitive blueprint for achieving compliance. Ultimately, everyone must take
the measures they believe best fit their own situation in accordance with the rules
and the ICO guidance.
We encourage networks, agencies and affiliate managers to communicate and share this
Framework with all publishers / affiliates. Publishers / affiliates are encouraged to consider
this Framework when deciding which measures are most appropriate to their specific
circumstances.
The guidance covers:
1. The Consumer Transparency Framework – what do you need to think about?
2. Cookie audits – What do you need to do?
3. Background to the revised PECR law
Extensive references and links are included in the appendix section at the back of the
document. We will continue to make further updates as necessary and recommend that
you keep checking back on this Framework. We also value your feedback so please send
any comments to [email protected].
Please note: This Framework does not constitute legal advice. We recommend that
businesses take their own legal advice for their own circumstances.
Nathan Salter, Chair, IAB Affiliate Marketing Council Legislation Committee and COO, OMG
What is Affiliate Marketing?
Advertisers and retailers (merchants) use affiliate marketing to drive consumers to their
website as part of their sales activities. Many of these merchants and advertisers are
small businesses using affiliate ‘networks’ to manage their online sales channels. Affiliates
and publishers are essentially their ‘online sales forces’ and they use a variety of ways to
encourage consumers to a website to make a sale via links generated by a network on
behalf of a merchant or advertiser. These methods include (but are not limited to) search
marketing, social media, vouchers, cashback and price comparison. Affiliates are paid on
a Cost Per Acquisition (CPA) basis and sales are tracked back to the relevant affiliate
through the use of cookies. For further information on affiliate marketing see
www.iabuk.net/disciplines/affiliate-marketing.
The IAB Affiliate Marketing Council (AMC)
The IAB’s AMC is made up of many of the affiliate marketing industry’s key publishers,
advertising and technology service providers as well as numerous large consumer facing
brands. For further information on the Council’s activities see
www.iabaffiliatemarketing.com.
* ICO Half Term Report 2011
The Affiliate Marketing Consumer Transparency Framework
1. Audit first – To achieve transparency publishers need an understanding of their
use of both first party and third party cookies that operate as part and parcel of
their other activities, especially around affiliate advertising and marketing. This
requires an audit, and how this is carried out will vary from organisation to
organisation. The aim is to establish a clear assessment of where you may have
issues to address.
We’ve created a more detailed guide at the back of this document to help you. See
Appendix I.
2. Document your activities – Ensure you have effective documentation and
organisation in place to be confident that your efforts to offer transparency are
reliable and accurate. Every organisation will take a different approach depending
on the size and complexity of the business.
You will certainly need to document your audits and resulting actions. You might
need to go further to include any associated business policies, processes and who
is responsible for compliance in your business.
3. Identify prominent customer/user touch points – The ICO has said that it is not
the intention of the Regulation to result in a pop-up consent culture.
Nevertheless the ICO stresses the importance of consent for non-essential
cookies and states that “implied consent is a valid form of consent and can be
used in the context of compliance with the revised rules on cookies”.
(http://www.ico.org.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx)
Accordingly one of the key measures of transparency will be how accessible the
information is and how the requirement for consent is approached.
The following examples draw from ICO published material and illustrate different
but simple ways of addressing consent and improving on site visibility in non-
interruptive ways:
Fig 1 Cookie/Privacy Bottom Notification Panel
The above example is taken from the ICO Website (www.ico.org.uk)
This notification panel circled in red appears on the first visit to the ICO site.
Fig 2 Cookie/Privacy Top Notification Panel
The above example is taken from the ICO Enforcement Activity Report (Dec 2012)
The ICO report states that the site provides a clear consent banner on entry with links to further
information.
Fig 3 Formatting changes – font, colour or size - can bring greater prominence (source: ICO
Guidance on the use of cookies and similar technologies)
Fig 4 Prominent Positioning - ensuring links to relevant information are placed in prominent
positions, for instance at the top of the page rather than in the footers (source: ICO Guidance on the
use of cookies and similar technologies)
Fig 5 Making the link/s more explanatory – Using wording in the links that makes it clear to users.
(source: ICO Guidance on the use of cookies and similar technologies)
4. Produce effective communication material – for the material you make
available to consumers to be effective it must be:
o Easy to understand – plain English where possible;
o Honest and accurate – users mustn’t be misled in any way and
information should not seek to deliberately mislead; and
o Helpful and empowering – the aim is to put the consumer in control and
provide them with the information and means to achieve this. Information
presented must satisfy this requirement.
5. Include relevant subject matter and ‘headings’
These examples are illustrative only.
What are Cookies?
Example only description: Cookies are small, usually randomly encoded, text
files that help you navigate through a website. They are generated on the sites
that you visit as well as by third-parties that websites work with to manage key
elements of their business (user functionality and advertising, for instance). In
most cases they do not involve or use personal information in any way.
They are extensively used online and have become part of the fabric and
make-up of what has made the internet work so effectively for consumers and
businesses. Without cookies many areas of functionality, for example user
logins, shopping baskets and other customisation features, will not work.
Is it just about cookies?
Describe other technologies that are used with advertising and affiliate sales.
Examples may include:
o Flash Locally Stored Objects (e.g. ‘Flash’ cookies) – these follow the
same principle as standard cookies in that they
allow information to be stored on a user’s machine.
For further information about cookies you can also visit www.aboutcookies.org
Controlling Cookies
Describe how you can prevent, delete and control cookies on your
computer by using the relevant settings within your browser options etc.
Explain how this may affect the overall experience with the website.
What are our responsibilities?
Describe the need to provide transparency to consumers and sign-post to the
revised law.
What is our policy as a business?
Explain to consumers what your approach is to providing transparency and
protecting privacy.
How do we use cookies on our website?
Describe first and third party cookie usage within your advertising, analytics
activities etc.
Describe the affiliate marketing model briefly, being clear about advertising and
sales revenues. It is important to keep this information easy-to-understand for
the average internet user.
Information about the cookies used
There are many examples available on the internet to provide assistance on
how this can best be formatted. You might use a simple table providing clear
information. Something like:
| Cookie Name | Purpose, characteristics and privacy | How to delete and prevent |
|---|---|---|
| XYZ-adv | This is a first party cookie which is used to ensure that we are able to provide users with / track advertising etc… The information stored does not include any personal data. It includes anonymous identifiers. | Describe how the cookie can be deleted, blocked and provide any opt out functionality (e.g. links) |
Third party solutions may need to be summarised, perhaps with a short
section for each provider, e.g.:
Name of Provider: Example X
Description of Cookies: Example X tags are used by our advertisers to
measure the effectiveness of their online marketing campaigns and to
provide anonymous transaction data.
Privacy / deleting cookies: You can read more about Example X here.
Appendix I: Building your cookie audit
These steps follow the advice of the ICO:
1. Conduct a comprehensive audit of cookies (and other technologies) and how they are used. How this is carried out depends on your organisation. The aim is to establish a
clear assessment of where you may have issues. We have highlighted a set of
useful questions for audit – see below.
While many of the cookies are linked to the advertising displayed on your site, they
will NOT be in your control. These are controlled by the ad servers like Microsoft /
Atlas, Google / Doubleclick, Valueclick / Mediaplex, etc. It’s strongly advised you
understand how these work so they can be incorporated into your audit. The
networks and agencies you work with will be able to direct you to relevant
information regarding these third-party providers.
2. Assess intrusiveness – As part of the audit, the ICO advises businesses to make an
assessment of how intrusive cookie (or other technology) use is. The ICO recognises
that many cookie uses – such as for functional or analytical purposes – do not have
an impact upon user privacy.
3. Where you need consent – Decide what solution to obtain consent will be best in your circumstances. The
ICO has stated that “implied consent” is a valid form of consent. Regarding
assessing privacy intrusiveness the ICO has said:
“It might be useful to think of this in terms of a sliding scale, with privacy neutral
cookies at one end of the scale and more intrusive uses of the technology at the
other. You can then focus your efforts on achieving compliance appropriately
providing more information and offering more detailed choices at the intrusive end
of the scale”.
Audit Question Examples
Date of audit
Who was the audit carried out by?
Cookie Name
Cookie Type – Persistent, Temporary, Flash
Is it first or third party?
Cookie Purpose
Cookie Duration
What data is held in the cookie?
Is there any personally identifiable data or is it all anonymous?
If there is any personally identifiable data, state what it is and why it is there
Is the cookie used to provide targeted advertising?
Where is the cookie used? (How would a user be exposed to it?)
Which country’s users is the cookie aimed at (e.g. UK users)?
Where is the website’s published policy that explains the cookie?
Is the user provided with an explanation of how to delete the cookie?
Is the user provided with an explanation of how to prevent the cookie?
What measures are needed to address compliance issues? Describe how the
measure benefits the user (for instance how it provides greater transparency and
offers a greater ability for the user to control their privacy).
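As an added illustration (not part of the IAB Framework), the sketch below fills the name, type, first/third party and duration questions above from observed Set-Cookie response headers. The hostnames, cookie values and helper names are constructed for the example; Flash objects do not appear in HTTP headers and need a separate check.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

@dataclass
class AuditRow:
    name: str
    cookie_type: str                 # "Persistent" or "Temporary" (session)
    party: str                       # "first" or "third"
    duration_days: Optional[float]   # None for session cookies

def same_site(host_a, host_b):
    # Simplification (assumption): a production audit should compare
    # registrable domains using the Public Suffix List.
    a, b = host_a.lstrip(".").lower(), host_b.lstrip(".").lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def audit_cookie(set_cookie, response_host, site_host, observed_at):
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime = None                  # seconds; None means no expiry was set
    if "max-age" in attrs:           # Max-Age takes precedence over Expires
        lifetime = float(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = (expires - observed_at).total_seconds()
    # Without a Domain attribute the cookie belongs to the responding host.
    domain = attrs.get("domain") or response_host
    return AuditRow(
        name=name,
        cookie_type="Temporary" if lifetime is None else "Persistent",
        party="first" if same_site(domain, site_host) else "third",
        duration_days=None if lifetime is None else round(lifetime / 86400, 1),
    )

# Constructed sample data: (host that sent the response, Set-Cookie value).
SITE = "www.example-affiliate.test"
OBSERVED_AT = datetime(2013, 5, 1, tzinfo=timezone.utc)
OBSERVATIONS = [
    ("www.example-affiliate.test", "sessionid=abc123; Path=/; HttpOnly"),
    ("www.example-affiliate.test",
     "XYZ-adv=a1b2; Domain=.example-affiliate.test; Max-Age=2592000; Path=/"),
    ("track.example-network.test",
     "aff_click=9f8e; Expires=Thu, 01 May 2014 00:00:00 GMT; Path=/"),
]

def run_audit():
    return [audit_cookie(h, host, SITE, OBSERVED_AT) for host, h in OBSERVATIONS]

if __name__ == "__main__":
    for row in run_audit():
        print(row)
```

The remaining questions (purpose, data held, where the policy is published) still have to be answered by a person for each row.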
Appendix II: The New Law - background and more detailed reading
The revised ePrivacy Directive is part of a broader piece of European legislation – the EU
Electronic Communications Framework - that comprises a total of five Directives, and was
required to be implemented into all national laws by 25 May 2011.
It amends the existing Directive, replacing the existing ‘notice and opt out’ provisions
with a requirement to obtain consent for ‘the storing of information or the gaining of
access to information stored in the terminal equipment of a subscriber or user… having
been provided with clear and comprehensive information’ (Article 5.3).
It applies to all technologies used for this purpose, including cookies, and impacts on a
wide range of online services, including affiliate marketing. The only exemption the
revised Directive makes is when uses are “strictly necessary”. See ICO guidance for
further information.
The new law came into force in the UK on 5 May 2011. The Regulation can be read
here: http://www.legislation.gov.uk/uksi/2011/1208/contents/made
The UK Government has set out its view on how the law is to be implemented in an
‘open letter’ of 24 May 2011 (see URL below). The letter – drafted in consultation with
the ICO – states that the UK implementation should be “light touch [and] business-
friendly” and concludes that its approach is “good for business, good for consumers
and addresses in a proportionate and pragmatic way the concerns of citizens with
regard their personal data online.”
The ICO’s most recent guidance can be found at:
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx.
The ICO has stated that used within the context of the rules, implied
consent is a valid form of consent (see:
http://www.ico.org.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx).
Further guidance may be published in due course.
Further References:
DCMS open letter: www.dcms.gov.uk/images/publications/cookies_open_letter.pdf
Emphasising the pragmatic, flexible and business friendly approach supported by
the UK Government.

ICO News Release: http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx
Affirming the need to take measures to achieve compliance but also recognising the complexities involved especially with third-party cookies.

ICO Half Term Report, December 2011: http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx
Indications are provided regarding the regulator’s attitude towards enforcement
(“…the Regulatory Action Strategy makes clear that any formal action must be a
proportionate response to the issue it seeks to address”). Whilst enforcement is
not precluded, the level of intrusiveness and risk of harm to individuals appears
likely to be a relevant factor. Likewise, the measures taken to inform users
regarding the use of cookies and their associated choices also appear to be an
important factor in determining whether compliance has been adequately
addressed.

ICO blog: Updated Advice and guidance on changes to the EU Cookie Law (May 2012): http://www.ico.org.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx
A video and blog with information on “implied consent” and answering questions including:
1. How can UK organisations comply with the new cookies changes?
2. Is the ICO concerned that many websites aren’t yet compliant?
3. What approach will the ICO be adopting to enforcing the amended cookies laws?
4. What are the benefits of complying with the new cookies regulations?
5. What should members of the public do if they are concerned about cookies being placed on their device?
6. How is the ICO working with web browsers and third party advertisers to ensure they comply with the changes?