Please note that all my articles are for informational purposes only and not legal advice. I assume no liability for the content of my articles. The articles may be out of date, the legal situation may have changed, or the specific situation in a case may need to be assessed differently. A binding consultation can only be given by me directly in the individual case. Take advantage of my free brief consultation!
Affiliate/CPA Advertising: Attention to cookies by banners and links
In the last time I have already written some things about the cookie decision of the ECJ. Many clients or potential clients asked me which area was still affected when running a website. And one of them is advertising, which many websites finance themselves.
And this is a problem that should not be underestimated, because in the vast majority of cases agencies or networks are used for this purpose, which integrate the advertising banners or affiliate links via Javascript code into the website. With these advertising banners, the website operator usually has no influence on the exact contents of the advertising banners and certainly not on the technical details. Many of these advertisers may also be in the U.S., so caution should be exercised when it comes to what data is transferred to these providers. Many smaller providers may not have thought about how and which data is simply transferred to the USA by German/but also European users. That, in any case, is my experience.
CPA marketers in particular affected
I can say this quite certainly, for example, for some providers in the computer game and IT sector, who have not yet problematized whether things like an equivalent GDPR data protection standard are guaranteed by these providers. In this case, the transfer of data such as IP addresses to the USA is likely to be at least highly problematic, if not inadmissible. For larger providers such as Adsense, the problem is less, as they often have EU branches that are officially responsible for EU websites. In addition, larger companies such as Google make every effort to comply with the requirements of the GDPR and, for example, also oblige the site user to provide extensive information in their own data protection declarations. This also applies to cookies that are set.
But back to cookies: Such cookies may no longer be set without the express consent of the users, because cookies for the purpose of user tracking, retargeting or other marketing functions are certainly no longer technically necessary cookies. This also applies to cookies of most providers, which store how many times a certain person has already clicked on a banner or link, how many times they have seen a banner and many other functions. The site operator would be responsible for the lack of information and consent of the users, be liable and could be warned in the future.
Affiliates Cookies problematic
By the way, this is particularly true for cookies, regardless of the technical nature, which enable success-based advertising, i.e. which are used to determine whether a user who has clicked on a banner/link has a specific act on the landing page, such as logging in to a service, has carried out. The user must be informed about the setting of such cookies, which makes the use of affiliate links/banners (in the area of gaming also called CPA (cost per action) advertising, at least very difficult, but in any case much more unprofitable. It is irrelevant whether the users are brought to the landing pages via banners, videos or links, because as a rule, appropriate cookies should already be set when displaying the advertising material (or the automatic insertion of the affiliate links). But even if these cookies are only set when clicking on the advertising media, courts are likely to assume a responsibility of the site operators in the future. For the site operator, the only problem should be the version, in which cookies cookie will only be set on the landing page and the user is sent to the destination with a special affiliate link, which contains the ID of the affiliate as a parameter. At the latest, however, the landing page must then set cookies subject to consent, which are expected to be rejected by many users in the future, which in turn should have a direct impact on the profitability of such advertisements. Because if a user is not tracked, the commission cannot be assigned to the website.
There are no warnings yet
I am not aware of any warnings at the moment, but that does not have to mean anything. The legal situation is probably quite clear at the moment and every website operator is advised to check their own advertising media and providers for conformity, because especially affiliate/CPA advertising is only possible with restrictions. Since this is likely to make some business concepts, such as offering SEO-optimized product collections (whether for hardware, online games, etc.) very difficult, it is advisable to consult here in case of doubt. As an entrepreneur who has overseen a marketing agency in the field of computer games for 10 years, I can give helpful tips and advice to my clients here.
Advice is recommended
However, it is also advisable for agencies to seek comprehensive advice, as only GDPR-compliant services will be operated safely in the EU in the future and can be used by customers. It can also be assumed that in the future, data protection supervisory authorities will also target providers who consistently ignore the GDPR and transfer data to the US or illegally store data in the EU and impose fines. These could then be enforced, depending on the legal construction and manner of appearance, also to European representatives, partners or other related entrepreneurs.
Since affiliate/CPA advertising is a very important economic factor for the marketing of products, software or services in many areas, such as computer games, I will deal with some other special features in the near future.
Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.
