Affiliate Guide to Cookie Compliance From Moonpull

We take a look at cookie consent and what it means for the average publisher using affiliate tracking.

We All Know What Cookies Are

Everyone knows what cookies are – or think they do. Put simply a cookie is an alphanumeric file stored on a user’s device to identify them and their online behaviours. In fact most computers will have hundreds or thousands saved into a browser. For most people, their interaction starts and ends with the ‘Accept All’ or deny buttons on landing on a website.

The fact is that cookies are and will continue to be an essential element in any on-site tracking for the foreseeable future. Even simple website functionality relies on this simple and unobtrusive device. It has been the way cookie data has been shared and even misused that has become the issue.

There’s also been a lot of talk about the death of cookies and cookieless tracking across digital channels. There have been big changes in the way cookies are handled, with announcements from Apple, Google and others laying out their visions of a digital future with the internet user having more control over what they see.

The introduction of the GDPR regulations way back in 2018 was a wake up call for businesses selling to European consumers. It is now crucial that companies have documented procedures for dealing with personal information and consent is explicitly given for data to be stored. That of course includes all affiliate cookies.

Third Party Cookies Will Disappear

In response to the changes and announcements from Apple and Google, the affiliate industry has been in conversation in most markets. Many leading global affiliate companies have joined together to tackle this; the affiliatepartnertracking website provides a useful downloadable guide, created and endorsed by many of the leading networks.

Most affiliate networks are moving over to using just first party cookies or have a thorough plan in place. So from an affiliate perspective, all should be covered. However, along with the changes in tracking there has been a steady movement towards more rigorous cookie compliance.

There are an increasing number of global regional and local regulations following on from the European GDPR rules. In the USA, variations on California’s CCPA are being rolled out across other states; many other countries are also strengthening regulations for online activity.

What is the GDPR?

The General Data Protection Regulation (GDPR) is intended to formalise consumer protection for internet users against having their data stored without consent, across all EU markets. That includes the simple information included in cookies – and more importantly to any website that can be accessed by European users.

Most people have read that fines of up to 20 million euros, or up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher. That applies for any organisation globally where an EU resident reports a breach. That should concentrate the mind of any business, anywhere.

In November 2017 the Interactive Advertising Bureau (IAB) Europe announced a technical standard for online consent. The GDPR also means programmatic advertisers must seriously reconsider their strategies going forwards. The focus needs to move from data volumes to effectively communicating the value of data to its subjects.

Of course apart from publisher websites with memberships such as cashback or forums, the average affiliate won’t be processing personally identifiable data, though of course, all consumer data should be managed according to the best practice in these and other regulations such as the EU-US privacy shield.

It should also be remembered that California’s CCPR is in place along with similar regulations in other states, so US-based advertisers or publishers can’t ignore it. Similarly, other territories around the world are starting to introduce their own regulations.

What is PECR?

The basic thrust of the Privacy and Electronic Communications Regulations (PECR) is that if your websites use cookies you must:

say what cookies will be set
explain what the cookies will do – and
obtain consent to store cookies on devices
ensure the consent is explicit and not just an “I’m OK with cookies” button.

Compliance for Affiliates

Most responsible web properties now incorporate a Consent Management Platform (CMP) to give users the choice to accept or deny cookie use before the website content is shown. Moonpull has identified that how this is applied and how it is implemented can have a significant bearing on the effectiveness of affiliate tracking.

Publishers will need to understand how this all impacts their business; and it doesn’t just cover European affiliates. US affiliates will need to ensure compliance with the CCPA legislation as well. As an example, Partnerize advises that it’s important to note that unambiguous consent is required for the use of many cookies because the GDPR only considers consent sufficient if it is “unambiguous”.

Using broadcast techniques such as mailing to acquired email lists has already been tightly controlled for some time. Services such as Mailchimp and Hubspot require close management of lists and user consent to ensure continued service and helping publishers to be compliant. The principles need to be adhered to in all communications.

For most smaller websites there are free tools and WordPress plugins, though it may be necessary to upgrade to paid services for higher volume publishers. There are of course plenty of mainstream options available, with the most commonly applied in the affiliate industry being OneTrust, Tealium and Quantcast.

The Advantages for Compliant Advertisers

As Moonpull has identified, CMPs aren’t always implemented correctly, or even ideally. In some cases it can cause issues with tracking, on occasions breaking it completely, as has been covered in the recent blog article. When everything is implemented correctly, there should be few problems.

Based on our findings in the Moonpull/1000 analysis, implementation of cookie consent is by no means consistent. In fact well over 50% of commercial websites are operating with either no CMP or a simple ‘I get this’ type message. That can fall leave operators vulnerable to issues or sanctions for contravention of GDPR, the CCPA or any other privacy regulations.

Advertisers have to tread a difficult line between ensuring complete legal compliance and their commercial needs; and ensuring that consumers aren’t being blocked or put off entering a website.

Legally over-zealous CMP implementation can lead to cookies and affiliate tracking failing at the landing page. It can even fail on a page refresh or following a user navigating away from the landing page.

Ian Miller in Total Retail argues that online retailers that put privacy first will have a competitive advantage. However, it goes without saying that from the publishers’ perspective, advertisers who have implemented their cookie compliance most effectively are likely to have more robust affiliate tracking – and, with that, a better conversion rate.

It is those advertisers which will attract and retain the best affiliate partnerships. So it should be a central focus of any advertiser to ensure all is implemented correctly with the least interruption of a user’s navigation on their website.

Seven Key Points for Affiliates

Most networks have issued guidance for publishers but there are a few key points that any affiliate needs to put in place:

Assess the impact of GDPR, PECR and CCPA on their websites and business
Ensure transparency for website visitors – including of course an affiliate disclosure
Ensure any personal user data is securely stored where strictly necessary and processes documented
Upgrade privacy policies and include a cookie consent capture
Anonymize user data where practical
Keep up to date via affiliate networks’ latest information
Assess the advertisers being promoted to ensure that their CMPs are compliant and don’t interfere with affiliate tracking

Publishers also need to be aware of changes in how a program tracks to ensure commissions aren’t being eroded. It’s great advice to keep a log of EPCs and conversion rates over time to spot inconsistencies.

Moonpull Reporting

The Moonpull platform is uniquely configured to give affiliates that analysis in granular detail. The outputs also provide a comprehensive picture to pass through to an advertiser, which helps them implement a fix more quickly and ensure that tracking is not compromised and the advertiser / publisher partnership damaged.

Moonpull puts the tools in the hands of affiliates to understand this and let the networks and advertisers know how to fix it. It is also a step towards reclaiming the commission erosion and add 5% extra revenue to everyone’s bottom line.