14 Macklin Street

020 7050 6969 London WC2B 5NF

IAB Affiliate Marketing Council Consumer Transparency Framework: A Guide for Publishers / Affiliates

ePrivacy guidance across the affiliate marketing industry

V 1.2 | May 2013 | Produced by the IAB Affiliate Marketing Council

Produced by the IAB Affiliate Marketing Council

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 2

A Guide for Publishers / Affiliates | May 2013

Introduction

The IAB Affiliate Marketing Council (AMC) developed the Consumer Transparency

Framework („the Framework‟) in the spring of 2012 following the introduction of the

revised Privacy and Electronic Communications Regulations (PECR) 2011. Primarily it

offers helpful guidance to publishers/affiliates regarding addressing aspects of online

privacy and transparency particularly where the usage of cookies is concerned.

Within this (May 2013) update the Framework remains largely unchanged and is based on

the Information Commissioner‟s Office guidance, which we encourage everyone to read.

There are some minor additions including clearer examples of how publishers and

institutions have approached compliance since the laws were introduced.

Perhaps most significantly, since the Framework was first issued, the ICO has clarified

that „implied consent‟ is a valid form of consent, and has adopted measures on its own

website that support this (this example is illustrated in the Framework).

Overall, the IAB AMC message remains consistent – we believe it is important for the

affiliate marketing sector to demonstrate a responsible approach to online privacy and

transparency. Despite it being increasingly the norm for publishers to address compliance

on their sites we are still stressing the importance that all publishers / affiliates take

compliance seriously as a legally enforceable requirement.

It is difficult not to see this Framework and the collective efforts to comply with the current

rules without factoring in current EU proposals for additional changes to data protection

regulation. By demonstrating an ongoing commitment to consumer privacy and

transparency the IAB and the industry as a whole is in a stronger position to present

plausible alternative options. In turn, this addresses the privacy concerns but also allows

for the economic arguments essential to our continued policy representation.

While we believe the Framework offers a robust approach to addressing

compliance, it does not constitute legal advice and should not be viewed or applied

as a definitive blueprint for achieving compliance. Ultimately, everyone must take

the measures they believe best fit their own situation in accordance with the rules

and the ICO guidance.

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 3

A Guide for Publishers / Affiliates | May 2013

We encourage networks, agencies and affiliate managers to communicate and share this

Framework with all publishers / affiliates. Publishers / affiliates are encouraged to consider

this Framework when deciding which measures are most appropriate to their specific

circumstances.

The guidance covers:

1. The Consumer Transparency Framework – what do you need to think about?

2. Cookie audits – What do you need to do?

3. Background to the revised PECR law

Extensive references and links are included in the appendix section at the back of the

document. We will continue to make further updates as necessary and recommend that

you keep checking back on this Framework. We also value your feedback so please send

any comments to clare@iabuk.net.

Please note: This Framework does not constitute legal advice. We recommend that

businesses take their own legal advice for their own circumstances.

Nathan Salter, Chair, IAB Affiliate Marketing Council Legislation Committee and COO, OMG

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 4

A Guide for Publishers / Affiliates | May 2013

What is Affiliate Marketing? Advertisers and retailers (merchants) use affiliate marketing to drive consumers to their

website as part of their sales activities. Many of these merchants and advertisers are

small businesses using affiliate „networks‟ to manage their online sales channels. Affiliates

and publishers are essentially their „online sales forces‟ and they use a variety of ways to

encourage consumers to a website to make a sale via links generated by a network on

behalf of a merchant or advertiser. These methods include (but are not limited to) search

marketing, social media, vouchers, cashback and price comparison. Affiliates are paid on

a Cost Per Acquisition (CPA) basis and sales are tracked back to the relevant affiliate

through the use of cookies. For further information on affiliate marketing see

www.iabuk.net/disciplines/affiliate-marketing.

The IAB Affiliate Marketing Council (AMC)

The IAB‟s AMC is made up of many of the affiliate marketing industry‟s key publishers,

advertising and technology service providers as well as numerous large consumer facing

brands. For further information on the Council‟s activities see

www.iabaffiliatemarketing.com.

* ICO Half Term Report 2011

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 5

A Guide for Publishers / Affiliates | May 2013

The Affiliate Marketing Consumer Transparency Framework

1. Audit first – To achieve transparency publishers need an understanding of both

their use of first party and third party cookies that operate as part and parcel of

their other activities, especially around affiliate advertising and marketing. This

requires an audit and how this is carried out will vary from organisation to

organisation. The aim is to establish a clear assessment of where you may have

issues to address.

We‟ve created a more detailed guide at the back of this document to help you. See

Appendix I.

2. Document your activities – Ensure you have effective documentation and

organisation in place to be confident that your efforts to offer transparency are

reliable and accurate. Every organisation will take a different approach depending

on the size and complexity of the business.

You will certainly need to document your audits and resulting actions. You might

need to go further to include any associated business policies, processes and who

is responsible for compliance in your business.

3. Identify prominent customer/user touch points – The ICO has said that it is not

the intention of the Regulation to result in a pop-up consent culture.

Nevertheless the ICO stresses the importance of consent for non-essential

cookies and states that “implied consent is a valid form of consent and can be

used in the context of compliance with the revised rules on cookies”.

(http://www.ico.org.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-

directive-eu-cookie-law.aspx)

Accordingly one of the key measures of transparency will be how accessible the

information is and how the requirement for consent is approached.

The following examples draw from ICO published material and illustrate different

but simple ways of addressing consent and improving on site visibility in non-

interruptive ways:

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 6

A Guide for Publishers / Affiliates | May 2013

Fig 1 Cookie/Privacy Bottom Notification Panel

The above example is taken from the ICO Website (www.ico.org.uk)

This notification panel circled in red appears on the first visit to the ICO site.

Fig 2 Cookie/Privacy Top Notification Panel

The above example is taken from the ICO Enforcement Activity Report (Dec 2012)

The ICO report states that the site provides a clear consent banner on entry with links to further

information.

Fig 3 Formatting changes – font, colour or size - can bring greater prominence (source: ICO

Guidance on the use of cookies and similar technologies)

Fig 4 Prominent Positioning - ensuring links to relevant information is placed in prominent

positions. For instance at the top of the page rather than in the footers (source: ICO Guidance on the

use of cookies and similar technologies)

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 7

A Guide for Publishers / Affiliates | May 2013

Fig 5 Making the link/s more explanatory – Using wording in the links that makes it clear to users.

(source: ICO Guidance on the use of cookies and similar technologies)

4. Produce effective communication material – for the material you make

available to consumers to be effective it must be:

Easy to understand – plain English where possible;

Honest and accurate – users mustn‟t be misled in any way and

information should not seek to deliberately mislead; and

Helpful and empowering – the aim is to put the consumer in control and

provide them with the information and means to achieve this. Information

presented must satisfy this requirement.

5. Include relevant subject matter and ‘headings’

These examples are illustrative only.

What are Cookies?

Example only description: Cookies are small, usually randomly encoded, text

files that help you navigate through a website. They are generated on the sites

that you visit as well as by third-parties that websites work with to manage key

elements of their business (user functionality and advertising, for instance). In

most cases they do not involve or use personal information in any way.

They are extensively used online and have become part of the fabric and

make-up of what has made the internet work so effectively for consumers and

businesses. Without cookies many areas of functionality for example, user

logins, shopping baskets and other customisation features will not work.

Is it just about cookies?

Describe other technologies that are used with advertising and affiliate sales.

Examples may include:

o Flash Locally Stored Objects (e.g. „Flash‟ cookies) – these follow the

same principle as normal standard cookies in the respect that they

allow information to be stored on a user‟s machine.

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 8

A Guide for Publishers / Affiliates | May 2013

For further Information about cookies you can also visit www.

aboutcookies.org

Controlling Cookies

Describe how you can you can prevent, delete and control cookies on your

computer by using the relevant settings within your browser options etc.

Explain how this may affect the overall experience with the website.

What are our responsibilities?

Describe the need to provide transparency to consumers and sign-post to the

revised law.

What is our policy as a business?

Explain to consumers what your approach is to providing transparency and

protecting privacy.

How do we use cookies on our website?

Describe first and third party cookie usage within your advertising, analytics

activities etc.

Describe the affiliate marketing model briefly, being clear about advertising and

sales revenues. It is important to keep this information easy-to-understand for

the average internet user.

Information about the cookies used

There are many examples available on the internet to provide assistance on

how this can best be formatted. You might use a simple table providing clear

information. Something like:

Cookie Name Purpose, characteristics and privacy

How to delete and prevent

XYZ-adv This is a first party cookie which is used to ensure that we are able to provide users with / track advertising etc… The information stored does not include any personal data. It includes anonymous identifiers.

Describe how the cookie can be deleted, blocked and provide any opt out functionality (e.g. links)

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 9

A Guide for Publishers / Affiliates | May 2013

Third party solutions may need to be summarised, perhaps with a short

section for each provider, e.g.:

Name of Provider: Example X

Description of Cookies: Example X tags are used by our advertisers to

measure the effectiveness of their online marketing campaigns and to

provide anonymous transaction data.

Privacy / deleting cookies: You can read more about Example X here.

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 10

A Guide for Publishers / Affiliates | May 2013

Appendix I: Building your cookie audit

These steps follow the advice of the ICO:

1. Conduct a comprehensive audit of cookies (and other technologies) and how they are used. How this is carried out depends on your organisation. The aim is to establish a

clear assessment of where you may have issues. We have highlighted a set of

useful questions for audit – see below.

While many of the cookies are linked to the advertising displayed on your site, they

will NOT be in your control. These are controlled by the ad servers like Microsoft /

Atlas, Goolge / Doubleclick, Valueclick / Mediaplex, etc. It‟s strongly advised you

understand how these work so they can be incorporated into your audit. The

networks and agencies you work with will be able to direct you to relevant

information regarding these third-party providers.

2. Assess intrusiveness As part of the audit, the ICO advices businesses to make an assessment on how intrusive cookie (or other technology) use is. The ICO recognises that many cookie uses – such as for functional or analytical purposes - do not have an impact upon user privacy.

3. Where you need consent Decide what solution to obtain consent will be best in your circumstances. The

ICO has stated that “implied consent” is a valid form of consent. Regarding

assessing privacy intrusiveness the ICO has said:

“It might be useful to think of this in terms of a sliding scale, with privacy neutral

cookies at one end of the scale and more intrusive uses of the technology at the

other. You can then focus your efforts on achieving compliance appropriately

providing more information and offering more detailed choices at the intrusive end

of the scale”.

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 11

A Guide for Publishers / Affiliates | May 2013

Audit Question Examples

Date of audit

Who was the audit carried out by?

Cookie Name

Cookie Type – Persistent, Temporary, Flash

Is it first or third party?

Cookie Purpose

Cookie Duration

What data is held in the cookie?

Is there any personally identifiable data or is it all anonymous?

If there is any personally identifiable data, state what it is and why it is there

Is the cookie used to provide targeted advertising?

Where is the cookie used? (How would a user be exposed to it?)

What country users is the cookie aimed at (e.g. UK users)?

Where is the websites‟ published policy that explains the cookie?

Is the user provided with an explanation of how to delete the cookie?

Is the user provided with an explanation of how to prevent the cookie?

What measures are needed to address compliance issues? Describe how the

measure benefits the user (for instance how it provides greater transparency and

offers a greater ability for the user to control their privacy).

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 12

A Guide for Publishers / Affiliates | May 2013

Appendix II: The New Law - background and more detailed reading

The revised ePrivacy Directive is part of a broader piece of European legislation – the EU

Electronic Communications Framework - that comprises a total of five Directives, and was

required to be implemented into all national laws by 25 May 2011.

It amends the existing Directive, replacing the existing „notice and opt out‟ provisions

with a requirement to obtain consent for „the storing of information or the gaining of

access to information stored in the terminal equipment of a subscriber or user… having

been provided with clear and comprehensive information‟ (Article 5.3).

It applies to all technologies used for this purpose, including cookies, and impacts on a

wide range of online services, including affiliate marketing. The only exemption the

revised Directive makes is when uses are “strictly necessary”. See ICO guidance for

further information.

The new law came into force in the UK on 5 May 2011. The Regulation can be read

here: http://www.legislation.gov.uk/uksi/2011/1208/contents/made

The UK Government has set out its view on how the law is to be implemented in an

„open letter‟ of 24 May 2011 (see URL below). The letter – drafted in consultation with

the ICO – states that the UK implementation should be “light touch [and] business-

friendly” and concludes that its approach is “good for business, good for consumers

and addresses in a proportionate and pragmatic way the concerns of citizens with

regard their personal data online.”

The ICO‟s most recent guidance can be found at:

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_g

uide/cookies.aspx. The ICO has stated that used within the context of the rules, implied

consent is a valid form of consent (see: http://www.ico.org.uk/news/blog/2012/updated-

ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx) Further guidance may be

published in due course.

IAB Affiliate Marketing Council | Consumer Transparency Framework V1.2 page 13

A Guide for Publishers / Affiliates | May 2013

Further References:

DCMS open letter www.dcms.gov.uk/images/publications/cookies_open_letter.pdf Emphasising the pragmatic, flexible and business friendly approach supported by

the UK Government.

ICO News Release http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx

Affirming the need to take measures to achieve compliance but also recognising the complexities involved especially with third-party cookies.

ICO Half Term Report , December 2011 http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx

Indications are provided regarding the regulator‟s attitude towards enforcement

(“…the Regulatory Action Strategy makes clear that any formal action must be a

proportionate response to the issue it seeks to address”). Whilst enforcement is

not precluded, the level of intrusiveness and risk of harm to individuals appears

likely to be a relevant factor. Likewise, the measures taken to inform users

regarding the use of cookies and their associated choices also appears to be an

important factor in determining whether compliance has been adequately

addressed.

ICO blog: Updated Advice and guidance on changes to the EU Cookie Law (May 2012) http://www.ico.org.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx

A video and blog within information on “implied consent” and answering questions including:

1. How can UK organisations comply with the new cookies changes? 2. Is the ICO concerned that many websites aren‟t yet compliant? 3. What approach will the ICO be adopting to enforcing the amended cookies laws? 4. What are the benefits of complying with the new cookies regulations? 5. What should members of the public do if they are concerned about cookies being placed

on their device? 6. How is the ICO working with web browsers and third party advertisers to ensure they

comply with the changes?