Data Protection: Affiliates and Marketing

In November 2016, the Information Commissioner’s Office revealed that it is looking at more than 400 companies believed to be processing personal data to promote gambling websites and services. This investigation serves as a reminder to operators of the importance of conducting appropriate due diligence when appointing marketing providers and affiliates, and of ensuring that the contract with such providers and affiliates clearly sets out each party’s responsibilities.

One of the key factors for operators to consider when appointing affiliate and marketing providers will be whether:

  1. they will be collecting data about individuals themselves; or
  2. they are processing information provided by the operators.

In the first example, operators should ensure that such collection by marketing providers and affiliates is fair and lawful and in accordance with both data protection and electronic marketing legislation, including applicable guidance and codes of practice. Additional provisions should be included to ensure that consent for marketing is obtained, that opt-out and unsubscribe options are provided (and complied with) and that there are appropriate technical and organisational measures in place to ensure that personal data is kept secure.

In the latter example, operators must include written provisions that marketing providers and affiliates will only process personal data in accordance with the operators’ express instructions. As in the first example, the contract should also ensure that opt-out and unsubscribe options are provided (and complied with) and that there are appropriate technical and organisational measures in place to ensure that personal data is kept secure.

In addition to these provisions, in each scenario we would advise operators to impose obligations on marketing providers and affiliates to notify the operators in the event of a breach of the contract or where a communication is received in respect of personal data or marketing (whether by an individual or a competent regulator).

The steps set out above will not only assist in ensuring that the personal data of customers and prospective customers is treated fairly and lawfully, but will also help operators to strengthen the goodwill in their brand – particularly given the increased interest shown by the ICO in this area.