General Data Protection Regulation

Disclaimer

The information provided in this article is for general informational purposes only and should not be construed as legal advice. While we strive to provide accurate and up-to-date information, laws and regulations can change, and the application of the law can vary based on individual circumstances. Therefore, you should not rely solely on the content of this article for making legal decisions. If you have any questions or concerns regarding your specific legal situation, we strongly recommend that you consult with a qualified attorney or legal professional who can provide personalized advice tailored to your needs.

Introduction

The General Data Protection Regulation (GDPR) is the legal framework governing the use of personal data across all markets in the EU and the UK. It is a set of data laws for the digital age designed to give consumers more control over their personal information.

Significantly, organizations that breach the EU GDPR can be fined up to €20m or 4% of annual turnover, whichever is greater. Under the UK GDPR, that amount is £17.5m or 4%.

Due to the importance of complying with the regulations, we want to ensure you receive clear guidance and a consistent message from Rakuten Advertising. At the time of writing in March 2025, the UK GDPR broadly mirrors the EU GDPR, though there are some differences, and more are likely to emerge in the future. This article addresses aspects of the EU GDPR (referred to herein simply as "GDPR") that we believe may be most relevant to the digital advertising industry. However, it is important to familiarize yourself with the full details, as there are many more implications.

Key Rules

You must understand your obligations as a business regarding the GDPR and demonstrate the effort and measures you have taken to comply with the following key rules:

Personal Data

Consumers' personal data sits at the heart of the GDPR. It is defined as any information related to an identified or identifiable living individual. This can be, for example, cookie IDs, customer numbers, IP addresses, and device IDs. These are identifiers that many networks and platforms capture as part of their standard tracking and retargeting efforts.

Advertisers using tracking have an obligation to ensure they are legally compliant with the regulation.

Lawful Basis for Processing Personal Data

Businesses require a lawful basis to process personal data. Six lawful bases are available. In the digital advertising sector, the two most used are consent and legitimate interest.

Legitimate interest is distinct from consent. According to the Information Commissioner's Office (ICO), which is the UK's supervisory authority for the GDPR:

It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

Should a business choose a legitimate interest, it must be confident in demonstrating this as an appropriate lawful basis.

Where consent is considered necessary, the ICO states:

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.

The EU GDPR states:

'Consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Contract is also a legal basis that may be applicable in some cases. It refers to specific contract agreements between a business and its customers or data subjects that allow the business to collect and process personal data.

Learn more about lawful bases.

ePrivacy Directive and PECR

The EU's ePrivacy Directive, or cookie law, is largely associated with banners and pop-ups seen when viewing websites that inform consumers about the use of cookies to track online activity. The Directive also applies to email, SMS, and call marketing consent, which are applicable to some businesses.

The UK's Privacy and Electronic Communications Regulations (PECR) are derived from this Directive.

Both are leges speciales, meaning they govern a specific subject matter that also falls within the scope of the GDPR. As a result, the ePrivacy Directive must be applied where its rules are more specific than those in the EU GDPR, and the PECR must be applied where their rules are more specific than those in the UK GDPR.

The ePrivacy Directive and PECR require controllers to obtain consent for the use of cookies (with certain exceptions) and for direct marketing communications.

The planned revision of the Directive aims to enhance consumer transparency and enforce stricter cookie consent. Consent is essential for "cookies and similar technologies." This means that the ePrivacy Directive and PECR remain in place regardless of which legal basis is used for processing personal data under GDPR rules. Consent for the use of many cookies must be unambiguous, as the GDPR only considers consent sufficient if it is unambiguous. You should assess your consent practices and align them with the regulations.

Industry Consent Solution

Given the potentially significant impact on all forms of online advertising, the industry has collaborated to create general standards and approaches. The Interactive Advertising Bureau (IAB) Europe provides a technical standard for online consent, and industry stakeholders are building a consent tool to ensure GDPR and ePrivacy Directive compliance.

Various options and tools are available online. We advise that you assess solutions to ensure they can be implemented to comply with the regulations.

Loyalty Cookies

The ICO considers a cookie to be “strictly necessary” when the purpose for which it is used is essential to provide the service the subscriber or user requests. Cookies used to track activity referred by loyalty publishers for cash back could therefore be considered “strictly necessary” and would be exempt from the consent requirements outlined by the PECR.

It is up to you and your advertiser partners to arrive at this designation based on the guidelines set forth by the ICO and PECR. You can find more information on the ICO website.

Our Loyalty Exemption Signal allows loyalty publishers to append a parameter to their links that indicates to advertisers’ websites that the user they referred is a loyalty customer for whom cookies are “strictly necessary” and thus can be exempt from consent.

Next Steps

We recommend you take the following actions:

  • Assess how the GDPR impacts your business and document the measures you have taken to comply with the rules.
  • Ensure transparency to consumers and decide on the most appropriate legal basis for collecting and processing personal data from site visitors.
  • Review and assess your privacy policies and cookie notices to provide transparency and upgrade consent capture.
  • Seek your own legal advice.
  • Refer to your individual affiliate networks and platforms for further, specific guidance or requirements regarding GDPR compliance.
  • Sign the data processing agreements (DPAs) sent by Rakuten Advertising.

We are also available to support you through the GDPR process to ensure you comply.

Additional Resources

We recommend you review these links for more information:
