GDPR (General Data Protection Regulation) aims to strengthen data privacy and data protection for individuals in the European Union (EU) and must be followed by all companies that have customers in the EU, wherever the company itself is located. GDPR applies from May 25th, 2018, so if you have EU customers you need to be compliant.
Yes. FirstPromoter achieved compliance with GDPR prior to May 25th, 2018.
One of the biggest changes introduced by GDPR is the requirement to have a lawful basis, in most cases explicit consent, for processing and storing personal data. In the next paragraphs we explain how FirstPromoter tracking works and when consent is required.
FirstPromoter does the tracking in three steps:
We will examine these three steps individually and explain how and if they are affected by GDPR.
When someone clicks on a referral link, our script sends the referral ID (taken from the link) and a randomly generated visitor ID to our server. After the visitor ID is registered successfully, we set a cookie containing that ID. This is a first-party cookie set on your own domain, NOT a third-party cookie (like the ones set by Facebook or ad networks), so you can handle consent for it just like you handle all your other cookies (your own cookies, Google Analytics cookies, etc.). You should add the FirstPromoter cookies _fprom_track, _fprom_code and _fprom_signup to your cookie policy.
We DO NOT STORE the IP address of the visitor or any other personally identifiable data at this step. The random ID used to track the visit cannot be associated with any individual (directly or indirectly) until they sign up to your service and the signup is tracked by FirstPromoter (at which point you should already have their consent). If the visitor does not sign up, that visitor record remains anonymous, so it is not subject to GDPR.
If an affiliate cookie is set (the visitor clicked a referral link) and you have implemented our signup tracking script or signup Tracking API, then when a signup occurs FirstPromoter receives some information about the lead (or user) that generated it. By default this consists of the visitor ID (saved in the cookie), the IP address (used only for fraud analysis), the email (optional) and another identifier called "uid".
In this case FirstPromoter works like any other data processor you use (CRM, marketing automation tools, etc.). Assuming the user gives you consent to process their data (including processing by third-party data processors) when they sign up for the trial or make a purchase, there are no other steps to take.
Note: We DO NOT send any emails, social media messages or other notifications to the leads registered in FirstPromoter. We also DO NOT SHARE or RESELL the data we store about the leads to any third parties.
Alternatively, you can avoid sending us the email address associated with the user if it is not required by your affiliate program setup. You can send only the "uid" (without the email), which is the identifier required to track the sales and commissions generated by that customer.
If you already have data processing consent from the user on signup (see the previous step), this step does not require any further consent from the user. We do not store any other personal data besides the data sent when the user signed up. We do store the order/charge ID, the sale amount and the calculated commission, but this information is not subject to GDPR.
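The three steps above boil down to two things you control as the site owner: whether the first-party tracking cookies may be set at all (your consent banner), and how much of the customer's data you forward at signup (data minimization: uid only, email optional). The snippet below is an added example, not FirstPromoter's own script or API: it parses a document.cookie-style string, decides whether tracking may load from a consent object (assumed here to have an `analytics` flag), builds Set-Cookie values that expire the three cookies when consent is withdrawn, and assembles a signup payload that sends the email only when explicitly enabled. The payload field names `tid`, `uid` and `email` are assumptions for illustration.

```javascript
// Added example (not FirstPromoter code): consent-gated handling of the
// first-party tracking cookies and a data-minimizing signup payload.
// Runs in Node or a browser; no network calls are made.

// The three first-party cookie names named in the cookie policy section.
const FPROM_COOKIES = ["_fprom_track", "_fprom_code", "_fprom_signup"];

// Parse "a=1; b=2" (the document.cookie format) into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Tracking is allowed only when the consent object your banner stores has
// the relevant category switched on. The {analytics: true} shape is an
// assumption; map it to whatever category your banner uses.
function trackingAllowed(consent) {
  return Boolean(consent && consent.analytics === true);
}

// Set-Cookie values that expire the given cookies. Because they are
// first-party cookies, your own site can delete them; the Domain attribute
// must match the one used when the cookie was set, so it is only added if
// you pass it.
function expireTrackingCookies(domain, names = FPROM_COOKIES) {
  return names.map((name) => {
    const attrs = [`${name}=`, "Max-Age=0", "Path=/"];
    if (domain) attrs.push(`Domain=${domain}`);
    attrs.push("SameSite=Lax", "Secure");
    return attrs.join("; ");
  });
}

// Decide what to do on page load or on a consent change: either load the
// tracking script, or (if consent is absent/withdrawn) clear any tracking
// cookies that are already present.
function applyConsent(consent, cookieString, domain) {
  const present = FPROM_COOKIES.filter((n) => n in parseCookies(cookieString));
  if (trackingAllowed(consent)) {
    return { loadTracking: true, clearCookies: [] };
  }
  return {
    loadTracking: false,
    clearCookies: present.length ? expireTrackingCookies(domain, present) : [],
  };
}

// Server-side signup payload with data minimization. The visitor ID comes
// from the _fprom_track cookie; the customer's uid is always sent; the
// email is sent only when opts.includeEmail is true. Field names are an
// assumption for illustration, not FirstPromoter's documented API.
function buildSignupPayload(cookieString, customer, opts = {}) {
  const visitorId = parseCookies(cookieString)._fprom_track;
  if (!visitorId) return null; // no referral cookie: nothing to attribute
  const payload = { tid: visitorId, uid: customer.uid };
  if (opts.includeEmail && customer.email) payload.email = customer.email;
  return payload;
}

// Constructed sample input for a stand-alone run.
const sampleCookies = "session=xyz; _fprom_track=v_9f3a; _fprom_code=john";
console.log(applyConsent({ analytics: false }, sampleCookies, "example.com"));
console.log(buildSignupPayload(sampleCookies, { uid: "cus_123", email: "a@b.c" }));
```

In a browser, `applyConsent` would be wired to your consent banner's change event: when `loadTracking` is true, inject the tracking script tag; otherwise write each string in `clearCookies` to `document.cookie`. Server-side, call `buildSignupPayload` with the request's Cookie header once the user has accepted your terms, and keep `includeEmail` off unless your program setup actually needs the address.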
There are three types of entities we store personal data for:
* for all three parties we also store the IP address for fraud analysis and data security to:
We take data protection and security very seriously at FirstPromoter. We constantly monitor for security flaws and unauthorized access and will act immediately if anything suspicious is detected. In the unlikely case of a data breach, we will notify all of our customers within 72 hours of the breach being detected.
Some of the preventive measures we take include:
All GDPR individual rights requests are handled by the FirstPromoter team. We already have API endpoints and functions in the UI that cover most requests; however, we also have a dedicated web form, found here, where users can exercise their GDPR rights, including:
We act as a data processor for our customers (see "Information we hold"), which means we must provide a signed Data Processing Agreement (DPA) on request. If you are a customer (paid user) of FirstPromoter and you need the DPA, please contact us via the Intercom chat widget (bottom right) and we'll send it to you as soon as possible.
We also requested and signed DPAs with our sub-processors and made sure they are GDPR compliant.
We updated our privacy policy and cookies policy to be GDPR compliant. We also added cookie consent plugins to our website to make sure we store cookies only after consent is given.
As you probably know, FirstPromoter can send notification and engagement emails to your promoters (affiliates, partners and/or brand ambassadors) on your behalf, based on the rules you set. Even though these emails could be considered non-marketing, we decided to add a marketing consent checkbox to the signup forms and a "marketing_consent" parameter to the Promoters API.
Since you are the data controller, you are responsible for obtaining this consent or for deciding whether it is required at all. We give you the option to disable this checkbox if you consider the consent unnecessary, in which case the emails are sent as usual (with the promoter still able to opt out).
This field is not added by default to the signup forms of existing campaigns (created prior to May 23rd, 2018), so for campaigns created before this date you need to log in to FirstPromoter, go to Campaigns > Configure promoter dashboard > Signup page and check the "Marketing consent" checkbox in the "Required fields" section. In the "GDPR & Marketing Consent" section you can edit the label of the checkbox and include a link if required.
From the same place you can enable the "Affiliate privacy and terms of service agreement" checkbox. As with the marketing consent checkbox, you can edit the checkbox label and link to your own affiliate terms and privacy pages (these documents are not provided by us).
Besides many internal changes, increased security and the ones already presented, there are two other major changes we made to help with GDPR compliance: