What do I need to know about GDPR and ShopStyle Collective?
- What exactly is GDPR?
- Does GDPR affect me?
- Updated ShopStyle Collective terms of service and its requirements
- When is consent required for EU end-users?
- What do I have to do to be compliant with GDPR?
- Retailer Changes for the EU
This guide does not constitute legal advice: You should seek your own legal counsel on your responsibilities under the GDPR.
1. What exactly is GDPR?
GDPR is a regulation from the European Union that came into effect on May 25, 2018. It covers the management of personal data and privacy for any European user. Find out more here.
Think about GDPR from your visitor’s perspective and it basically breaks down into two concepts: transparency and control. You need to give your visitors transparency about what personal data you are collecting, what you are doing with it, and whether you are sharing it (and with whom). And you need to allow them control over what you can do with their personal data (that is, let them decide to what level they are comfortable with you using their personal data). If you get these two things right, you are on the path to GDPR compliance.
2. Does GDPR affect me?
We anticipate that you will be GDPR-compliant by May 25, 2018 if you reside in the EU and/or have any EU traffic. This involves a number of changes to your blog.
3. ShopStyle Collective Terms of Service Update
We updated our terms of service on May 14, 2018. You can read the updated terms policy here (Section 14 covers Data Regulations and GDPR).
- Data Regulations. You shall take all necessary and proper measures to protect personal privacy on your Creator Properties, including, without limitation, making all appropriate privacy and data collection and/or data usage disclosures in accordance with Applicable Laws. You will comply with the obligations under applicable data protection, privacy or similar laws that apply to data processed in connection with this Agreement. If your Creator Properties include visitors from the European Union (“EU”), you will comply with any regulations implementing the Data Protection Directive 95/46/EC and the Privacy and Electronic Communications Directive 2002/58/EC (collectively, “Data Regulations”). You shall obtain prior, freely given, specific and informed consent from any visitors to your Creator Properties that cookies are being served by ShopStyle on the visitors who click through the Authorized Links on your Creator Properties. You will cooperate with ShopStyle as reasonably requested to enable the compliance with this Section.
4. When is consent required for EU end-users?
In the interests of transparency, the GDPR requires you to obtain user consent for some processes related to the user’s personal data. Please see below for common examples of where this is required.
(a) Cookies: For EU end-users, consent is always required for the use of any cookies (except strictly necessary ones). This is an existing requirement of the ePrivacy Directive, for which creators have historically used “cookie banners”. However, with GDPR in force, the consent requirements for placing cookies fall under the new, stricter standards. You should check to see if your cookie banner sufficiently meets GDPR requirements. For more information on consent requirements, please click here.
(b) Affiliate links: If you are using ShopStyle Collective/affiliate links, there are times when consent is required to be granted by EU end-users to capture their data. Some major affiliate networks require GDPR consent for affiliate links, and if consent is not captured, a link may not be tracked and potential commissions will be lost. Other affiliate networks do not require additional consent for affiliate links.
5. What do I have to do to be compliant with GDPR?
If you don’t have a way of capturing consent, there are several free and paid consent tools out there for you. These tools display pop-up boxes to capture GDPR consent when an end-user visits your blog, and you can install them just like a ShopStyle Collective widget by adding a line of code to your blog.
We recommend Quantcast Choice. It is free, GDPR-compliant and has no catch for using their tool (we have no commercial relationship with Quantcast).
Once you set up your consent tool, you will need to choose which “purposes” you get consent for.
If an end-user grants consent, this is usually stored for 12 months, so the request does not need to happen again before then (unless the end-user deletes their cookies or withdraws consent).
6. Retailer Changes for the EU
As of May 25th, 2018, Macy’s will suspend their EU affiliate relationships and will no longer be available to our EU creators. This also means that any transaction originating in the EU will not be commissionable.
Nordstrom is currently working through GDPR compliance and will not be available to EU creators until further notice. This also means that any transaction originating in the EU will not be commissionable. Nordstrom is hoping to resolve this quickly and we will continue to update you.