Social media ad in the GDPR area

This article was written in collaboration with Mojca Zove at Super Spicy Media.

Big ad platforms like Facebook and Google are in their final stretch to roll up their privacy friendly policies.

Facebook ads system

In this article we’ll focus on Facebook Ads platform since it’s widely used amongst Saas business.

On the one hand, you can publish ads using Facebook interests to target people by interest, demographic, and other categories that Facebook provides.

In this case, you’re using data Facebook collected from its platform, not your own, so you don’t need to worry about GDPR at this point.

Facebook is the data controller— and you’re using the service as a client.

Using Custom Audiences

If you’re an advertiser that takes full advantage of the features Facebook Advertising platform offers, you’re probably using Custom Audiences and uploading your list of contacts to the system.

Here you are the data controller and you should check if the processing you’re undertaking has a legal ground.

Let’s be straightforward there are only two grounds you can rely on:

1. consent,
2. in some case: legitimate interest.

Under GDPR most marketing activities rely on consent.

You must inform people what you are doing with their data, ask for their permission to use the collected data and to disclose it to other services (which is what you do when you upload a list of contact in your Facebook Ad Manager), and give them a way to withdraw their consent at anytime.
In addition, these people can ask you to access, rectify or delete their data.
In the case of deletion, you must ask Facebook to remove them from your custom audiences.

Removing data from custom audiences

As soon as you are collecting contact data from a person and are intending to use these in a Facebook custom audience, you must present a way to:

1. ask for their consent (contacts data to be disclosed to FB)
2. inform of their rights ( link to your privacy policy)

This is for the public facing part.

On the back-end, you’ll want a timestamp recorded for the consent, along with a reference or a version of the form used for the consent and the link to the version of the privacy policy.
Yes, this means that you can’t sneak your newsletter subscribers data to Facebook without getting their approval to do so.

Facebook consent tool

Facebook is working on a tool —soon to be released— to make sure that you have consent from the people whom you’re uploading data.

However, regarding your customers, you may rely on the legitimate interest legal ground.

Customers and legitimate interest

This is one of the cases described by the DPN in its document

As a matter of fact, since you’re in a customer/ vendor relationship, you customer can reasonably expect that you’ll be advertising to her through social media. But, relying on this legal ground means further investigation on your side and additional rights on your customer side.

On your side you must balance your interests against your customer interest and yours must not override his. This means conducting a Legitimate Interest Assessment.

And this gives your customer two more rights: the right to object to the processing and the right to ask to stop the processing.

So, we’ve covered the contacts data you upload to Facebook Ad Manager.

Facebook pixel

Now, what about the data you disclose through the Facebook Pixel?

Cookies, trackers, beacon, fingerprinting and any other browser stuff which send data through a person’s browser are also covered by the GDPR.

One can argue that since this is the browser’s behavior, you’re not responsible.

But you are the one who embeds the code in your web page to make the browser load the tracker and broadcast pieces of information.

So back to square one: you need consent.
And no, the stupid cookie banner is not sufficient.

The WP29 has made it clear that the consent must be freely given, for a specific purpose, asked in an easily accessible form in clear and plain language and as easy to withdraw as it was given.
In conclusion, you must wait for the consent of your visitor before setting any cookie/tracker in his/her browser.

Advanced Matching

Another point you may want to check: advanced matching
A facebook Pixel can collect and transfer a lot of data to Facebook, such as an email, name, telephone number, etc.
Although this data is hashed before being transmitted to Facebook, you should still inform people that you are doing so.

In conclusion:

Facebook is a very powerful tool to reach people. But that does not give you a free pass ​​to do what you want with other people’s data.

Be mindful of what you do, evaluate the consequences for privacy and give people information.

Also, Facebook has been very actively preparing for the GDPR; a lot remains to be seen and surely the EDPB will continue to publish recommendations and guidelines along with continuing scrutiny on Facebook and Google doing.