A version of this post first appeared on WordStream
If you’re based - or advertise to customers - in Europe, there’s a good chance you’re familiar with the General Data Protection Regulation (GDPR). Since Facebook is one of the world’s most popular advertising platforms, they felt it necessary to put together a release regarding how advertisers (you) can use their data moving forward and - more importantly - how these sweeping protections will impact the way we use Facebook to create audiences, store data, and target prospects.
But Facebook is a little different from your average Spanish law firm or Lincoln, Nebraska-based SaaS company looking to advertise to prospects in one of the European Union’s 28 member countries. That’s because Facebook is at once a data controller (it handles personal data) and a data processor (it processes personal data on behalf of other data controllers). Odds are, your business only falls into bucket A, but that doesn’t mean you’re off the hook.
Today, we’re going to dive into Facebook’s latest release regarding GDPR compliance and, most notably, what it means for the 3 million-plus businesses that advertise on Facebook. First, though, a bit about the GDPR.
What Is the GDPR?
According to its own website, the GDPR is "the most important change in data privacy regulation in 20 years."
Basically, if you’re based in the EU or you "offer goods or services to, or monitor the behavior of, EU data subjects," the GDPR will force you to be more transparent regarding the kinds of personal data you collect and what you do with it. Furthermore, prospects must give their expressed consent in order for you to harvest and utilize that data. No tomfoolery. No shenanigans. Only the utmost transparency.
As you can imagine, this gives consumers waaaay more power over their personal data. It also bolsters their rights to know about breaches, to see exactly what you know about them on demand, and to be “forgotten.” If they don’t want you to have their data, you must respect their authority. Failure to comply will result in lofty fines (like, 4% of global annual revenue lofty).
Businesses the world over have been scrambling to become GDPR compliant before the regulation takes effect on May 25, 2018. Facebook is one of those businesses.
What Does Facebook Have to Say?
Unless you’ve been living under a rock for the last month or so, you’re well aware of Facebook’s recent woes regarding the handling of user data. As such, they’re making a concerted effort to be transparent and proactive in regard to GDPR protections.
Per the aforementioned Facebook release, the social network’s GDPR preparations are focused on three cornerstone commitments: transparency, control, and accountability.
While that sounds vague and buzzwordy, in reality it’s pretty straightforward: Facebook is going to make it easier for people to figure out what Facebook knows about individuals based on the data they share on their Facebooks, and they’re going to make a concerted effort to care a bit more about how other entities - namely advertisers - handle said data. Woo!
With that, here are some of the key ways in which Facebook’s response to the GDPR - and thus, the GDPR itself - will impact you as an advertiser.
The Responsibility of Each Advertiser Is…
To do exactly what Facebook’s doing!
You need to inform your prospects about the kinds of data you’re collecting, what you’re doing with it, and who else will see it. Now, if you’re using Facebook’s baked-in targeting methods, you don’t need to worry about much here; things are a little different in the event you’re using Facebook Pixel or Custom Audiences (more on that in a minute). You can learn more about how to become GDPR compliant (or learn the answers to more nuanced questions) on the EU’s FAQ page, but it boils down to this:
You need to ensure “a relevant legal basis (for example, consent, contractual necessity or legitimate interests)” for your use of consumer data.
In the event you’re non-compliant come May 25th, don’t try to pass the buck off to Facebook. As they clearly state, "Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with the laws that apply to them today."
Will The Facebook Pixel Be Impacted?
Per Facebook, anyone using a Facebook Pixel "will have obligations under the GDPR." In their "Guide to Consent," Facebook lists examples of instances where you might need to obtain consent from prospects such as...
- Retail websites that collect data about the products people view for the purposes of ad targeting
- Facebook advertisers who install Facebook Pixel to measure ad conversions or retarget prospects on Facebook
Acquiring consent is pretty simple. You need to tell people on your site what, how, and why you track their data, and they need to agree to it. This can happen through the use of a cookie bar (sounds like some sweet-toothed hipster mecca) or by requesting consent at sign-up, à la Facebook:
For more information on this and GDPR compliance, I strongly recommend visiting the EU and Facebook links above, respectively.
What About Instagram?
The other day, I heard the following statistic float out of a gaggle of WordStreamers sauntering past my desk. "60% of people don’t know that Instagram is owned by Facebook." If you previously fell into that massive group, you can officially count yourself among the informed. Congratulations!
And since Facebook owns Instagram, Instagram will be as GDPR compliant as Facebook is at all times. You don’t need to do anything extra in order to use Instagram ads or acquire additional consent to leverage consumer data as a targeting method on the photo-centric platform. The same goes for Messenger and WhatsApp.
An Extra Step for Custom Audiences
This is where things get tricky. Time to revisit that whole “data controller vs. data processor” thing.
When you place the Facebook Pixel on your site, Facebook - not your business - is the data controller; this means that they are responsible for informing your prospects of the fact that their personal data is being processed and leveraged as targeting across their various properties.
Conversely, when you upload a custom audience to Facebook using a data file, Facebook is merely a data processor. As such, you will be responsible for complying with GDPR standards before that information is uploaded to Facebook for use as a targeting method.
Facebook is in the process of developing a Custom Audiences permission tool that will require you to provide proof (it isn’t currently known what "proof" entails) that you acquired consent. We’ll update you with more information when it’s officially released.
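The two consent situations above (gating the Pixel behind a cookie-bar choice, and vetting a Custom Audience file before you upload it, since you are the controller of that file) can share one consent check. The following is an added example, not code from the original post and not Facebook’s own tooling. Everything in it is an assumption for illustration: the shape of the stored consent record (a policy version, a timestamp, and per-purpose flags), the one-year expiry, and the injected `loader` callback that stands in for the real Pixel snippet (in a browser it would add the script tag and call `fbq('init', ...)` / `fbq('track', 'PageView')`). The contact list is constructed sample data.

```javascript
// Added example (not from the original post or from Facebook): a consent
// gate for a tracking pixel plus an audience-file filter built on the same
// check. Record shape, expiry window and loader callback are all assumptions.

const CONSENT_POLICY_VERSION = 2;                     // bump when the privacy notice changes
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // re-ask after a year

// True only when a record exists, was given under the current policy version,
// has not expired, is not dated in the future, and explicitly grants `purpose`.
// Anything missing or malformed counts as "no consent" (fail closed).
function hasConsent(record, purpose, now = Date.now()) {
  if (!record || typeof record !== 'object') return false;
  if (record.version !== CONSENT_POLICY_VERSION) return false;
  if (typeof record.timestamp !== 'number') return false;
  if (now < record.timestamp) return false;                    // future-dated: treat as invalid
  if (now - record.timestamp > CONSENT_MAX_AGE_MS) return false;
  return record.purposes != null && record.purposes[purpose] === true;
}

// Builds a consent record from the choices a visitor made in the cookie bar.
function recordConsent(choices, now = Date.now()) {
  return {
    version: CONSENT_POLICY_VERSION,
    timestamp: now,
    purposes: {
      necessary: true,                         // strictly necessary, never asked
      marketing: choices.marketing === true,   // pixel, retargeting
    },
  };
}

// Hands control to the pixel loader only when marketing consent is on file.
// `loader` is injected so the gate can run without a DOM; the real one would
// append the Pixel <script> and call fbq('init', ...) / fbq('track', 'PageView').
function loadPixelIfConsented(record, loader, now = Date.now()) {
  if (!hasConsent(record, 'marketing', now)) {
    return { loaded: false, reason: 'no marketing consent' };
  }
  loader();
  return { loaded: true, reason: 'consent on file' };
}

// For a Custom Audience upload the advertiser is the controller of the file,
// so drop every contact whose consent record fails the same test before the
// file is exported. `contacts` is an array of { email, consent }.
function filterAudienceForUpload(contacts, now = Date.now()) {
  const allowed = [];
  const rejected = [];
  for (const c of contacts) {
    if (hasConsent(c.consent, 'marketing', now)) allowed.push(c.email);
    else rejected.push(c.email);
  }
  return { allowed, rejected };
}

// Constructed sample data for a stand-alone run (fixed clock for reproducibility).
const NOW = 1700000000000;
const fresh = recordConsent({ marketing: true }, NOW - 1000);
const declined = recordConsent({ marketing: false }, NOW - 1000);
const stale = { ...recordConsent({ marketing: true }, NOW - 1000), version: 1 };
const expired = recordConsent({ marketing: true }, NOW - CONSENT_MAX_AGE_MS - 1);

const SAMPLE_CONTACTS = [
  { email: 'a@example.com', consent: fresh },     // valid
  { email: 'b@example.com', consent: declined },  // said no
  { email: 'c@example.com', consent: stale },     // older policy version
  { email: 'd@example.com', consent: expired },   // older than a year
  { email: 'e@example.com', consent: null },      // never asked
];

let pixelLoads = 0;
console.log(loadPixelIfConsented(fresh, () => { pixelLoads++; }, NOW));
console.log(loadPixelIfConsented(stale, () => { pixelLoads++; }, NOW));
console.log('pixel loaded', pixelLoads, 'time(s)');
console.log(filterAudienceForUpload(SAMPLE_CONTACTS, NOW));
```

The design point is that the same `hasConsent` predicate answers both questions, and that every way a record can be wrong (absent, declined, given under an older notice, older than the window, or dated in the future) resolves to "do not load, do not upload" rather than to a default of yes.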
Lead Ads Are A Tricky Proposition
Facebook Lead ads are a fantastic business tool; in some accounts, they’re the most powerful weapon in your advertising arsenal.
As such, they come with their own very special red tape!
Per Facebook, "In the case of lead ads, both Facebook and the business are data controllers, thus, both parties are responsible for ensuring compliance." How fun!
For any business attempting to reach prospects in the EU, ensuring GDPR compliance across the board is necessary. And while you aren’t required to extend the same courtesy to prospects in the US, doing so would go a long way toward assuaging the privacy-related concerns of your potential customers (and help your business avoid a month like Facebook just had).