Targeted social media ads: new guidance on doing it lawfully
The European Data Protection Board has published draft guidelines, for feedback, on targeting of social media users.
If you use targeting features offered by social media platforms, it's worth taking a look through these, even though:
- they are draft guidelines, for consulation, and so may change
- they are guidelines, and not the law (and so may "goldplate" the actual legal requirement)
Those lawyerly caveats aside, this guidance is still pretty helpful, in my view.
Here are my key points:
"Targeting" is broad — it's not just uploaded audience lists
The EDPB sets out four different types of targeting:
- Data provided by the user to the social media provider
- for example, profile information or other information disclosed by the user as part of their usage of the platform
- Data provided by the user of the social media platform to the targeted
- for example, Facebook's Custom Audiences system, which relies on the targeted uploading hashed identification lists (based on each targeted user's phone number or email address). This basis would also, in my view, cover "Lookalike Audiences", since the targeter is still uploading data, even though the data are used to determine who else gets to see the targeter's ads
- Targeting on the basis of observed data
- for example, pixel-based targeting, cookie-based targeting, and geo-targeting
- Targeting on the basis of inferred data
- for example, inferred interests, or other characteristics of the user
In other words, almost any type of online targeting is in scope of this guidance.
Targeters and social media companies are "joint controllers"
Many social media companies have set up their operations as the targeter is a controller, and they are merely a processor.
Not so, according to this guidance: in the EDPB's view, the parties are joint controllers in all of the targeting scenarios they discuss.
This is significant:
- as I say, many social media companies offer terms of service which do not align with these. Instead, they adopt a target-as-controller, site-as-a-processor model.
- if social media companies agree with this guidance, expect a change in contractual terms soon .
- if they do, read these through very carefully — you don't want to find that they impose compliance obligations on you which are not expecting, or which do not make commercial sense to you. But, realistically, your chances of negotiating these terms are, in the vasty majority of cases, absolutely zero.
- if the social media company's internal governance is aligned with the contractual positioning as a processor, they might have quite a lot of work to do to make sure that they meet the numerous obligations of a controller under the GDPR.
- joint controllership comes with a specific set of obligations under the GDPR, which will need to be met by both parties — this is something which the targeting companies will need to think about, and not just the social media companies. In particular:
- joint controllers need to have a written "arrangement" (it doesn't have to be a contract; it could be a non-contractual protocol or similar) setting out which company is taking on which responsibilities.
- they need to make the "essence" of this arrangement available to all data subjects.
They do not rule out legitimate interests as the lawful basis. Mostly.
There has been a lot of debate as to whether targeting social media users can be carried out by a controller on the basis of "legitimate interests". Some commentators have been quite insistent that only "consent" is good enough.
In this guidance, the EDPB recognises that both "legitimate interests" and "consent" are potential options. I am emphasising "potential" here, since the guidance — paragraphs 44-49 — set out what the EDPB expects of a controller looking to rely on legitimate interests.
It's not necessarily the easier option that you might be hoping.
In particular, it notes — paragraph 50 — that legitimate interests is not, it its view, always an option:
the controller needs to keep in mind that there are clearly situations in which the processing would not be lawful without the valid consent of the individuals concerned (Article 6(1)(a) GDPR). For example, the WP29 has previously considered that it would be difficult for controllers to justify using legitimate interests as a legal basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering
I say "in its view" because, again, this is just guidance and, ultimately, it will be a matter for the relevant regulator, or even the relevant courts, to determine what is appropriate or not.
However, I would treat this as a clear warning sign, that you should be prepared to have a very robust legitimate interests assessment available, if you intend to rely on legitimate interests as your lawful basis for processing which the EDPB thinks should require consent.
(If you are using cookies as part of your advertising or targeting, you need consent for these. Only consent will do; legitimate interests is not an option.)
Check if you are sufficiently transparent about your targeting
Controllers need to be transparent about their processing activity. The EDPB opines that:
to ensure full transparency, controllers may want to consider implementing a mechanism for data subjects to check their profile, including details of the information and sources used to develop it. The data subject is entitled to learn of the identity of the targeter, and controllers must facilitate access to information regarding the targeting, including the targeting criteria that were used, as well as the other information required by Article 15 GDPR.
(Have a look at our post on privacy notices and transparency.)
Check if you need to do a data protection impact assessment
Organisations need to do data protection impact assessments if they are carrying out processing which is "likely to result in a high risk" to data subjects.
They'll also need to check the relevant regulatory authority's list of identified high profile activities, as DPIAs for those things are mandatory too.
The guidance does not say that DPIAs are needed in every situation, but calls out some specific activities, including products targeted at vulnerable people, which is fair enough.
(Check out our post on data protection impact assessments.)