If you’re based in, or advertise to users, in Europe, then the General Data Protection Regulation (GDPR) will affect how you create and publish ad campaigns in Facebook. Being one of the most popular advertising platforms, Facebook has been doing a lot in order to stay in front of the legislation that will change how so many people use their software. It’s important that you as the advertiser understand how this will change how you create audiences, store data, and target prospects.
What is the GDPR?
It is a regulation approved by the European Parliament in 2016. There has been a grace period of two years in effect, and that grace period ends May 25, 2018. What the GDPR does is force businesses to be more transparent about collecting and processing personal data from Facebook users. In addition, it will require that users give express consent in order for their personal data to be harvested and stored.
This gives users a lot more power and view into how businesses store and use their personal data. Failure to comply with the GDPR will result in sizable fines (€20 million or up to 4% of a company's global annual revenue, whichever is greater).
Disclaimer: This website and blog post is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how some companies have addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding. We encourage you to speak to an attorney for your specific situation.
What is Facebook doing about it?
Due to the heat of the recent Cambridge Analytica scandal, Facebook is being rather cooperative with this law and stressing three different topics: control, transparency, and accountability.
What that means is that Facebook is going to make it easier for people to know exactly what the social platform knows about them and how it uses that data. They will also be allowing people to understand what Facebook knows about them in regards to what they share, watch, and type within their accounts. In addition, Facebook will be regulating how businesses that advertise on Facebook utilize that user data. This is where you come in.
What do you need to do about it?
As an advertiser, just use Facebook’s example and aim to do everything that they are doing (these are requirements anyway, so you’ll need to regardless of whether you want to).
You’ll need to let your prospects know what you’re collecting from them, what you’re doing with that data, and who else will see the data collected. If you’re using the Facebook ad engine, this will be done for you. But if you’re creating Custom Audiences, or using a Facebook Pixel then you’ll need to ensure GDPR compliance. To learn more about how to be compliant, visit the EU’s Frequently Asked Questions page.
Not to scare you, but if you fail to comply you can’t just point a finger a Facebook. They state in their policy that, “Each company is responsible for ensuring their own compliance with the GDPR.”
What about the Facebook Pixel?
This is where you’ll need to acquire consent if you’re collecting data from your prospects. Examples of these, in Facebook’s “Guide to Consent,” include:
Acquiring consent isn’t rocket science, you’ll need to choose which would be the most effective way for your website to be compliant. Common approaches to this are the “cookie banner,” a prominent message that is displayed when the page loads for the first time. Or, you can obtain consent using a “registration flow,” when users have to create an account and accept terms of use before using the website or app.
But Facebook owns Instagram, so what about them?
Well, it’s no surprise that everything you post to Instagram will now also be required to be GDPR compliant at all times. Since Instagram’s only targeting feature is baked-in, you won’t have to do anything extra to post on this platform. Instagram will take care of that for you.
Even though this is a good start on being GDPR compliant, we urge your company to visit the links above and also to reach out to your legal team to thoroughly understand the regulations going into effect later this month and to brainstorm how your particular business will need to adapt to move forward.
Austin Walker