What Does GDPR Mean for Facebook Advertising

GDPR, you may not know what it stands for, but you have most likely heard it a million times in the last couple months and know that it is important. GDPR stands for General Data Protection Regulation and it is going to be changing things up in the digital world.  In this blog post we will be covering everything you need to know for GDPR in regards to Facebook advertising. If you are looking for how GDPR will be affecting your website, check out this blog.

Before we get into the nitty gritty effects that GDPR will have on Facebook, lets go over what GDPR is in general.

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union. Although the regulation was passed in the EU, it still has effects on the rest of the world because the internet is not bound to government borders. If you are collecting information of a citizen of the EU, you are responsible to follow these regulations regardless of where you live. Due to the widespread effect, platforms such as Facebook are going to be making changes as well to ensure they are compliant.

GDPR’s Effects on Facebook:

In Facebook’s press release, they claim throughout the process of becoming GDPR compliant they are going to be focusing on 3 main pillars. They are going to be committed to Transparency, Control, and Accountability.  They go on to explain how they will execute on these 3 pillars:

Transparency:

“Our Data Policy defines how we process people’s personal data. We’ll provide education on our Data Policy to people using Facebook Company Products. We’ll do this through in-product notifications and consumer education campaigns to ensure people understand how their data is being used and the choices they have.”

Control:

“We’ll continue to provide people with control over how their data is used. We’ve launched a new control center to make privacy settings easier to understand and update. We also remind people as they use Facebook about how to view and edit their settings.”

Accountability:

“We have Privacy Principles that explain how we think about privacy and data protection. We have a team of people who help ensure we are documenting our compliance. Additionally, we meet regularly with regulators, policymakers, privacy experts and academics from around the world to keep them apprised of our practices, get feedback and continue to improve how we protect personal information.”

So that is what Facebook is committing to while making their business GDPR compliant, but what does that mean for the advertiser? Well, they go on to explain a very important concept in this whole relationship. The concept is the “Data Controller v. the Data Processor”.

Data Controller

A company is a data controller when it has the responsibility of deciding why and how (the ‘purposes’ and ‘means’) the personal data is processed.

• Under the GDPR, data controllers have to adopt compliance measures to cover how data is collected, what it’s used for and how long it’s retained. They also need to make sure people can access the data about them.
• Data controllers must ensure data processors meet their contractual commitments to process data safely and legally.

Data Processor

A company is a data processor when it processes personal data on behalf of a data controller. Under the GDPR, data processors have obligations to process data safely and legally.

While Facebook operates the majority of our services as a data controller, there are some instances in which we operate as a data processor when working with businesses and other third parties. When Facebook processes data on an advertiser’s behalf, the advertiser must have an appropriate legal basis for Facebook to process this data.”

The “instances” that they refer to as the Facebook Advertiser being the Data Controller and Facebook being the Data Processor are what will be affecting Facebook Advertising.

The main thing that will be affected our Custom Audiences. If you capture an email in a custom audience for Facebook, the user has to be notified that their information will be captured and used for remarketing on Facebook. If the user has not been notified prior to May 25th, 2018 the user information will have to be deleted from your Custom Audience that you are marketing to. Also, moving forward Facebook is in the process of developing a Custom Audiences Permission Tool that will require you to provide proof that you acquired consumer intent.  

Another thing that will be impacted is the Facebook Pixel. This one is a pretty simple fix. You simply have to notify consumers on your website that you are collecting data to be remarketed on Facebook.

The final thing that will be directly impacted by GDPR is Facebook Lead Forms. This one is a little more tricky because according to Facebook, “In the case of lead ads, both Facebook and the business are data controllers, thus, both parties are responsible for ensuring compliance.” This simply means, that both Facebook and the Advertiser need to let prospects know that you are collecting their data. This should be relatively easy to implement because you are able to put your privacy policy within Lead Form Ads, which should be updated to be GDPR compliant anyways.

Closing Thoughts

If you have any online presence associated with the EU, it is imperative that you are GDPR compliant by May 25th, 2018. If you don’t do any business in the EU, it is only a matter of time before this rolls out as a global trend. I would suggest getting ahead of it now. The work to put in is not outrageous and the pain it will save you if you get caught breaking regulation will be tremendous. The fees associated with not being compliant are hefty and you also do not want to be on the wrong end of data privacy news. It is not a good look for your brand.