May 7, 2021

EDPB Guidelines on Targeting Social Media Users: 4 Quick Compliance Tips

EDPB guidelines on targeting social media users published in September 2020 bring new GDPR compliance obligations that social media service providers and targeters need to adopt.  

Before we take a deeper look at the new requirements, the key takeaways you need to know are:

  • You will be considered a joint data controller under the GDPR if you operate in the social media service provider and adtech industries. Joint controllership is when two or more entities participate in determining the purposes and means of a processing operation.
  • You can process personal information for ad targeting based on consent or legitimate interest. Which one applies depends on the purpose of processing.
  • Performance of a contract will no longer be applicable as a legal basis for processing personal data under the GDPR.

The new guidelines follow the rulings made by Europe’s top court, the CJEU, in high-profile cases involving the practice of social media targeting, the notable ones being Wirtschaftsakademie and Fashion ID:

  • In the Wirtschaftsakademie case, the CJEU concluded that the administrator of a fan page hosted on a social network must be regarded as a controller as defined by the Data Protection Directive.
  • In the Fashion ID case, the CJEU ruled that Fashion ID and Facebook Ireland are joint controllers with respect to the collection and transmission of data made possible by the Facebook ‘LIKE’ button plugin on Fashion ID’s website.

The court stated that the means of processing are determined jointly because, even though the plugin is provided and made available by Facebook, Fashion ID added it to its website with full knowledge that it enables the collection and transmission of its website visitors’ data to Facebook Ireland.

Following these judgments, the EDPB guidelines on targeting social media users seek to shed more light on your responsibilities when you handle the personal data of your users while providing a social media service or targeting ads.

The EDPB’s guidelines:

  • Assess the potential risks your ad targeting may pose to the data privacy rights and liberties of your users
  • Review your duties as an advertiser or publisher, in addition to the relevant GDPR legal bases you should comply with when executing certain targeting strategies
  • Give you a summary of the main GDPR requirements and offer clarity on joint control arrangements between social media providers and targeters

Therefore, this article highlights 4 quick compliance tips you need to know to comply with the EDPB Guidelines on Targeting Social Media Users.

Table of Contents

  1. Who needs to comply with the EDPB guidelines on targeting social media users? 
  2. What types of personal data are subject to EDPB guidelines on targeting social media users? 
  3. What are the key requirements of the EDPB guidelines on targeting social media users? 
  4. How to Comply with the EDPB guidelines on targeting social media users 
  5. EDPB guidelines on targeting social media users and Secure Privacy

Who Needs to Comply with the EDPB Guidelines on Targeting Social Media Users?

According to the EDPB, the following entities take part in the targeting process on social media:

1. Social media providers

According to the EDPB guidelines on targeting social media users, you are a social media provider if:

  • you provide a digital platform where users can build networks or communities in which they share personal information and content.

This definition covers any online platform with a social function, from Facebook, Twitter, LinkedIn, and Instagram to online dating sites, video-streaming services, and gaming service providers.

The EDPB notes that social media service providers collect large volumes of personal data about the behavior of their users, both on and outside the platform, which needs to be handled in a way that does not violate the privacy rights of those users.

2. Targeters

The EDPB guidelines on targeting social media users categorize you as a targeter if:

  • by way of microtargeting, you use social media to reach out to users and convey specific messages to them.

The aim of microtargeting is to advance, among others, political or business interests such as increasing brand awareness.

3. Users

Users are persons who either:

  • have user accounts on social media, or
  • have no user account on social media but have partial or full access to the service (for example, watching videos on YouTube without signing in).

4. Other Actors

Depending on the type and structure of the targeting, the scope of the EDPB guidelines on targeting social media users may also be relevant to other actors.

For example, it may extend to participants in the adtech industry such as ad networks and ad exchanges.

What Categories of Personal Data do the EDPB Guidelines on Targeting Social Media Users Apply To? 

The new guidelines from the EDPB on targeting social media users define the categories of personal data that will require you to comply with the GDPR if you decide to use the information for your online targeting activities.

a) Provided data: this is the personal data that a user actively surrenders to you, such as their email address, location, age, or name.

b) Observed data: this is the personal information a user passively gives you by using your social media service, e.g. based on their activity on your website or the devices they use to access your service.

c) Inferred data: if you decide, as a data controller, to generate insights from either the provided or observed data of your users, the resulting insights are described as inferred data.

For example, you may conclude that a user is interested in a specific product based on their behavior on your website or how they interact with other users in your network.

What Did the EDPB Guidelines on Targeting Social Media Users Clarify? 

i). Joint Controllers

The guidelines clarify that you are a joint controller under the GDPR if you are a social media service provider or targeter who:

  • Identifies the audience to be targeted
  • Sets the targeting criteria
  • Shows ads to the target audience and generates programmatic advertising targeting campaign reports

It does not end there. According to the new EDPB guidelines on targeting social media users, in some cases you can be considered a joint data controller even where you do not have direct access to the personal data of your users.

ii) Legal Bases

When it comes to the processing of personal data, the EDPB guidelines on targeting social media users direct that you can only rely on two of the legal bases defined by Article 6 of the GDPR. They are:

  • Legitimate interest 
  • Consent  

Concerning legitimate interest, you should allow your users to reject the display of targeted advertising when they first come to your website, before you start processing their data.

Additionally, you should assure them that you will not process their personal data for ad targeting purposes once they decline to give consent for it.

Concerning consent, the EDPB guidelines on targeting social media users consider it valid if:

  • you give your users control and free choice over being targeted for ads
  • you give your users a way to reject or opt out of targeted advertising without any consequences

If a user gives you consent to process their data for ad targeting, it can only be valid if it is:

  • Specific
  • Active 
  • Informed
  • Unambiguous

You can check out our blog to learn more about the EDPB’s guidelines on valid GDPR cookie consent.

You need to be aware that even where you rely on cookies and other similar technologies for your targeting activities, the cookie consent you receive must satisfy the conditions listed above.

If you process special categories of personal data from a user, such as their race, political views, health status, or sexual preference, you need to comply with an additional legal basis referred to as explicit consent, in line with Article 9 of the GDPR.

iii). Transparency and Data Subject Rights

Since targeters can rely on provided, observed, or inferred user data from social media platforms, there is always a risk that you may end up processing this data in ways your users do not expect.

Similarly, the EDPB guidelines on targeting social media users acknowledge that there is a general lack of transparency about how social media service providers or targeters process some categories of personal data for targeted advertising, and about who should be held accountable.

To ensure you do not violate the EDPB guidelines on targeting social media users, you must make it easy for users to exercise their data subject rights, especially the rights of access, objection, and erasure.

iv) Data Protection Impact Assessments (DPIA)

The EDPB guidelines on targeting social media users clarify that before activating the intended targeting activities, you need to:

  • Evaluate the type of product or service you will be advertising and the kind of personal data you will need for targeting, including whether you will process sensitive personal data.
  • Determine the level of risk your personal data processing activities pose, and whether you need to conduct a Data Protection Impact Assessment (DPIA).

How Do I Comply with the EDPB Guidelines on Targeting Social Media Users?

The Joint Controllership Requirement

As a social media provider or targeter, you must enter into a joint controller agreement that specifies all the obligations and liabilities for all the parties involved in processing your users’ data.

Ensure that this agreement covers all the processing activities for which you are jointly accountable. 

Without a clear and complete agreement, you will end up in trouble with your Data Protection Authority (DPA) for GDPR violations that will result in unnecessary fines for your business. 

The Legal Bases Requirement

As a joint controller, you must determine each purpose for which you process personal data and identify the relevant legal basis for each type of processing individually.

While the GDPR does not stop you from using a variety of legal bases, it is advisable to apply the same basis for a specific targeting strategy and purpose whenever it is practical. 

Overall, you should ensure that:

  • You carry out and document a detailed legitimate interest assessment before processing any personal data from a social media user
  • You have implemented the relevant consent notices and mechanisms for targeting where applicable

The Transparency and Data Subject Rights’ Requirement

To comply with the EDPB guidelines on targeting social media users, you must:

  • Have clear and easily understandable privacy policies
  • Provide clear information to your users about the targeting and its implications for them. Using the word ‘advertising’ alone is not sufficient to alert users that their activities are being tracked for targeted advertising purposes.
  • Inform users whether you will profile them based on their online activities and what kind of personal data you collected to build such a profile.
  • Provide a simple way for users to exercise their data subject rights of access, erasure, or objection under the General Data Protection Regulation. In your joint controller contract you can define who is responsible for handling Data Subject Access Requests (DSARs).

Compliance with DPIA Requirement

To comply with this requirement, you need to evaluate whether conducting a DPIA is necessary before you start any data processing activity. 

Once this is done, you should also determine whether you need to carry out the DPIA alone or whether your joint controller needs to carry it out as well.

Your DPIA needs to:

  • Address any potential risks that may arise from the targeting
  • Document the safety measures implemented to address those risks and secure user data

EDPB Guidelines on Targeting Social Media Users and Secure Privacy

Secure Privacy is the #1 Consent Management Platform (CMP) in the market with powerful and reliable enterprise features that help both social media service providers and targeters comply with GDPR requirements. 

The features you can leverage to comply with the EDPB guidelines on targeting social media users include:

  • Transparency

As your CMP, Secure Privacy helps you generate a GDPR-compliant privacy policy, so that consumers are aware of what data is processed and for what purpose, and know what they are giving their consent to.

Our privacy policy generator also allows you to customize your privacy notices to your unique business.

Adding a privacy policy to your website with Secure Privacy is a breeze. Adding a privacy policy button on your website is equally easy. And if you use Magento and need Magento cookie compliance with a privacy policy, or you use Hubspot, we’ve got you covered.

  • Express Action

Our solution ensures you give your users a way to give consent to the use of cookies based on true choice as opposed to coercing them into accepting their placement, which can attract GDPR fines.

  • Affirmative Consent

Using Secure Privacy as your CMP ensures that cookie consent is provided through affirmative and unambiguous action in accordance with both GDPR and the ePrivacy Directive.

  • Notice

Our solution also ensures that you can send an alert to your users before the initial data processing occurs.

  • Ability to Withdraw Consent

According to the GDPR, you must make it easy for consumers to withdraw consent. Secure Privacy’s Universal Preference Center gives users control over their consent choices and ensures that they can withdraw consent as easily as they gave it.

If you have additional questions or need further clarification, get a free assessment of your website and have all your concerns answered by a data privacy expert by booking a 30-min call.

Alternatively, you can sign up for your 7-day free trial of our IAB-certified CMP.

Learn more about the other EDPB guidelines you may need to comply with:

Schrems II Decision: Privacy Shield Invalid for EU-US Transfers

EDPB Schrems II Guidance: GDPR Data Transfers to Third Countries

GDPR Cookie Consent: The Latest EDPB Guidelines on Cookie Walls

Also, learn about the EU Digital Markets Act (DMA) and its impact on digital markets in the European Union. Understand its benefits, key provisions, and how it compares to the Digital Services Act (DSA). Find out what the DMA means for consumers and businesses and how it will reshape the digital landscape in the EU.