GDPR for Facebook Ads

GDPR (General Data Protection Regulation) comes into force May 25th 2018, and here we look at how it relates to Facebook, Facebook Messenger and Instagram ads, and the potential impact on marketers. 

Remember, these are just some best practice ideas, and you should always seek advice from your legal counsel on the correct approach for your business.

The ICO also has detailed guidance on staying compliant.

GDPR - The Background

In the majority of cases, as a brand you will be deemed a Data Controller. This means that, under GDPR, you will have to demonstrate:

  • how the data is collected
  • what exactly you are using the data for
  • that people have explicitly agreed to you holding and using their data
  • how long it will be held on record for
  • that you give people the ability to easily opt out
  • that people have the right to access the data that you hold on them

While Facebook provides you with the tools to reach your audiences on the platform, generally it is you, the advertiser, that has responsibility as the Data Controller.

Conversely, a Data Processor handles personal data on behalf of a Data Controller. In the majority of cases, this will be Facebook, or tools like Driftrock if you use them.

You are the Data Controller for your Facebook Custom Audiences, and therefore you have responsibility for their collection and use. Facebook, in turn, is the Data Processor, in that it provides the tools to enable you to process these audiences on its platform.

Facebook Audiences and GDPR

With a wealth of targeting available, each different Facebook audience type is classified differently under GDPR.

There are audiences that rely on your own first-party data, pulled from your CRM. Then there is audience data that Facebook makes available to advertisers 'out of the box'.

Below are various Facebook, Facebook Messenger and Instagram targeting methods, and how we believe they currently relate to GDPR. 

However, make sure you also check Facebook's own guidelines on GDPR for Businesses. 


Facebook Custom Audiences

  • Data Controller: YOU
  • Data Processor: Facebook
  • Responsibility for Data: YOU
  • Solution ideas: Automatically sync custom audiences from CRM, using a tool like Driftrock Audiences. Opt-outs from your CRM are automatically removed from Facebook custom audiences.

Facebook Lookalike Audiences

  • Data Controller: YOU
  • Data Processor: Facebook
  • Responsibility for the seed audience data and consent: YOU
  • Solution: Automatically sync custom audiences from CRM, using a tool like Driftrock Audiences. Opt-outs from your CRM are automatically removed from the Facebook Custom Audiences that are used to build your Lookalike.

Facebook Detailed Targeting

  • Data Controller: Facebook
  • Data Processor: Facebook
  • Responsibility for Data: Facebook
  • Solution: No action required

Instagram

  • Data Controller: YOU (unless you are using detailed targeting)
  • Data Processor: Facebook
  • Responsibility for Data: YOU
  • Solution: Automatically sync custom audiences from CRM, using a tool like Driftrock Audiences. Opt-outs from your CRM are automatically removed from Facebook custom audiences.

Facebook Analytics

  • Data Controller: YOU
  • Data Processor: Facebook
  • Responsibility for Data: YOU
  • Solution: Facebook Analytics allows you to use User IDs to identify users, and therefore also to remove them. It's worth taking a look to see how you can use these features.

Facebook Lead Ads

  • Data Controller: YOU
  • Data Processor: YOU
  • Responsibility for Data: YOU
  • Solution: You are responsible for the lead data you collect, and for ensuring you have adequate consent. Make sure you store the exact consent that people opt in with in your CRM or other systems.

GDPR - Next Steps

  • It's a good idea to study the GDPR guidelines by the ICO.
  • Every business is different, so seek legal advice to make sure you are compliant. 
  • Ensure you have the right tools in place for Custom Audiences and Lead Ads to help stay compliant. Driftrock Audiences and Lead Sync can help with this. 
  • GDPR is a brilliant way to both protect consumers and deliver better marketing. Here's some more reading from Driftrock on why we think GDPR is a great thing for both consumers and marketing.