Verification Email List Upload Custom Audiences Facebook

Facebook Custom Audiences is a valuable tool for many online marketers, but the dirty little secret is the difficulty in making it compliant with the GDPR and ePrivacy rules. I explain the issues and how to overcome them.

1 Summary

| Facebook Activity and GDPR/ePrivacy Compliance | Custom Audience Created from: Customer List or Pixel/App Tracking | Custom Audience Created from: Direct Facebook Engagement |
| --- | --- | --- |
| Is it compliant to CREATE a Custom Audience? | Probably yes, if you collected the personal data in a compliant fashion in the first place. | Yes, if your Facebook presence is GDPR compliant. |
| Is it compliant to Advertise to a Custom Audience on Facebook? | Yes, needs consent (which few advertisers have). | Yes, if your Facebook presence is GDPR compliant. |
| Is it compliant to create a "Lookalike Audience" on Facebook? | Yes, needs consent (which few advertisers have). | Yes, if your Facebook presence is GDPR compliant. |
| Is it compliant to Advertise to a "Lookalike Audience" on Facebook? | Yes, but only if you can create the Lookalike Audience in a compliant way in the first place. | Yes, but only if you can create the Lookalike Audience in a compliant way in the first place. |

2 Scenario

Your company ACME Widgets Ltd (the "advertiser") wants to promote its wellness widgets to people using online advertising, e.g. in Facebook and Google ads, and through traditional email marketing.

A news organization named Global News Ltd (the "publisher") provides a free website and app to provide news and is funded by the adverts it displays.

Ads on the Global News Corp website/app are chosen and presented in real-time by a third party "ad network", such as Facebook or Google.

3 What is a Custom Audience?

A Facebook Custom Audience is a group of Facebook user accounts that have been matched to a dataset that an advertiser provides, e.g. ACME Widgets Ltd uploads a list of 100 customer email addresses, Facebook matches 75 Facebook accounts against it, and those accounts become a Custom Audience to use within Facebook.

There are actually three types of Custom Audience based on where the information comes from:

  1. Customer List – A list of contact data that you supply to Facebook (Facebook names this a "customer list"), e.g. email addresses of customers who may or may not be Facebook users.
  2. Pixel/App Tracking – People that have interacted with your website (pixel) or app (SDK), who may or may not be Facebook users.
  3. Facebook Engagement – Facebook users that have interacted with your Facebook/Instagram presence, e.g. liked your Facebook Page or accessed your Instagram profile.

4 How do I create a Custom Audience?

An advertiser uploads to Facebook a list of contact information or selects a cohort of previously tracked pixel/app/Facebook interactions. Facebook matches the data for the advertiser and creates the Custom Audience list of Facebook users.

5 Is it compliant to CREATE a Custom Audience?

5.1 Customer List and Pixel/App Tracking Users

Summary – probably yes, if you collected the personal data in a compliant fashion in the first place.

For the sole act of creating a Custom Audience (and not actually using it yet), a number of processing activities have to occur:

  1. Advertiser collects the personal data from the user, e.g. email, phone, Pixel event.
  2. Advertiser stores the personal data.
  3. Advertiser sends the personal data to Facebook (in a hashed form).
  4. Facebook matches the personal data against Facebook user data it already controls.
  5. Facebook creates a list of matched Facebook user accounts (the "Custom Audience").
  6. Facebook retains this Custom Audience within the Advertiser's account.

For each of these processing activities we first need the Advertiser (the Data Controller here) to establish a lawful basis. Likely examples are shown below in square brackets.

  1. Advertiser collects the personal data from the user, e.g. email, phone, Pixel. [Consent, Legitimate Interest or Contract]
  2. Advertiser stores the personal data. [Consent, Legitimate Interest or Contract]
  3. Advertiser sends the personal data to Facebook (in a hashed form). [Possibly Consent or more likely Legitimate Interest]
  4. Facebook matches the personal data against Facebook user data it already controls. [Legitimate Interest]
  5. Facebook creates a list of matched Facebook user accounts (the "Custom Audience"). [Legitimate Interest]
  6. Facebook retains this Custom Audience within the Advertiser's Facebook account. [Legitimate Interest]

We now need to test whether those stand up to scrutiny.

The first and most common issue is with collecting the personal information in the first place, such as when an email list has been purchased without the users knowing or if the user has not given affirmative consent to Facebook Pixel tracking. In the case of an advertiser not having gained cookie consent, retargeting-based advertising is off the table, whether that be through Facebook, Google or any other cookie integrated provider.

The next big question is whether the personal data may be sent to Facebook. In this narrow instance of solely creating the Custom Audience, Facebook states that it acts as a Data Processor and has no additional rights over using the created information, e.g. it is not allowed to enrich its dataset with this new matched knowledge that a user has purchased from ACME Widgets Ltd. On the basis of a Data Controller to Data Processor relationship (ACME Widgets Ltd to Facebook), legitimate interest is the likely option for a lawful basis. Consent is also an option for the Controller, but realistically few Controllers want to ask a customer if they are permitted to send their data to Facebook.

After uploading the data, Facebook will then perform the matching of your data against their own users and create a list for you to use later. These processing actions are well defined by Facebook and ones that you have specifically requested. Facebook are acting as a Data Processor for you here, but in parallel are acting as a Data Controller in the matching of their own data for which they have permission via Facebook users' agreement with their Terms of Service (by being a Facebook user you agree to being "matched" with advertiser information).

Facebook states that as a Data Processor, "Facebook will not give access to or information about the Custom Audience(s) to third parties or other advertisers, use your Custom Audience(s) to append to the information that we have about our users or build interest-based profiles, or use your Custom Audience(s) except to provide services to you, unless we have your permission or are required to do so by law." Again, legitimate interest would be the obvious selection for this data processing.

With legitimate interest in mind, is it valid and is it fair?

This assessment will depend on many factors and judgement calls of how well Facebook can be trusted. You may take the view that Facebook should be taken at its word that it will purely act as a Data Processor. You may take the view that Facebook has repeatedly shown poor privacy behaviour and that with no way to inspect Facebook's use of your data they should not be trusted.

If you follow Facebook's stance then you would rely on legitimate interest to upload your data to Facebook and have them create your Custom Audience.

(But having a Custom Audience is pointless if you're not going to use it, so we need to explore the compliance of the various use cases.)

5.2 Facebook Engagement Users

(Reminder – here we're talking about users of Facebook that are directly engaging with a Facebook property, e.g. Facebook.com)

Summary – yes, if your Facebook presence is GDPR compliant.

When a company such as ACME Widgets has its own corporate Facebook presence, e.g. a Facebook Page, it is acting as a Joint Controller with Facebook (see 2018 ruling). In turn, ACME must treat its Facebook presence like its website by providing a Privacy Notice and explaining its collection and use of personal data. With those in place, ACME is able to work with Facebook in a fair and transparent way to build up a detailed understanding of its audience in a defined list of Facebook users.

6.1 Customer List and Pixel/App Tracking Users

Summary – yes, but only if you have consent, which you probably don't have.

This question is best split into two parts, compliance against the GDPR and compliance against ePrivacy Laws (PECR/ePrivacy Directive/EU state's implementation of the ePrivacy Directive).

GDPR Compliance

When advertising through Facebook, Facebook acts as both a Data Processor and Data Controller of the data. Facebook states that one of the ways it acts as a Data Processor for advertisers is when, "Facebook processes data on an advertiser's behalf in order to measure the performance and reach of advertising campaigns and report back insights about the people who saw and interacted with the ads." Note how narrow this processing action definition is – specifically providing analytics back to the advertiser when they run an advertising campaign. Facebook states that in most scenarios it is a Data Controller, and through the omission of any other mention of acting as a Data Processor within ad campaigns we must assume that Facebook is indeed the Data Controller for the running of ad campaigns for advertisers. This seems logical, with Facebook using its own decisions on when and how to advertise to users, and how it will use all the meta information around the ad campaign for enriching its own dataset (such as whether a user actually likes widgets).

We've previously covered the validity of using legitimate interest as a lawful basis for Facebook acting as a Data Processor. But now we must also consider a lawful basis for letting Facebook advertise with our information when acting as a Data Controller. As soon as you tell Facebook to advertise to a Custom Audience you are authorising Facebook to use your information for their own purposes and "learn" from your data. Since this is unlikely to be a purpose you tell your users about, or one that they would expect, you would likely fail any tests of transparency or fairness and fall short in any legitimate interest balancing test.

There is the view that by having a Facebook account together with its configurable advertising settings, a user agrees to receive retargeting from Facebook and any of its advertisers. This is only half true, with the user agreeing to receive the retargeting, but not authorising just any advertiser to share that information with Facebook in the first place.

[Figure: Facebook User Ad Settings]

An example of a problematic scenario would be if a teenage girl purchased a pregnancy testing product from ACME Widgets. She might have blocked the Facebook Pixel cookie on ACME's website as she didn't want her website purchase to be tracked by Facebook, even though she is a big fan of Facebook. ACME uses her email to create a Custom Audience within Facebook, and later she receives targeted ads on Facebook for more pregnancy testing kits. In principle she was happy to see ads on Facebook, but did not want her Facebook profile to include anything sensitive, such as her pregnancy test, and certainly didn't want to see ads for it. And the only way Facebook knew this sensitive data about her was through an action that ACME took. Facebook was not to blame here. She is now seeing related ads for birth control and maternity wear and is even more unhappy.

Since legitimate interest may be hard to demonstrate here, consent would be the answer to ensure the user was happy with Facebook advertising to them.

ePrivacy Compliance

In parallel to the data protection requirements of the GDPR we must consider the rules around eCommunications, such as those on cookies and Direct Marketing. Assuming that we already have consent for any cookie tracking (such as with a Facebook Pixel), the question is whether Facebook advertising is a form of Direct Marketing.

Traditional retargeting where an advert is shown to a cookie tracked device with virtually no understanding of the user's identity is generally not seen as Direct Marketing. But Facebook is substantially different, with Custom Audiences being a list of known real people whose data you already possess. Advertising to a Custom Audience is almost identical to email marketing, where a promotional message is being sent to known individuals with whom you have a relationship. As such, I would argue that the rules around Direct Marketing do apply to Facebook advertising to a Custom Audience.

These rules require either affirmative, informed consent from the user (as above with the GDPR) or a "Soft Opt-in" use of legitimate interest. A major issue here is the marketing channel being used. When choosing to consent or not opt-out of direct marketing, an individual should be given a choice of what marketing channel they agree to, e.g. email marketing, SMS marketing, social media marketing. If an advertiser is relying on consent or Soft Opt-In but does not specifically have permission for marketing via Facebook, then it won't be valid for that communications channel. Back to the case above, the girl may have been happy to receive email marketing from ACME for future promotions on pregnancy testing kits, and thus consented to email marketing, but she did not give consent for marketing via Facebook.

The only real way of making Facebook advertising to Custom Audiences compliant is through an affirmative, informed expression of consent to Facebook advertising (along with detail in the Privacy Notice of what that means for further processing by Facebook). Sadly, few data controllers ever gain this user consent, and thus are on dangerous ground with their Facebook advertising to Custom Audiences.

6.2 Facebook Engagement Users

Summary – yes, if your Facebook presence is GDPR compliant.

In this scenario ACME Widgets is acting as a Joint Controller with Facebook, and your users have all accepted both Facebook's Terms of Service/Privacy Settings and your Privacy Notice. To then target known Facebook users for advertising within Facebook would require a lawful basis, for which Legitimate Interest would be likely to suffice, if your Privacy Notice explains you would do this.

7 What is a "Lookalike Audience" on Facebook?

Advertisers can find similar people to their existing audiences by using Facebook's "Lookalike Audience" feature. Advertisers choose a "source audience" which is a Custom Audience you define, e.g. fans of your Facebook Page. Facebook then tries to find other Facebook users that are unknown to the advertiser, e.g. those that share similar interests and demographic profiles.

8 Is it compliant to CREATE a "Lookalike Audience" on Facebook?

All the processing activities that take place within the Lookalike Audience feature have Facebook in the Data Controller role. We can split these into two buckets of Facebook activity: understanding the shared attributes within the Custom Audience, and then matching these to individual Facebook user profiles for creating a new list. The first stage requires some intelligent work by Facebook to determine what similarities your Custom Audience has, since essentially you have supplied a list of 1,000 random Facebook users and simply told Facebook that you believe they belong together. It's now for Facebook to determine why – something many marketers struggle to calculate alone and gladly turn to the likes of Facebook for automated assistance. Again, this is the advertiser giving new information to Facebook and letting Facebook use the data for its own enrichment.

For example, you supply a list of 1,000 Facebook users in a Custom Audience that you know are top purchasers of your baldness curing widget. Facebook analyses the 1,000 user profiles and finds a preference among these users towards motor racing events and home renovation Facebook Pages. This is a theory that Facebook can use in future matches and test in future ad campaigns, e.g. by targeting baldness related products at members of a DIY company's Facebook page, or in reverse by targeting DIY advert campaigns at your very own Facebook Page members. Marketers are generally happy with this approach, since they get the new audience to target and they have helped enrich the Facebook "graph" to hopefully benefit them in the future.

8.1 Customer List and Pixel/App Tracking Users

Summary – yes, but only if you have consent, which you probably don't have.

Since we're in the same situation as advertising to a Custom Audience (where we are giving Facebook our data, enriching its data set and letting Facebook do anything it wants with it), legitimate interest as a lawful basis is a stretch, and consent from the users involved is our only real option.

8.2 Facebook Engagement Users

Summary – yes, if your Facebook presence is GDPR compliant.

In this scenario ACME Widgets is acting as a Joint Controller with Facebook, and your users have all accepted both Facebook's Terms of Service/Privacy Settings and your Privacy Notice. To then perform the shared attribute analysis would require a lawful basis, for which Legitimate Interest would be likely to suffice, if your Privacy Notice explains you would do this.

8.3 Lookalike User Matching

Facebook's matching of its theoretical profile against other Facebook users to create the Lookalike Audience is outside of your control and doesn't involve any of your personal data. So we don't actually need to care about this phase. But we do need to consider how we advertise to this new Lookalike Audience we possess in a compliant fashion.

Summary – yes, but only if you can create the Lookalike Audience in the first place in a compliant way.

The key difference between a Lookalike Audience and a Custom Audience is that as an advertiser you have no ability to identify individuals within a Lookalike Audience but can within a Custom Audience. As far as you are concerned, a Lookalike Audience contains no personal data that you can process and thus is not subject to the GDPR or any rules around Direct Marketing. It is untargeted advertising in the sense that you don't know who will see it, but you hope they have similar habits and buying behaviour to your Custom Audience list.

Since you're not processing personal data in a Lookalike Audience advertising campaign, the likes of GDPR will not stand in your way. You've just got a tall order to be able to create your Lookalike Audience in the first place in a compliant manner.


Source: https://consent.guide/making-facebook-custom-audiences-gdpr-compliant/
