This blog will give you a brief overview of how the new General Data Protection Regulations (GDPR) could impact your Facebook advertising. We’ll show you what you need to do to make sure you’re playing by the rules. While it looks like a complex subject, the good news it that much of the groundwork has already been completed by Facebook itself, so don’t panic!
And if you’d like to know more, why not sign up to our Facebook Advertising Course.
Firstly, what is GDPR?
GDPR refers to the new General Data Protection Regulations that come into effect on 25 May 2018. Although similar to previous data protection regulations, GDPR puts the onus firmly on organisations holding personal data to make sure that people know where their data is held and how it is used. It also gives them the right to request that all their data be deleted. If you hold personal data on anyone based in the EU then you need to take notice.
There are a number of legal justifications for holding data, such as contractual necessity – i.e. giving you the ability to hold data relating to a purchase so you know where to ship products you’ve sold.
For marketing purposes the chances are you’ll need to gain explicit consent from anyone you want to market to. You also need to be able to prove this consent if you’re ever audited. The fines are pretty heavy for those who aren’t able to do this.
Consent requires a ‘freely given, specific, informed and unambiguous consent by clear affirmative action’. In other words they have to actively opt in.
People must be made aware that they have a right to withdraw consent and can do so easily. Consent can only be given by people over the age of consent (13 in the UK), or by a parent or guardian.
How does GDPR affect Facebook advertising?
Facebook’s preparations for GDPR involve three key principles – transparency, control and accountability. Essentially this means they’ll make it easier for people to find out what information is held about them, and take more care about how advertisers make use of that data.
While Facebook is making changes to ensure that it’s platform is compliant with the new regulations, it also states that “Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with the laws that apply to them today.” So don’t think you can blame Facebook if you’re found to be in breach.
However, if you’re using Facebook’s own targeting advertising methods you shouldn’t need to change anything that you do, except in a the scenarios detailed below. As Facebook owns Instagram, Messenger and WhatsApp, any GDPR-related changes that Facebook make will also apply to those platforms.
GDPR and the Facebook Pixel
Facebook pixel is a piece of code that you insert into your website. It helps track people who click on your Facebook advertising and then report on conversations. It also helps you optimize your adverts and build targeted audiences for future adverts, as well as remarket to people that have already interacted with your website.
It’s a powerful tool, but if you use the Facebook Pixel you need to make sure people who visit your site know they are being tracked and ok with this. Examples of publishers who need consent might include:
- A Facebook advertiser who installs the Facebook or Atlas pixel on its website in order to measure ad conversions or retarget advertisements on Facebook
To gain consent is relatively straightforward – you just need to tell people on your site what, how and why you will be tracking their information, and get them to agree to this activity. You could do this by displaying a prominent banner or overlay when people visit your site, and prompting them to click ‘Agree’ to continue. Some companies ask for consent when site visitors register their details.
For more information and examples visit developers.facebook.com/docs/privacy
GDPR and Custom Audiences
A Custom Audience is made up of people whose data you have collected off-Facebook. You can upload this list to Facebook in order to send them social media adverts, or create Lookalike audiences – potential customers who share the same traits as your existing customers.
When you upload custom audience data to Facebook you are responsible for ensuring it’s compliance prior to upload. You have to think about where and how that data was acquired and whether everyone on that list has been informed that you might be using it for this purpose. If asked, could you prove that they’ve given knowing consent? If not, you’ll need to ask those people for their consent for you to use their data in this way.
Facebook is currently developing a ‘Custom Audiences Permission Tool’ which will require you to provide proof of the compliance of your data before uploading it. It’s not yet clear what form this proof will take but it’s worth considering now.
GDPR and Lead Gen Ads
Lead Generation ads simplify the way that customers send you their data. When they click on your advert they are taken to a form that is pre-populated with information they’ve already shared with Facebook (i.e. name, email, location) meaning they don’t have to type it all in each time.
That’s it from us for now, we hope this guide has been helpful.
If you want to know more about GDPR in general do click on the links below, or sign up to our Facebook Advertising Course.
All the best