What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR), which applies starting May 25, 2018, creates consistent data protection rules across Europe. It applies to companies who are based in the EU and global companies who process personal data about individuals in the EU.
While many of the principles build on current EU data protection rules, the GDPR has a wider scope, more prescriptive standards, and substantial fines. For example, it requires a higher standard of consent for using some types of data and broadens individuals' rights with respect to accessing and porting their data. It also establishes significant enforcement powers, allowing a company's supervisory authority to seek fines of up to 4% of global annual revenue for certain violations.
Read the full article from Facebook: https://www.facebook.com/business/gdpr

Information for Businesses

Businesses who advertise with the Facebook companies can continue to use Facebook platforms and solutions in the same way they do today. Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with the laws that apply to them today. For more information about specific Facebook ad products, see the FAQ section.


Facebook Aims to Better Protect Users’ Privacy

Due to the increased pressure Facebook has been facing recently because of data breaches and privacy concerns, the social media giant recently announced that it is extending many of the protections it was already planning to offer to European citizens under the GDPR rules to the rest of the world, in an attempt to better protect user information.
Facebook is planning to give its users new ways to protect their data, including prompting them to review which apps they’ve given access to, offering tools that will make it easier to opt out of targeted ads, and allowing them to delete and/or download their information. Everyone – no matter where they live – will be prompted to review important information about how Facebook uses data and make choices about their privacy on Facebook.

How Will Your Facebook Tracking and Marketing Activity Be Affected?

If you do any sort of Facebook advertising, it is very likely that you use custom audiences and/or the Facebook Pixel to target your ads to the most relevant audience. If you wish to continue doing this after May 25, 2018, Facebook will require you to make some changes to how you're collecting data. Regardless of whether you are marketing to European audiences, you must be Facebook-compliant by that date. Facebook's new privacy rules will affect businesses worldwide, even if you are based outside the EU and aren't necessarily targeting European citizens.
Before we discuss the specific steps required to update your Facebook marketing and tracking activities, let’s review some terms we discussed in the previous blog post, specifically data controller vs data processor:
  • Data Controller: You are the data controller when you decide the ‘purposes’ and ‘means’ of any processing of personal data (aka the party that provides the raw data). In most instances, as a Facebook advertiser, you are considered the data controller and are responsible for how the data is collected, what it is being used for, and how long it is being retained. You must also ensure people have a way to access the data held about them and are able to remove their data at their request.
  • Data Processor: For the most part, Facebook is merely processing your data on your behalf. There are certain situations where Facebook will be the data controller (for instance, when they spin off a lookalike audience based on your custom audience, or if they are gathering data from Facebook profiles).

Custom Audiences

If you create custom audiences in your Ads Manager, you must now take extra steps to make sure you are following Facebook's new terms, as you are the data controller in this situation. Advertisers will also no longer be allowed to share Custom Audiences between business accounts.
Have you created custom audiences in your Ads Manager based on the information you uploaded from sources such as CRM data, newsletter subscribers, or a customer database? If you acquired those names, locations, phone numbers and/or email addresses without getting explicit consent from those people to market to them on Facebook, you will have to delete their information from your Ads Manager by May 25, 2018.
Going forward, all data acquired for email lists must be obtained with explicit consent and users must know exactly how their data will be used. Therefore, if you plan to use your audience data to retarget to them on Facebook, this must be made explicitly clear and they must agree to it when they are giving it to you.
If you are a Canadian business collecting email addresses, you should already have a CASL-compliant opt-in message in place. If that is the case, you may be able to reword that opt-in messaging to include Facebook remarketing. Consult with your legal team for more information.

Facebook Pixel Tracking

If you have the Facebook pixel code installed on your website, you are considered the data controller and Facebook is the data processor, which means you are responsible for getting consent to gather user data. Perhaps you use the pixel to track website traffic, create audiences to retarget on Facebook, or track conversions from your Facebook ads. In most current implementations, the Facebook pixel fires as soon as someone visits your site. After May 25, 2018, you must first obtain consent before Facebook can track a user’s activity on your website. Therefore, you will likely need to update your website with an immediate consent message using functionality such as a cookie bar, and change the way your Facebook pixel is currently firing.
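
One way to hold the pixel back until the cookie bar records a decision, as an added example that is not Facebook's code or part of the original post. The gate, the storage key and the stub pixel are hypothetical names, and the sample events are constructed.

```javascript
// Added example: consent gate for a tracking pixel. All names are hypothetical.
// `storage` mimics localStorage; `loadPixel` stands in for whatever injects the
// vendor snippet and returns a function that sends one event.
const CONSENT_KEY = 'tracking_consent'; // hypothetical storage key

function createConsentGate(storage, loadPixel) {
  let send = null;     // set only after the pixel has been loaded
  const pending = [];  // events seen before the visitor made a decision

  function activate() {
    if (!send) send = loadPixel();               // load the pixel exactly once
    while (pending.length) send(...pending.shift());
  }

  // A returning visitor who already opted in is not asked again.
  if (storage.getItem(CONSENT_KEY) === 'granted') activate();

  return {
    // Page code calls this instead of calling the pixel directly.
    track(name, params = {}) {
      const state = storage.getItem(CONSENT_KEY);
      if (state === 'granted') { activate(); send(name, params); return 'sent'; }
      if (state === 'denied') return 'dropped';  // nothing is kept after a refusal
      pending.push([name, params]);
      return 'queued';
    },
    // Wire these two to the cookie bar's Accept and Decline buttons.
    grant() { storage.setItem(CONSENT_KEY, 'granted'); activate(); },
    deny() { storage.setItem(CONSENT_KEY, 'denied'); pending.length = 0; },
    isLoaded() { return send !== null; },
  };
}

// Constructed stand-ins so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
const fakePixel = log => () => (name, params) => log.push({ name, params });

function demo() {
  const log = [];
  const gate = createConsentGate(memoryStorage(), fakePixel(log));
  gate.track('PageView');               // held: no decision yet
  const loadedBefore = gate.isLoaded(); // pixel not loaded, nothing sent
  gate.grant();                         // visitor clicks Accept
  gate.track('Lead', { source: 'form' });
  return { loadedBefore, sent: log.map(e => e.name) };
}
```

Events raised before the visitor answers are released only on Accept and are discarded on Decline, so nothing reaches the pixel without a recorded opt-in.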

Facebook Lead Ads

In the case of lead ads, both you and Facebook are considered to be data controllers, therefore both parties are responsible for ensuring compliance. When somebody fills out the form on your lead ad, both you and Facebook need to let your prospects know that you are processing their data. Lead ads require you to link to your website’s privacy policy, so be sure that your privacy policy is up-to-date and allows you to collect consent in real-time.

Video Resources

Social Media Examiner: Preparing for GDPR [Video]

Red Shift Media: What North American Businesses Need To Know About GDPR [Video] 
