Data and privacy seem to have reared their heads in unison in the past months, mostly driven by the impending GDPR requirements and fuelled by press stories surrounding Facebook and the misuse of data by Cambridge Analytica.
Whilst GDPR is a broad-reaching policy that affects businesses in lots of ways, Facebook in itself is a potential minefield. Most marketers familiar with the Facebook platform will know that it uses data in lots of different ways, from custom audiences to tracking pixels and lookalike audiences. But who is responsible for these in a legal context when it comes to GDPR regulations?
Some comments online have suggested that all of these responsibilities lie at the feet of the individual business and that, for example, tracking pixels on your website require permission from the user before they even fire an event (i.e. return data to Facebook's servers). Whichever way it lies, it’s important to be clear, as GDPR fines can be as much as 4% of annual turnover for companies that break the rules.
However, recent guidelines published by Facebook shed some light on this, and identifying the types of data makes it easier to understand where your responsibilities lie and what Facebook considers its duty of care.
The most important distinction to be made is to understand Facebook's role as both a ‘data controller’ and a ‘data processor’.
Facebook describes each in the following way:
- Data controller: In most cases, the Facebook Companies (Facebook and Messenger, Instagram, Oculus and WhatsApp), will be acting as a data controller. When Facebook is the data controller, we handle personal data as described in our Data Policy. For example, Facebook is the data controller of all on-Facebook activity. Affiliates (such as WhatsApp, Oculus and Instagram) each handle personal data as described in their own data policies. We will ensure that services across the Facebook companies align with GDPR, which may involve making new tools available to users and reviewing existing tools to make sure that we honour our obligations.
- Data processor: In certain instances, Facebook acts as a data processor on behalf of advertisers or business partners (the data controller), such as for data file Custom Audiences and Workplace Premium. There are specific compliance requirements for data processors that we’ll make sure we comply with. For example, as relevant, we’ll refresh the contractual obligations that must be agreed upon between data controllers and data processors to align with the updated GDPR requirements. Facebook may also act as a data processor for our affiliate companies in certain instances as well.
In other words, responsibility for the data depends on whether the data is sourced by Facebook or by the business using Facebook. Let’s look at two common examples to explain that a bit more clearly.
Facebook Tracking Pixels:
Many businesses have taken advantage of Facebook's tracking pixel, which can be placed on a website and used to generate data such as lists of visitors who have come to the site and their interests. This is Facebook's data, as the business user does not have access to the specific details it gathers. When you use this data you are able to target Facebook messages at the people who came to your site, but not determine who they are on an individual level. In this instance Facebook is the ‘data controller’. You do not then, in theory, have to gain specific permission from visitors before you track them with a pixel. The terms regarding the tracking will be laid out in Facebook's conditions when you sign up for an account.
Facebook Custom Audiences:
In this instance businesses have the option to upload customer lists and CRM data to build custom audiences to whom they can advertise through the Facebook platform. As this source data belongs to the business, the business is now the ‘data controller’ and Facebook becomes the ‘data processor’. The responsibility for this data now lies at the feet of the business, and they should have proper opt-in conditions that explain that the data might be used to create custom audiences.
It makes sense that Facebook should not be responsible for companies that have bought huge databases of contacts, often illegally, and uploaded them to the Facebook servers for their own benefit.
Facebook clarifies this further, saying:
“Facebook is the data controller when it shows ads to people based on the information that people provide directly to Facebook and for data that Facebook receives when websites and apps install Facebook’s pixel and SDK. In these cases, we are responsible for ensuring compliance, including by providing notice and establishing a legal basis to process that data. If you’re using Facebook’s data file Custom Audience product to reach your customers or using Facebook’s measurement and analytics services and providing EU users’ personal information to us, Facebook is acting as a data processor, so you must ensure compliance for our processing of the personal data to provide services for you.”
Understanding the key differences between a data controller and a data processor should enable you to assess the various other ways that data is used across the platform and who is liable for it.
If you’re uncertain, though, I would recommend contacting a good GDPR lawyer to iron out the details for your business.
More details regarding Facebook's evolving privacy policies and its response to GDPR can be found on the Facebook site.