How GDPR Affects Your Facebook Tracking and Advertising

May 1, 2018
By   Jen McDonnell
Category   Social Media

In this blog series, we will cover:

•  Blog 1: What is the GDPR?
•  Blog 2: What Canadian and US Businesses Need To Know
•  Current post: How It Affects Your Facebook Tracking and Advertising
•  Blog 4: How It Affects Your Google Tracking and Advertising

In our previous blog post, we explained the General Data Protection Regulation (GDPR) laws that are being implemented in Europe, and how they will affect businesses in Canada and the US. Here, we look specifically at Facebook, which has extended some of the GDPR rules to the global population.

Facebook Aims to Better Protect Users’ Privacy

Due to the increased pressure Facebook has been facing recently because of data breaches and privacy concerns, the social media giant recently announced that it is extending many of the protections it was already planning to offer to European citizens through the GDPR rules to the rest of the world, in an attempt to better protect user information.

Facebook is planning to give its users new ways to protect their data, including prompting them to review which apps they’ve given access to, offering tools that will make it easier to opt out of targeted ads, and allowing them to delete and/or download their information. Everyone – no matter where they live – will be prompted to review important information about how Facebook uses data and make choices about their privacy on Facebook.

How Will Your Facebook Tracking and Marketing Activity Be Affected?

If you do any sort of Facebook advertising, it is very likely that you use custom audiences and/or the Facebook Pixel to target your ads to the most relevant audience. If you wish to continue doing this after May 25, 2018, Facebook will require you to make some changes to how you’re collecting data. Regardless of whether you are marketing to European audiences or not, you must be Facebook-compliant by that date. Facebook’s new privacy rules will affect businesses worldwide, even if you are based outside the EU and aren’t necessarily targeting European citizens.

Before we discuss the specific steps required to update your Facebook marketing and tracking activities, let’s review some terms we discussed in the previous blog post, specifically data controller vs data processor:

  • Data Controller: You are the data controller when you decide the ‘purposes’ and ‘means’ of any processing of personal data (aka the party that provides the raw data). In most instances, as a Facebook advertiser you are considered the data controller and are responsible for how the data is collected, what it is being used for, and how long it is being retained for. You must also ensure people have a way to access the data held about them and are able to remove their data at their request.
  • Data Processor: For the most part, Facebook is merely processing your data on your behalf. There are certain situations where Facebook will be the data controller (for instance, when they spin off a lookalike audience based on your custom audience, or if they are gathering data from Facebook profiles).

Custom Audiences

If you create custom audiences in your Ads Manager, you must now take extra steps to make sure you are following Facebook’s new terms, as you are the data controller in this situation. Advertisers will also no longer be allowed to share Custom Audiences between business accounts.

Have you created custom audiences in your Ads Manager based on information you uploaded from sources such as CRM data, newsletter subscribers, or a customer database? If you acquired those names, locations, phone numbers and/or email addresses without getting explicit consent from those people to market to them on Facebook, you will have to delete their information from your Ads Manager by May 25, 2018.

Going forward, all data acquired for email lists must be obtained with explicit consent and users must know exactly how their data will be used. Therefore, if you plan to use your audience data to retarget to them on Facebook, this must be made explicitly clear and they must agree to it when they are giving it to you.

If you are a Canadian business that collects email addresses, you should already have a CASL-compliant opt-in message in place. If that is the case, you may be able to reword that opt-in messaging to include Facebook remarketing. Consult with your legal team for more information.

Facebook Pixel Tracking

If you have the Facebook pixel code installed on your website, you are considered the data controller and Facebook is the data processor, which means you are responsible for getting consent to gather user data. Perhaps you use the pixel to track website traffic, create audiences to retarget on Facebook, or track conversions from your Facebook ads. In most current implementations, the Facebook pixel fires as soon as someone visits your site. After May 25, 2018, you must first obtain consent before Facebook can track a user’s activity on your website. Therefore, you will likely need to update your website with an immediate consent message using functionality such as a cookie bar and change the way your Facebook pixel is currently firing.
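One way to change how the pixel fires, shown as an added example that is not code from the original post or from Facebook: a small gate that runs the pixel snippet only after the cookie bar records an opt-in, and stops it if consent is withdrawn. The cookie name `tracking_consent`, the functions `createPixelGate`, `runPixelSnippet` and `applyTrackingConsent` are hypothetical; `fbq('consent', 'revoke')` is the pixel's own consent call.

```javascript
// Added example: load the tracking pixel only after an explicit opt-in.
// CONSENT_COOKIE and createPixelGate are hypothetical names, not a vendor API.
const CONSENT_COOKIE = 'tracking_consent';

// Returns 'granted', 'denied', or null when the visitor has made no choice yet.
function readConsent(cookieString) {
  for (const part of String(cookieString).split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    const value = rest.join('=');
    // Anything other than the two known values is treated as "no choice".
    return value === 'granted' || value === 'denied' ? value : null;
  }
  return null;
}

// loadPixel runs at most once per grant; unloadPixel runs when consent is withdrawn.
function createPixelGate(loadPixel, unloadPixel) {
  let loaded = false;
  return {
    apply(cookieString) {
      const consent = readConsent(cookieString);
      if (consent === 'granted' && !loaded) {
        loadPixel();
        loaded = true;
      } else if (consent !== 'granted' && loaded) {
        unloadPixel();
        loaded = false;
      }
      return { consent, loaded };
    },
  };
}

// Browser wiring (skipped when there is no document, e.g. in tests).
if (typeof document !== 'undefined') {
  const gate = createPixelGate(
    // Hypothetical wrapper around the site's existing pixel snippet, moved out
    // of <head> so nothing is sent before the opt-in.
    () => window.runPixelSnippet(),
    // Tell an already-loaded pixel to stop sending events.
    () => { if (typeof fbq === 'function') fbq('consent', 'revoke'); }
  );
  gate.apply(document.cookie);
  // The cookie bar calls this after it stores the visitor's choice.
  window.applyTrackingConsent = () => gate.apply(document.cookie);
}
```

A missing or unrecognised cookie value is treated the same as a refusal, so the default state is "pixel not loaded".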

Facebook Lead Ads

In the case of lead ads, both you and Facebook are considered to be data controllers, so both parties are responsible for ensuring compliance. When somebody fills out the form on your lead ad, both you and Facebook need to let your prospects know that you are processing their data. Lead ads require you to link to your website’s privacy policy, so be sure that your privacy policy is up-to-date and allows you to collect consent in real-time.

What Are Your Next Steps?

In order to continue to track your audience’s activity and remarket to them via Facebook, you must:

  • obtain explicit consent from anyone on your current list/database who did not previously give explicit consent. One way to do this is to send a mass email to your database, and remove anyone from your custom audience list who does not respond with explicit consent
  • inform everyone going forward that you’re collecting data and what you’re doing with it. Some ways you can do this are through a cookie banner asking for consent, or by obtaining consent from users during a registration flow
  • make it possible for users to reject cookies, and withdraw their consent at any time. If they do withdraw their consent, you must be able to erase their data
  • be able to notify users of a data breach within 72 hours of discovering it

Note: We aren’t lawyers, so please be sure to review your obligations with your legal team. The information we share is based on general marketing best practices and information our team has reviewed from a variety of sources. 



Jen McDonnell

Jen is the Vice President of Content and Social Media at Reshift Media, where she manages a team responsible for the social strategies for several national and international brands. She has a strong content background, having previously worked in online journalism for 10 years. Her articles have been published in the National Post, the Ottawa Citizen, the Vancouver Province, the Calgary Herald, Flare, and more.
