Facebook Custom Audiences is a valuable tool for many online marketers, but the dirty little secret is the difficulty in making it compliant with the GDPR and ePrivacy rules. I explain the issues and how to overcome them.

1 Summary

2 Scenario

Your company ACME Widgets Ltd (the “advertiser”) wants to promote its health widgets to people using online advertising, e.g. in Facebook and Google ads, and through traditional email marketing.

A news organisation named Global News Ltd (the “publisher”) provides a free website and app to provide news and is funded by the adverts it displays.

Ads on the Global News Corp website/app are chosen and presented in real-time by a third party “ad network”, such as Facebook or Google.

3 What is a Custom Audience?

A Facebook Custom Audience is a group of Facebook user accounts that have been matched to a dataset that an advertiser provides, e.g. ACME Widgets Ltd uploads a list of 100 customer email addresses for which Facebook matched 75 Facebook accounts which becomes a Custom Audience to use within Facebook.

There are really three types of Custom Audience based on where the data comes from:

1. Customer List – A list of contact information that you supply to Facebook (Facebook names this a “customer list”), e.g. email addresses of customers who may or may not be Facebook users.
2. Pixel/App Tracking – People that have interacted with your website (pixel) or app (SDK), who may or may not be Facebook users.
3. Facebook Engagement – Facebook users that have interacted with your Facebook/Instagram presence, e.g. liked your Facebook Page or accessed your Instagram profile.

4 How do I create a Custom Audience?

An advertiser uploads to Facebook a list of contact information or selects a cohort of previously tracked pixel/app/Facebook interactions. Facebook matches the data for the advertiser and creates the Custom Audience list of Facebook users.

5 Is it compliant to CREATE a Custom Audience?

5.1 Customer List and Pixel/App Tracking Users

Summary – probably yes, if you collected the personal data in a compliant fashion in the first place.

For the sole act of creating a Custom Audience (and not actually using it yet), a number of processing activities have to occur:

1. Advertiser collects the personal data from the user, e.g. email, phone, Pixel event.
2. Advertiser stores the personal data.
3. Advertiser sends the personal data to Facebook (in a hashed form).
4. Facebook matches the personal data against Facebook user data it already controls.
5. Facebook creates a list of matched Facebook user accounts (the “Custom Audience”).
6. Facebook retains this Custom Audience within the Advertiser’s account.

For each of these processing activities we first need the Advertiser (the Data Controller here) to establish a lawful basis. Likely examples are shown below in bold.

1. Advertiser collects the personal data from the user, e.g. email, phone, Pixel. [Consent, Legitimate Interest or Contract]
2. Advertiser stores the personal data. [Consent, Legitimate Interest or Contract]
3. Advertiser sends the personal data to Facebook (in a hashed form). [Possibly Consent or more likely Legitimate Interest]
4. Facebook matches the personal data against Facebook user data it already controls. [Legitimate Interest]
5. Facebook creates a list of matched Facebook user accounts (the “Custom Audience”). [Legitimate Interest]
6. Facebook retains this Custom Audience within the Advertiser’s Facebook account. [Legitimate Interest]

We now need to test whether those stand up to scrutiny.

The first and most common issue is with collecting the personal data in the first place, such as when an email list has been purchased without the users knowing or if the user has not given affirmative consent to Facebook Pixel tracking. In the case of an advertiser not having gained cookie consent, retargeting based advertising is off the table, whether that be through Facebook, Google or any other cookie integrated provider.

The next big question is whether the personal data may be sent to Facebook. In this narrow instance of solely creating the Custom Audience, Facebook states that it acts as a Data Processor and has no additional rights over using the created data, e.g. it is not allowed to enrich its dataset with this new matched knowledge that a user has purchased from ACME Widgets Ltd. On the basis of a Data Controller to Data Processor relationship (ACME Widgets Ltd to Facebook), legitimate interest is the likely choice for a lawful basis. Consent is also an option for the Controller, but realistically few Controllers want to ask a customer if they are permitted to send their data to Facebook.

After uploading the data, Facebook will then perform the matching of your data against their own users and create a list for you to use later. These processing actions are well defined by Facebook and ones that you have specifically requested. Facebook are acting as a Data Processor for you here, but in parallel are acting as a Data Controller in the matching of their own data for which they have permission via Facebook users’ agreement with their Terms of Service (by being a Facebook user you agree to being “matched” with advertiser data).

Facebook states that as a Data Processor, “Facebook will not give access to or information about the Custom Audience(s) to third parties or other advertisers, use your Custom Audience(s) to append to the information that we have about our users or build interest-based profiles, or use your Custom Audience(s) except to provide services to you, unless we have your permission or are required to do so by law.” Again, legitimate interest would be the obvious choice for this data processing.

With legitimate interest in mind, is it valid and is it fair?

This assessment will depend on many factors and judgement calls of how well Facebook can be trusted. You may take the view that Facebook should be taken on its word that it will purely act as a Data Processor. You may take the view that Facebook has repeatedly shown poor privacy behaviour and that with no way to audit Facebook’s use of your data they should not be trusted.

If you follow Facebook’s stance then you would rely on legitimate interest to upload your data to Facebook and have them create your Custom Audience.

(But having a Custom Audience is pointless if you’re not going to use it, so we need to explore the compliance of the various uses cases.)

5.2 Facebook Engagement Users

(Reminder – here we’re talking about users of Facebook that are directly engaging with a Facebook property, e.g. Facebook.com)

Summary – yes, if your Facebook presence is GDPR compliant.

When a company such as ACME Widgets has its own corporate Facebook presence, e.g. a Facebook Page, it is acting as a Joint Controller with Facebook (see 2018 ruling). In turn, ACME must treat its Facebook presence like its website by providing a Privacy Notice and explain its collection and use of personal data. With those in place, ACME is able to work with Facebook in a fair and transparent way to build up a detailed understanding of its audience in a defined list of Facebook users.

6 Is it compliant to ADVERTISE to a Custom Audience on Facebook?

6.1 Customer List and Pixel/App Tracking Users

Summary – yes, but only if you have consent, which you probably don’t have.

This question is best split into two parts, compliance against the GDPR and compliance against ePrivacy Laws (PECR/ePrivacy Directive/EU country’s implementation of the ePrivacy Directive).

GDPR Compliance

When advertising through Facebook, Facebook acts as both a Data Processor and Data Controller of the data. Facebook states that one of the ways is acts as a Data Processor for advertisers is when, “Facebook processes data on an advertiser’s behalf in order to measure the performance and reach of advertising campaigns and report back insights about the people who saw and interacted with the ads.” Note how narrow this processing activity definition is – specifically providing analytics back to the advertiser when they run an advertising campaign. Facebook states that in most scenarios it is a Data Controller, and through the omission of any other mention of acting as a Data Processor within ad campaigns we must assume that Facebook is indeed the Data Controller for the running of ad campaigns for advertisers. This seems logical, with Facebook using its own decisions on when and how to advertise to users, and how it will use all the meta data around the ad campaign for enriching its own dataset (such as whether a user actually likes widgets).

We’ve previously covered the validity of using legitimate interest as a lawful basis for Facebook acting as a Data Processor. But now we must also consider a lawful basis for letting Facebook advertise with our data when acting as a Data Controller. As soon as you tell Facebook to advertise to a Custom Audience you are authorising Facebook to use your data for their own purposes and “learn” from your data. Since this is unlikely to be a purpose you tell your users about, or one that they would expect, you would likely fail any tests of transparency or fairness and fall short in any legitimate interest balancing test.

There is the view that by having a Facebook account together with its configurable advertising settings, a user agrees to receive retargeting from Facebook and any of its advertisers. This is only half true, with the user agreeing to receive the retargeting, but not authorising simply any advertiser to share that data with Facebook in the first place.

An example of a problematic scenario would be if a teenage girl purchased a pregnancy testing product from ACME Widgets. She might have blocked the Facebook Pixel cookie on ACME’s website as she didn’t want her website purchase to be tracked by Facebook, even though she is a big fan of Facebook. ACME uses her email to create a Custom Audience within Facebook, and subsequently she receives targeted ads on Facebook for more pregnancy testing kits. In principle she was happy to see ads on Facebook, but did not want her Facebook profile to include anything sensitive, such as her pregnancy test and certainly didn’t want to see ads for it. And the only way Facebook knew this sensitive information about her was through an action that ACME took. Facebook was not to blame here. She is now seeing related ads for birth control and maternity wear and is even more unhappy.

Since legitimate interest may be hard to demonstrate here, consent would be the answer to ensure the user was happy with Facebook advertising to them.

ePrivacy Compliance

In parallel to the data protection requirements of the GDPR we must consider the rules around eCommuncations, such as those on cookies and Direct Marketing. Assuming that we already have consent for any cookie tracking (such as with a Facebook Pixel), the question is whether Facebook advertising is a form of Direct Marketing.

Traditional retargeting where an ad is shown to a cookie tracked device with virtually no understanding of the user’s identity is generally not seen as Direct Marketing. But Facebook is substantially different, with Custom Audiences being a list of known real people whose data you already possess. Advertising to a Custom Audience is virtually identical to email marketing, where a promotional message is being sent to known individuals with whom you have a relationship. As such, I would argue that the rules around Direct Marketing do apply to Facebook advertising to a Custom Audience.

These rules require either affirmative, informed consent from the user (as above with the GDPR) or a “Soft Opt-in” use of legitimate interest. A major issue here is the marketing channel being used. When choosing to consent or not opt-out of direct marketing, an individual should be given a choice of what marketing channel they agree to, e.g. email marketing, SMS marketing, social media marketing. If an advertiser is relying on consent or Soft Opt-In but does not specifically have permission for marketing via Facebook, then it won’t be valid for that communications channel. Back to the example above, the girl may have been happy receive email marketing from ACME for future promotions on pregnancy testing kits, and thus consented to email marketing, but she did not give consent for marketing via Facebook.

The only real way of making Facebook advertising to Custom Audiences compliant is through an affirmative, informed expression of consent to Facebook advertising (along with detail in the Privacy Notice of what that means for further processing by Facebook). Sadly, few data controllers ever gain this user consent, and thus are on dangerous ground with their Facebook advertising to Custom Audiences.

6.2 Facebook Engagement Users

Summary – yes, if your Facebook presence is GDPR compliant.

In this scenario ACME Widgets is acting as a Joint Controller with Facebook, and your users have all accepted both Facebook’s Terms of Service/Privacy Settings and your Privacy Notice. To then target known Facebook users for advertising within Facebook would require a lawful basis, for which Legitimate Interest would be likely to suffice, if your Privacy Notice explains you would do this.

7 What is a “Lookalike Audience” on Facebook?

Advertisers can find similar people to their existing audiences by using Facebook’s “Lookalike Audience” feature. Advertisers choose a “source audience” which is a Custom Audience you define, e.g. fans of your Facebook Page. Facebook then tries to find other Facebook users that are unknown to the advertiser, e.g. those that share similar interests and demographic profiles.

8 Is it compliant to CREATE a “Lookalike Audience” on Facebook?

All the processing activities that take place within the Lookalike Audience feature have Facebook in the Data Controller role. We can split these into two buckets of Facebook activity, understanding the shared attributes within the Custom Audience, and then matching these to individual Facebook user profiles for creating a new list. The first stage requires some intelligent work by Facebook to determine what similarities your Custom Audience has, since essentially you have supplied a list of 1,000 random Facebook users and simply told Facebook that you believe they belong together. It’s now for Facebook to determine why – something many marketers struggle to calculate alone and gladly turn to the likes of Facebook for automated assistance. Again, this is the advertiser giving new information to Facebook and letting Facebook use the data for its own enrichment.

For example, you supply a list of 1,000 Facebook users in a Custom Audience that you know are top purchasers of your baldness curing widget. Facebook analyses the 1,000 user profiles and finds a preference amongst these users towards motor racing events and home renovation Facebook Pages. This is a theory that Facebook can use in future matches and test in future ad campaigns, e.g. by targeting baldness related products at members of a DIY company’s Facebook page, or in reverse by targeting DIY ad campaigns at your very own Facebook Page members. Marketers are generally happy with this approach, since they get the new audience to target and they have helped enrich the Facebook “graph” to hopefully benefit them in the future.

8.1 Customer List and Pixel/App Tracking Users

Summary – yes, but only if you have consent, which you probably don’t have.

Since we’re in the same situation as advertising to a Custom Audience (where we are giving Facebook our data, enriching its data set and letting Facebook do anything it wants with it), legitimate interest as a lawful basis is a stretch, and consent from the users involved our only real option.

8.2 Facebook Engagement Users

Summary – yes, if your Facebook presence is GDPR compliant.

In this scenario ACME Widgets is acting as a Joint Controller with Facebook, and your users have all accepted both Facebook’s Terms of Service/Privacy Settings and your Privacy Notice. To then perform the shared attribute analysis would require a lawful basis, for which Legitimate Interest would be likely to suffice, if your Privacy Notice explains you would do this.

8.3 Lookalike User Matching

Facebook’s matching of its theoretical profile against other Facebook users to create the Lookalike Audience is outside of your control and doesn’t involve any of your personal data. So we don’t actually need to care about this stage. But we do need to consider how we advertise to this new Lookalike Audience we possess in a compliant fashion.

9 Is it compliant to ADVERTISE to a “Lookalike Audience” on Facebook?

Summary – yes, but only if you can create the Lookalike Audience in the first place in a compliant fashion.

The key difference between a Lookalike Audience and a Custom Audience is that as an advertiser you have no ability to identify individuals within a Lookalike Audience but can within a Custom Audience. As far as you are concerned, a Lookalike Audience contains no personal data that you can process and thus is not subject to the GDPR or any rules around Direct Marketing. It is untargeted advertising in the sense that you don’t know who will see it, but you hope they have similar habits and buying behaviour to your Custom Audience list.

Since you’re not processing personal data in a Lookalike Audience ad campaign, the likes of GDPR will not stand in your way. You’ve just got a tall order to be able to create your Lookalike Audience in the first place in a compliant fashion.