In September 2020, the European Data Protection Board (EDPB) released new guidelines on the targeting of social media users (Guidelines) for consultation.

Background

The Guidelines address the privacy risks and legal issues that arise when social media services are used to direct specific messages to users based on particular criteria, such as the users’ perceived interests, preferences and socio-demographic characteristics.

 A typical example of this is when a brand (or ‘advertiser’) advertises their products or services on individuals’ social media platforms. Through programmatic advertising (the automated buying and selling of online advertising) and the process of ‘real-time bidding’ (the automated bidding of display advertising inventory in real-time) in particular, advertisers can place personalised adverts on individuals’ social media platforms (e.g. through content feeds or ‘stories’). This process usually involves processing personal data in bid requests, which can include individuals’ web browsing history, age, gender, location and network connections. Advertisers submit bids to have their adverts placed on individuals’ social media pages based on the perceived likelihood that the individual will be interested. Generally, the more detailed the bid request, the higher the bids are likely to be, so there is more incentive for the parties involved to collect as much personal data as possible through the use of tracking technologies or otherwise. Further, parties within the ad tech ecosystem (such as data brokers) may augment the data collected from the bid request with information from other sources (including offline sources), which they might sell to other stakeholders involved in the targeting process.

The Guidelines split the types of actors involved in the targeting process into four different groups, namely: (1) social media providers; (2) social media users; (3)  targeters (e.g. advertisers); and (4) ‘other actors’ which may be involved (e.g. supply side platforms (SSPs), demand side platforms (DSPs), data management platforms (DMPs), data brokers, ad networks and ad exchanges).

The Guidelines identify the potential risks of targeting for social media users, such as loss of control over personal data, potential discrimination and potential manipulation of individuals (as targeting mechanisms seek to influence individuals’ behaviour and choices).

The Guidelines also seek to clarify the roles, responsibilities and relationships between social media providers and targeters and explain the key data protection requirements and documentation that should be in place.

Issues and actions

Joint controllership

Issue – The Guidelines provide that social media providers and targeters are ‘joint controllers’ for the following targeting activities typically involved in programmatic advertising – determining the targeting criteria; identifying a target audience; displaying the adverts to the target audience and providing targeting campaign reports. The parties would also be joint controllers for custom audience (or ‘list-based’) targeting, whereby the targeter uploads lists of personal data it holds (such as emails or phone numbers) for the social media provider to match against information on the platform to build the target audience. The Guidelines clarify that the parties can be joint controllers even where the targeter does not have access to the personal data of the target audience.

Action – Social media providers and targeters should put in place a joint controller agreement to set out their respective responsibilities and liabilities. The arrangement between targeters and social media providers should encompass all processing operations for which they are jointly responsible (which would exclude any data collection that occurred prior and unrelated to the targeting campaign, for which the parties would be separate and independent controllers). The Guidelines state that by concluding a superficial and incomplete arrangement, targeters and social media providers would be in breach for non-compliance with their obligations under the General Data Protection Regulation (GDPR).

Legal basis

Issue – Social media providers and targeters each need to identify an appropriate lawful basis for the processing of personal data. The two legal bases under Article 6 of the GDPR which could potentially justify the processing that supports the targeting are legitimate interests or consent (as the Guidelines rule out processing based on necessity of contract), and controllers must assess which is appropriate based on their particular circumstances.

The Guidelines indicate that it would be difficult for controllers to justify using legitimate interests as a legal basis for intrusive profiling and tracking practices for advertising purposes, which include tracking individuals across multiple websites, locations, devices, services or data-brokering. To rely on legitimate interests, social media users should be able to object to the display of targeted advertising when accessing the platform before the processing is initiated, and also be provided with controls that ensure the processing of their personal data for the targeting purposes no longer takes place after they object.

In relation to consent, the Guidelines point out that for consent to be valid, the individual must be offered control and genuine choice, as well as the ability to refuse or withdraw consent without detriment. Consent must also be active, specific, informed and unambiguous. Where targeting activities involve the use of cookies or similar tracking technologies, the cookie consent must fulfil these same conditions. Further, even if the processing is based on consent, this would not legitimise targeting which is disproportionate or unfair.

Note that if the processing of personal data in the targeting process includes sensitive or ‘special category data’ (e.g. about an individual’s race or ethnic origin, political opinions, religious or philosophical beliefs, genetics, health, sex life and sexual orientation) whether explicit or inferred, an additional legal basis is required under Article 9 of the GDPR (e.g. explicit consent).

Action – Once each party has identified its lawful bases for the targeting, the joint controller arrangement between social media providers and targeters should set out each purpose of processing and the corresponding legal basis relied on by each party. The Guidelines state that although the GDPR does not preclude joint controllers from using different legal bases, it is recommended to use the same basis for a particular targeting method and purpose where possible. Separately, each party should ensure it has carried out and documented an appropriate Legitimate Interests Assessment and/or has appropriate consent notices and mechanisms in place for the targeting where necessary.

Transparency and data subject rights

Issue – As targeters can use personal data which has been ‘observed’ or ‘inferred’ (e.g. through a user’s web browsing behaviour, purchase history or network connections), in addition to personal data actively provided or shared through social media sites, this may result in personal data being used in ways individuals would not reasonably expect. Further, where there is a lack of transparency about the exact personal data used in the targeting process and by whom, individuals cannot easily exercise control through data subject rights such as the right to access or erasure.

Action – Clear privacy notices should be put in place. It should be made clear to individuals what types of processing activities are carried out for the targeting and what this means for individuals in practice. The Guidelines provide that the mere use of the word ‘advertising’ is not enough to inform users that their activity is being monitored for the purposes of targeted advertising. Individuals should be informed if a profile will be built based on their online behaviour, and the types of personal data collected to build such profiles.

Further, an easy-to-use and efficient tool should be available for individuals to exercise their data subject rights at any time, in particular the rights of erasure, access and objection. The joint controller agreement can designate responsibility for responding to data subject requests, but it cannot exclude the possibility of the individual exercising their rights against each controller.

Data Protection Impact Assessment (DPIA)

Issue – Before initiating the envisaged targeting operations, both social media providers and targeters should assess whether the processing is ‘likely to result in a high risk’ and therefore requires a DPIA to be completed. Amongst other things, the parties should consider the nature of the product or service advertised and type of personal data used for the targeting, including whether sensitive data is used. For example, adverts for pharmaceutical products targeted on the basis of individuals’ known or perceived health conditions (e.g. through their search history) are more likely to result in a high risk to individuals than adverts for clothes targeted only at individuals who have recently visited the retailers’ website.

Action – Social media providers and targeters each need to assess whether a DPIA is necessary and decide whether one party or both will carry out the DPIA in practice (which should be reflected in the joint controller agreement). The DPIA must address the risks involved with the targeting and set out the security measures and mechanisms in place to mitigate the risks and protect personal data.

Comment

The Guidelines offer practical examples of different types of online targeting activities and provide more clarity around the necessity to put in place joint controller agreements between targeters and social media providers. What remains unclear, however, is how the relationships between the social media providers, targeters and ‘other actors’ (e.g. the SSPs, DSPs, DMPs etc.) should be governed. It also remains unclear whether the consent obtained to drop cookies would be sufficient in practice to cover the subsequent targeting activities, particularly where ‘explicit consent’ is needed under Article 9 GDPR to process special category data.

Organisations should review their social media targeting processing activities and consider any remediation actions that may be necessary to comply with the final version of the Guidelines. The Guidelines are open for public consultation until 19 October 2020. We will monitor progress and keep you informed of any new developments.