The European Data Protection Board (the “EDPB”) has recently published for public consultation the Guidelines on the targeting of social media users (the “Guidelines”).
These Guidelines come as a result of the fact that mechanisms to target social media users have increased in sophistication over time and organizations now have the ability to target individuals on the basis of a wide range of criteria. As a general note, the EDPB states that such criteria may have been developed on the basis of (i) the personal data which users have actively provided or shared, (ii) the personal data which was observed or (iii) the personal data which was inferred.
As the targeting of social media users may involve a variety of different actors, the EDPB mainly analyzed the roles of the (i) social media providers (entities offering an online service that enables the development of networks and communities of users, among which information is shared), (ii) users (meaning those who are registered with the service and have an “account” or “profile”; non-registered users could, however, also be data subjects), (iii) targeters (those who use social media services in order to direct specific messages at a set of social media users based on specific parameters or criteria) and (iv) other actors which may be involved in the targeting process (such as marketing service providers, data management providers, data analytics companies, data brokers etc.).
The Guidelines seek to clarify the distribution of responsibilities between targeters and social media providers, considering also the CJEU case-law, as we briefly mention below.
1. Targeting individuals on the basis of provided data
1.1 Data provided by the user to the social media provider
As per the Guidelines, the joint control among the targeter and the social media provider only extends to those processing operations for which they effectively co-determine the purposes and means. It extends to the processing of personal data resulting from the selection of the relevant targeting criteria and the display of the advertisement to the target audience. It also covers the processing of personal data undertaken by the social media provider in order to report to the targeter about the results of a targeting campaign.
EDPB notes that even if the targeter only specifies the parameters of its intended audience and does not have access to the personal data of the users involved (such access being limited to the social media provider), it will still be considered a joint-controller.
As regards the legal basis for targeting social media users, the EDPB states that there are two legal bases which could theoretically justify the processing that supports the targeting, namely (i) the data subject’s consent or (ii) legitimate interest.
With respect to legitimate interest, it is still considered that it would be difficult for controllers to justify using legitimate interests as a legal basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.
1.2 Data provided by the user to the targeter
For this scenario the EDPB provides two examples, both involving a bank that intends to target an individual by using his e-mail address from the bank’s customer e-mail database. For this purpose, the bank allows the social media provider to “match” the bank’s list of e-mail addresses with those from the provider’s platform, in order to target the individuals concerned with the full range of financial services on the social media platform.
- In the first case, the individual, in his capacity as the bank’s client, provided the bank with an e-mail address and was informed by the bank, at the moment of collection, that: (a) his e-mail address would be used for advertising of offers linked to the bank services that he is already using; and (b) he may object to this processing at any time.
- In the other case, after providing the e-mail address, the individual decided not to become a client of the bank and he has not been provided with information such as that mentioned above.
In both examples, EDPB concludes that the bank acts as the sole controller regarding the initial collection of the e-mail address. The joint control of the bank and the social media provider begins with the transmission of the personal data and includes the collection by the social media provider and the processing for the purpose of displaying targeted advertising (and until the deletion of the data).
As regards the legal basis for targeting, EDPB states that only in the first case the bank, in its capacity of targeter, might be able to rely on legitimate interest to justify the processing, taking into account also that the individual was informed of the fact that his e-mail address may be used for advertising via social media and the advertisement relates to services similar to those for which the individual is already a client.
2. Targeting on the basis of observed data
In this case, the EDPB provides the following example: an individual who is browsing online in order to purchase a backpack on website Z decides not to make a purchase. The operator of website Z wishes to target social media users who have visited its website without making a purchase. For this, it integrates a so-called “tracking pixel” on its website, which is made available by the social media provider. After leaving website Z and logging into his social media account, the individual begins to see advertisements for the backpacks he was considering when browsing website Z.
According to the Guidelines, in the aforementioned case joint controllership exists in relation to the collection of personal data and its transmission by way of pixels, as well as in relation to the matching and subsequent display of the advertisement to the individual on the social platform, and for any reporting relating to the targeting campaign.
With respect to the legal basis, the EDPB considers that legitimate interest is not the appropriate legal basis when the targeting relies on the monitoring of individuals’ behavior across websites and locations using tracking technologies, but that consent should be more appropriate.
3. Targeting on the basis of inferred data
The EDPB explains the concept of “inferred data” as the data which is created by the controller on the basis of the data provided by the data subject. The inferences about data subjects can be made both by the social media provider and the targeter.
For this scenario, EDPB mentions the following example: an individual likes photos posted by the art gallery X by an impressionist painter on his social media page. Museum Z is looking to attract individuals who are interested in impressionist paintings for its upcoming exhibition. In this respect, Museum Z uses the following targeting criteria offered by the social media provider: “interested in impressionism”, gender, age and place of residence. Thus, the user subsequently receives targeted advertisement by Museum Z related to the upcoming exhibition of Museum Z on his social media page.
In this case, the EDPB notes that joint controllership exists between Museum Z and the social media provider for the purpose of the targeted advertising, taking into account the collection of these data via the “like” functionality on the social media platform, and the “analysis” undertaken by the social media provider in order to offer the targeting criterion (i.e. “interested in impressionism”) to the targeter.
In the example provided, EDPB mentions consent as the applicable legal basis.
In addition to the above, we mention several other important highlights from the EDPB Guidelines:
- the mere use of the word “advertising” would not be enough to inform the users that their activity is being monitored for the purpose of targeted advertising, but they should also be informed if a profile is built;
- the targeter is not directly responsible for providing the information relating to any further processing which is carried out by the social media platform that does not fall under the scope of joint controllership;
- a data protection impact assessment might be necessary in some cases, depending on the nature of the product or service advertised;
- although the GDPR does not preclude joint controllers from using different legal bases for the different processing operations they carry out, it is recommended to use, whenever possible, the same legal basis for a particular targeting tool and for a particular purpose.
The Guidelines are open for public consultation until 19 October 2020.