With Europe’s General Data Protection Regulation taking effect May 25, Facebook must alter some of its business practices regardless of any fallout due to the Cambridge Analytica debacle.
The Cambridge Analytica revelations merely behoove Facebook to move faster and fix things in light of macro privacy changes hitting the EU.
The most recent example is a tool Facebook is developing for advertisers to prove they have consent before uploading email addresses through Custom Audiences. Facebook confirmed to TechCrunch that this is in the works.
GDPR’s scope extends to any company collecting or processing an EU citizen’s data.
Here’s how Facebook is laying the groundwork for GDPR compliance with less than two months to go until the deadline.
Controller or processor?
When Facebook has the first-party relationship, it is the controller, meaning it decides what, how and why the data is being collected. In those cases, Facebook also bears the responsibility to provide a transparent privacy notice and establish a legal basis for processing, such as consent.
Facebook is a controller for any data that EU users share about themselves on Facebook, any data generated when users interact with Facebook and the data Facebook gets when a site or an app uses Facebook’s pixel or integrates its software development kit.
What’s perhaps more relevant for advertisers, however, are the instances in which Facebook claims processor status, which include when working with brands that use Custom Audiences or Facebook’s measurement and analytics tools.
Much like a martech provider à la Salesforce or Marketo, Facebook leaves it to its clients to obtain consent for any data they upload to the system.
Using Custom Audiences, advertisers can match their email list against Facebook’s database to find and target their existing customers on the platform.
But Facebook has no easy way to guarantee that the data being uploaded to Custom Audiences was rightfully collected. If the Cambridge Analytica episode revealed anything, it was how little control Facebook has over data once it leaves its walled garden.
In order to guard against the opposite problem – unauthorized data being piped into its platform – Facebook reportedly is working on a certification tool to ensure advertisers only upload email addresses collected in the proper way.
GDPR makes it illegal for any business to use an EU citizen’s data without consent or some other legal basis.
Advertisers will also no longer be allowed to share Custom Audiences created on Facebook between business accounts. Under GDPR, controllers are required to get “unambiguous” consent for each purpose they plan to use the data for. Opting in to share an email address with one business doesn’t imply consent to be contacted by another.
It’s unclear how Facebook’s certification tool will work – and it doesn’t absolve Facebook of responsibility in the case of a breach or improper collection – but requiring advertisers to guarantee that user data was gathered with consent at least demonstrates to regulators that Facebook is making an effort on both sides of the Atlantic.
Measurement and analytics
Facebook is also a processor when it provides analytics on its platform, such as campaign measurement and reporting on reach and performance.
For its part, Google also classifies itself as a processor for users of tools like Google Analytics, DoubleClick Bid Manager and Ads Data Hub.
In late March, Facebook announced updates to its privacy tools that give users more control over their data on the platform, including the ability to access, manage and delete all the information Facebook has on them from a single place.
Sheryl Sandberg first announced these changes were on the way in January, speaking at a Facebook event in Brussels.
A new feature in Facebook’s privacy hub will provide a way for users to see all their information, including posts, reactions, comments and search history. They’ll be able to remove anything from their profile or timeline that they no longer want to exist on Facebook and be able to more easily download their personal data and port it to another service – all of which are requirements under GDPR.
Third-party data partnerships
Not everything Facebook is doing to shore up its privacy shortcomings is explicitly GDPR-related.
Last week, Facebook announced a plan to phase out third-party data for ad targeting on its platform through partners such as Experian, Acxiom and Oracle. Facebook confirmed to AdExchanger that the move was triggered by the Cambridge Analytica fallout.
But discontinuing access to third-party data has a GDPR halo effect. GDPR raises the bar on permission. Businesses that use third-party data are required to have a legal basis for doing so, just as they are for first-party data.
By distancing itself from targeting data it hasn’t collected itself, Facebook kills three birds with one stone: appearing to react with alacrity to the Cambridge Analytica scandal, culling possibly unpermitted targeting data from its platform in advance of GDPR and encouraging advertisers to use Facebook’s own targeting tools, including Custom Audiences.
Although some data brokers will feel the burn from this change – Acxiom has said the removal of partner categories will hurt its 2019 revenue – the fact is life won’t change very much for any advertiser with its own direct consumer relationship and CRM files that it can upload to Facebook.
It’s also status quo, at least for the moment, for third-party measurement through Facebook’s marketing measurement partner ecosystem. Facebook has said it’s “working with” its measurement partners and FMPs to ensure compliance, but that it expects “the vast majority of our partnerships will continue uninterrupted.”