Facebook and ‘CA’ – not Cambridge Analytica, but Custom Audiences

Unless you have been living under a rock for the past few weeks, you will have noticed that Facebook’s business practices have been coming under the microscope of public scrutiny. It’s been well-known for a long time among the data protection and marketing communities that Facebook operates by harvesting, generating and acquiring large amounts of information about people, and that the purpose of this profile-building is to sell advertising opportunities and advantages to organisations that want to harness Facebook’s enormous reach to get their adverts in front of viewers. While the extent of this activity was limited in people’s perception, to being shown good deals on shoes or meals out, there was little concern about the wider threats on individual society and privacy that this capability might bring.

Now, however, many more people are becoming aware of the degree to which Facebook’s operating models may pose a risk to their privacy, and to wider social interactions. Between manipulative election advertising to fake news, to psychological experiments, to major security flaws; Facebook is suffering from a bit of a PR nightmare at the moment, and the knock-on effect to brands which are heavily-invested in their Facebook presence may be significant.

One common use of Facebook by charities and commercial organisations is the Audiences capability. This allows advertising to be targeted at specific individuals or groups of individuals who share certain characteristics.

Facebook Custom Audiences

How this works:

You upload your customer list – with names, email addresses, phone numbers and other personal details to Facebook’s Custom Audiences tool.

Facebook performs a ‘hashing’ operation on the data – this scrambles the individual data items so that the original data is obscured but is still unique

Facebook compares the hashed data to data it already holds, to see whether the contact details you have uploaded can be matched to individuals with Facebook accounts.

Your advertisements are shown to these Facebook users

Lookalike audiences

You can also set options to show your advertisements to ‘people like this’ – using categories that Facebook offer, you can select particular demographic or behavioural categories to target your advertisements at. This information is collected or generated by Facebook and made available to advertisers.

Data protection concerns.

Fairness: the lawful basis for uploading your supporter or customer data to Facebook is a matter for debate. Although Facebook state that they delete the hash matches after the targets for advertising are determined, there is no way to verify this. Additionally, there will be a record of which advertisements are delivered to which users and the source of the targeting request. This means therefore, that although Facebook may not retain the actual; data you uploaded to their site, they will have generated additional data based on your audience-targeting activity. Therefore, they cannot be said to be acting solely as a Data Processor as hashed data is still unique and identifying enough to be personal data – which is re-used by Facebook for their own purposes (i.e. to augment existing profiles or build ‘shadow profiles’ of people who do not have their own Facebook accounts).

This makes the uploading of audience data a disclosure of personal data to a third party Data Controller rather than use of a Data Processor. The relationship between your organisation and Facebook is likely to be that of Joint Controllers, with shared liability for data protection compliance. (It is worth noting that Data Controllership is established by the facts of the processing and cannot be reassigned or disclaimed through contracts or terms and conditions)

For individuals who already have a Facebook account, this may not be a significant privacy concern as it merely adds another datapoint to the profile that Facebook has already built about them.

However, where individuals do not already have a Facebook account, this disclosure becomes more significant from a privacy point of view as they may prefer to restrict the data that Facebook collects about them.

Lawful: the legal basis for disclosing audience data to Facebook could only be either legitimate interests or consent.

Consent would be the safest option, but asking for consent for this processing activity may undermine the effectiveness of such ‘stealth’ advertising tactics. If consent is withdrawn, the individual’s data must be excluded from any future uploads to Custom Audiences. The process of obtaining informed, freely-given, specific and unambiguous consent specifically for Custom Audiences processing is likely to add friction to the data collection activity. However, if valid consent is obtained then this at least should guarantee that there will be no surprises for your supporters about how their personal data is used.

Legitimate interests may be a difficult basis to justify, considering that there have been privacy and security concerns about how Facebook uses individuals’ data for many years. One requirement for being able to demonstrate a balance between the advertisers’ interests and those of the individuals whose data is used is that there be a high standard of transparency in regard to this processing. Privacy information and an opportunity to object to this processing must be given to the individuals whose data is affected, at the time that the data is collected.

The balance of the individuals’ rights and freedoms against the organisation’s interests in targeting advertising should be considered separately for individuals who do not already have a Facebook account (or who may have used a unique email address for their Facebook account to limit Facebook’s capacity for profiling them) as the impact to their privacy is much greater. However, there is no way to know which sets of contact data this applies to which may undermine the overall case for using legitimate interests.

If individuals object to their data being processed in this way, it is unlikely that the organisation’s interests would override those individual’s preference and rights in this case, so the data of anyone who does object to this processing would need to be excluded from future uploads.

The extent to which PECR applies to targeted advertising on social media is currently unclear, as the Regulations were written at a time when this capability did not yet exist. The PECR-reboot; the ePrivacy Regulation which is scheduled to come into law later this year does address targeted advertising based on profiling of individuals’s behaviour (rather than the cookies stored on their devices), making it likely that this type of advertising will require GDPR-standard consent to be lawful.

Action points:

  • Conduct (and document) a Legitimate Interests Assessment on the use of Facebook Custom Audiences, balancing the individuals’ rights and freedoms against the interests that the processing serves.
  • Or, put in place steps to obtain informed, freely-given, specific and unambiguous consent for this processing.
  • Ensure that privacy information on the use of Facebook Custom Audiences is clearly and promptly provided to individuals whose personal data will be used in this way.
  • Put in place a process for recognising and acting on objections to/refusal or withdrawal of consent for this processing of personal data