It’s exactly one month before new GDPR compliancy laws kick in and we’ve already given you a bit of insight as to how GDPR will affect your business and what you can do to get GDPR compliant in time.

But in an ever-changing digital world, it’s important to delve a little deeper into how your digital advertising is affected by GDPR.

Here we’ll specifically look at Facebook advertising, because unless you’ve been living under a rock for the last month or two, Facebook has had a pretty woeful time in terms of data handling recently. Facebook is also a slightly different beast in that it is both a data controller and a data processor. But of course, GDPR legislation affects any other digital advertising partner you may use, such as Google or Bing.

The TL;DR of this is that as an advertiser or owner of a Facebook advertising account, you need to be doing exactly what Facebook is doing, ensuring a relevant legal basis for the use of customer data. And you’re solely responsible for ensuring GDPR compliance when you are the data controller, so no trying to blame Facebook if you’re not ready in time for May 25th!

Now let’s get into the good stuff…

Existing Customer Data

As many advertisers do, you’ve probably uploaded a customer list into Facebook Ads to better target your ads and make them more relevant to your customer base. If you have done this, GDPR requires that data is only held for as long as is necessary for the purposes that it was collected for, and that data subjects are informed of the retention period.

So, if you have a data list in your Facebook Ads account that don’t meet GDPR requirements, i.e. you have no traceability of consent, and/or the list is no longer relevant for advertising use, these need to go before May 25th.

Moving forward, it’s necessary that you have a clear legal basis for collecting the data and make sure the users of the data you’re collecting are aware how long you’ll hold that data for.

Facebook is also in the process of creating a Custom Audiences Permissions Tool that will require user consent confirmation.

Facebook Pixel

If you have a website or app linked to your Facebook Advertising, you probably use cookies to offer a better ad experience to your customers, and in many situations, you’re already required to obtain consent from users before using these technologies – even before GDPR.

Not much about this needs to change. If you’re using Facebook Pixel, you have GDPR obligations, and Facebook lists the following as instances in which you’ll need to obtain user consent:

• “A retail website that uses cookies to collect information about the products people view on the site in order to target ads to people based on their activity on the site
• A blog that uses an analytics provider who uses cookies to capture aggregate demographic info about its readers
• A news media website that uses a third-party ad server to display ads, when the third party uses cookies to collect information about who views those ads
• A Facebook advertiser who installs the Facebook or Atlas pixel on its website in order to measure ad conversions or retarget advertisements on Facebook”

Acquiring consent is fairly simple. You’ll just need to inform site users how and why you’re tracking their data. The easiest way to do this is through a cookie bar that you see on a growing number of websites today.

Third Parties

Both Instagram and Whatsapp are in the Facebook family and so fall under the same GDPR compliancy terms as Facebook. Instagram adverts created through the Facebook ads programme won’t require any extra work. No worries there!

At Cornerstone we have a dedicated digital and GDPR team that can help you navigate the data handling minefield, so you don’t end up Zuckerberg-ed.

Feel free to give us a ring for a conversation about GDPR and your digital advertising.

By Jess Buckley

Cornerstone DM