You’re a marketer. You use Facebook ads to grow your business. You’ve also likely heard of the General Data Protection Regulation (GDPR), and are probably freaking out about how it’ll affect you, your business… and your Facebook Ads account.
Rightly so, because with the recent hearings it’s likely that Facebook will enforce advertisers to follow the new privacy law as well.
But what exactly is the GDPR, and who does it affect?
More importantly… What can you as a Facebook advertiser do to ensure that you’re GDPR-compliant?
First Things First: What Is the GDPR and to Whom Does It Apply?
The GDPR is a piece of legislation brought into effect for the strengthening and unification of data protection laws for everyone residing within the European Union.
This means that the GDPR applies to all organizations within the European Union that process personal data, as well as any other organization in the world that processes the personal data of people within the European Union.
Storing, managing, or analyzing personal data of any sort likely means that the GDPR affects your organization.
How does this affect you as a Facebook advertiser? There’s quite a bit we need to consider, which we’ll be diving into in this article..
Given recent events and hearings, Facebook has been paying plenty of attention to privacy issues, and it’s only natural that they would expect all their advertisers to follow suit.
So listen up, because this is important!
Disclaimer: This Isn’t Legal Advice.
First thing’s first though: This isn’t meant to be any sort of legal advice. This blog post is based on opinion and should be taken as such. If you’re looking for legal counsel, seek it elsewhere. This post is made for educational purposes only, to make sure you’re informed about what you absolutely need to do to be GDPR-compliant.
Main Implications of GDPR
If you have anyone from the European Union in your database–maybe they signed up for your email list, or they visited your site and you tracked them that way–then they have certain rights under the GDPR.
These rights are as follows:
The Right to Be Informed – People protected under GDPR have the right to be told how their data is to be used. Anything that happens to the data must be disclosed to them.
The Right to Object – Under GDPR, people must explicitly give consent before any data is to be used. They have the right to object to the use of their data, and consent can be withdrawn as easily as it is given.
The Right to Data Portability – If anyone under GDPR needs to see the information that an organization has on them, it must be presented to them. They must always have the option to see their data.
The Right to Rectification – Any information on people protected by GDPR must be able to be edited when it is required by the person in question. Any edits to information must be carried out when requested.
The Right to Be Forgotten – Lastly, information on people protected by GDPR must also be deleted when required by said people. There are some exceptions to this, like laws that require data to be kept in the case of accounting and bookkeeping, but generally speaking, if someone requests the deletion of their information, it should be done.
These are the rights that EU citizens have under GDPR. Given these rights, there are 5 things that you, as a Facebook advertiser, must do to become GDPR-compliant.
5 Things Every Facebook Advertiser Must Do to Become GDPR-Compliant
In the case of you or your company using the Facebook pixel, that has to be disclosed as well, so don’t skip over it.
2. Use a Cookie Notification Bar When Using the Facebook Pixel
You should display a prominent message when a page loads for the first time, informing your users what actions they can take to consent to your using of cookies.
Here’s a guide by Facebook on cookies, consent, and more. You should definitely give it a read. 🙂
In case you’re looking for a tool to use to show a cookie consent notification, look no further, this one is free, and we’re using it ourselves, too.
3. Ensure Explicit Consent from Everyone Included in Your Custom Audiences
As a Facebook advertiser, you might be using custom audiences.
Custom audiences are audiences taken from an uploaded list of email addresses for the purpose of running ads to those people, or creating lookalike audiences from them.
There are two main ways to create custom audiences: You could upload your list manually– go through an entire spreadsheet and export your emails into it and upload it into Facebook that way. I don’t recommend this though.
Or you can automate it (recommended).
That’s why we use ConnectAudience. It synchronizes your email autoresponder into a Facebook custom audience. This will keep your custom audiences updated every single day from whatever segment you’ve set up. You can select your whole email list, or even just people who have a certain tag, or people who have opened a certain email, or clicked on a certain link…
This ensures that your custom audiences are always up-to-date!
Now, because of GDPR, you cannot use your email list to create custom audiences without the explicit consent given to you by those people.
So here’s the cool thing.
Let’s say you were going to ask for consent at an opt-in page… You add a checkbox on the page that allows your customers to give consent for their emails to be used for your purposes.
Once someone checked that, you can add a “tag” to that contact on your autoresponders’ email list. This way, you’ll know who has given consent and who hasn’t.
From there, you can set it up from within ConnectAudience to include everyone on your list who has that consent tag. Whenever ConnectAudience sees an email with that tag, it gets added to your custom audience automatically.
This means that everyone in your custom audience is someone who has explicitly given their consent to be there!
4. Remove People from Your Custom Audiences When They Remove Consent
The next point is in line with the last one. Remember when I said consent should be withdrawn as easily as it is given?
What happens when people unsubscribe from your email list? They’re literally removing their consent– they’re saying “I no longer want to be included in this.”
So the problem lies where marketers don’t remove people from their custom audiences who have unsubscribed from their email list.
5. Don’t Share Personal Data with Tools That Aren’t GDPR-Compliant
If you are collecting any sort of personal data, and you run it through a platform or system that isn’t GDPR-compliant, then you aren’t GDPR-compliant either.
You would be the data controller in this case, which makes you responsible for the data that passes through all the tools you use.
You want to make sure that all the tools you’re using are GDPR-compliant. Ideally, you would also have a data processing agreement (DPA) between you and the platforms you use to make sure that you are on terms that you both understand and consent to, in accordance to the GDPR law.
What’s really important here is understanding how privacy and the laws surrounding it can really affect your business. It’s so important to pay close attention to this right now, because this could prove to be a big issue with Facebook and its advertisers.
So make sure that you’re doing all you can to be GDPR-compliant. The five things I’ve listed are a great way to get the ball rolling.