EU social media targeting guidelines – call for feedback
Who are the key actors in the targeting of social media users, and what can they learn from the EU's new social media targeting guidelines?
The key takeaway
The Social Media Targeting Guidelines (the Guidelines) offer guidance on the targeting of social media users - in particular, it seeks to clarify the roles and responsibilities of “targeters” (eg advertisers utilising social media) and social media providers under the EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). The Guidelines have been submitted for public consultation. Social media platforms and adtech businesses are amongst those who have been invited to submit views to the European Data Protection Board (EDPB), with the deadline for responses being 19 October 2020.
As part of their business model, many social media providers offer targeting services. Targeting services make it possible for natural or legal persons (targeters) to communicate specific messages to the users of social media in order to advance commercial, political, or other interests. Targeters may use targeting criteria based on personal data which a social media user will have actively provided or shared. Alternatively, targeters may use targeting criteria based on personal data which has been observed or inferred, either by the social media provider or third parties. This personal data is often aggregated by the platform or by other actors (eg data brokers) to support ad-targeting options.
On 7 September 2020, the EDPB launched a public consultation on the Guidelines. Taking into account the case law of the CJEU (the judgments Wirtschaftsakademie and Fashion ID), as well as the provisions of the GDPR regarding joint controllers and accountability, the Guidelines offer guidance on targeting of social media users, in particular the responsibilities of targeters and social media providers. Where joint responsibility exists, the guidelines seek to clarify what the distribution of responsibilities might look like between targeters and social media providers on the basis of practical examples.
The Guidelines aim to provide the following:
- to clarify the roles and responsibilities among the social media provider and the targeter (including the lawful basis on which they can rely to process users’ data)
- to identify the potential risks for the rights and freedoms of individuals
- to identify the other main actors and their roles
- to clarify the application of key data protection requirements (such as lawfulness and transparency, DPIAs, etc), and
- to identify the key elements of arrangements between social media providers and the targeters
Why is this important?
The mechanisms that can be used to target social media users, as well as the underlying processing activities that enable targeting, may pose significant risks to the freedom and rights of individuals. This is particularly the case given that the sophisticated processes involved in the delivery of targeted ads may not be within a user’s reasonable expectations. The EDPB has sought to provide clarity on the roles and responsibilities of the different types of actors involved in the process of targeting social media users (accompanied with useful examples) and guidance around their compliance with some key tenets of GDPR. In particular, targeters and social media providers should be aware that:
1. Joint Controllership: Following on from the Fashion ID case, the EDPB are clear that targeters and social media providers will, in most cases, be joint controllers
2. Enhanced transparency: In line with the ICO’s Draft Direct Marketing Code, the EDPB highlights the importance of clearly informing users how their activity is being monitored for the purpose of targeted advertising. Using the word “advertising” is not enough
3. Lawful basis: the EDPB stresses that: (i) when acting as joint controllers, both parties must be able to demonstrate a lawful basis for their processing; (ii) the most appropriate lawful bases are consent and legitimate interests; and (ii) consent is required for intrusive profiling and tracking for advertising purposes
4. Special Category Data (SCD): the EDPB are clear that assumptions or inferences drawn from data (which isn’t SCD on its own) can constitute SCD
Any practical tips?
The Guidelines are aimed at the four groups of actors involved in the targeting of social media users: social media providers; their users; targeters and other actors which may be involved in the targeting process.
If your company falls within one of the identified groups, you should review the Guidelines to determine your role and responsibilities – both generally and under the identified targeting mechanisms. This will be especially important if you are a social media provider or a targeter. In particular, it’s likely that your organisation should consider whether:
- your targeting related data terms adequately capture Article 26 of the GDPR
- you can continue to rely on the same lawful basis going forward for advertising related processing activities
- you are processing SCD in light of the guidance and, if so, which Article 9 condition you are able to establish.
Remember that any comments on the Social Media Targeting Guidelines must be submitted to the EDPB via an online form by 19 October 2020.