What does the GDPR mean for your Facebook Advertising?

By Loran Simon | Good Stuff

UK +44 (0) 203 745 5551
IRE +353 (0) 766 805 551
US +1 (650) 665-5551
SA +27 (0) 87 551 7851

May 22

GDPR is just around the corner and we’re sure you have been preparing for months.

Over the next few weeks, we’re going to stick to our proverbial onions and take a look at how the GDPR impacts Digital Marketing.

We know you have other considerations as Dentists with regard to the GDPR and if you are looking for great guidance on various aspects of the new regulations from confidentiality, data security, data protection policies to records management, you need look no further than the British Dental Association.

In the meantime, however, we will take each aspect of Digital Marketing in turn to look at how the GDPR impacts these channels and what, if anything, you need to consider and do.

This week, we’re going to focus on Social Media and in particular Facebook and Lead Ads.

As with all your marketing channels, under the GDPR you need to know whether your audience has provided you with appropriate consent to store and use their data. If you are advertising on social media, then the platforms are doing a lot of the heavy lifting, but there are still some very clear actions that you will need to follow in order to be fully GDPR compliant.

As an aside, we’re going to focus on Facebook (but know that Facebook also owns Instagram, WhatsApp and Messenger, so its provisions will be identical across these platforms).

Before we jump in, we need to recognise Facebook’s dual status as both a data controller (they handle personal data) and a data processor (they process personal data for other data controllers). What this means in reality is that when they are acting as a data controller - they’ve got it covered 100% but when they are acting as a data processor, there is a lot more onus on the businesses for whom they are processing data to ensure that the data they provide and/or collect is GDPR compliant.

In most instances, as a Facebook advertiser you are considered the data controller, and are responsible for how the data is collected, what it is being used for, and how long it is being retained for. Hence if you are not aware of your obligations and actively following them, then you might want to double check your provisions.

Don’t get caught out by Custom Audiences

We’re going to start with Custom Audiences. When you upload a ‘custom audience’, Facebook reverts to the role of data processor and you become the data controller, meaning you are now responsible for complying with the GDPR.

If you have created custom audiences in your Ads Manager based on information you uploaded from sources such as your customer database and you had not acquired explicit consent to market to these people on Facebook, you will have to delete their information from your Ads Manager.

What’s more, if you plan to use your customer data for retargeting purposes in Facebook, this must be made explicitly clear when consent is given and they must agree to it first.

In time Facebook will also have a nifty way of checking you have performed this obligation and is developing a Custom Audiences permission tool, so this is definitely worth considering now. The tool will require you to provide proof that you acquired consent although as yet, it’s not clear what that “proof” will be.

The Facebook Pixel - Should I be concerned?

Concerned no, aware yes. If you have the Facebook pixel on your website, you are considered the data controller and Facebook the data processor, which means you are responsible for getting consent to collect audience data.

For those of you already scratching your head and wondering what we are referring to - the pixel is code that you place on your website to help you track conversions from Facebook ads. Typically, it is used to help build targeted audiences for future ads, and remarket to qualified leads. Under the GDPR, if you want to use your customers’ data or track their behavior for advertising, you must obtain the legal basis to do so. That is, you have to obtain an explicit opt-in consent from your customers.

If you are using this widget then Facebook’s ‘Guide to Consent’ is a good place to start as it lists examples of instances where you might need to obtain consent from prospects such as:

  • Retail websites that collect data about the products people view for the purposes of ad targeting
  • Blogs that use cookies to collate aggregate demographic data about readers
  • Facebook advertisers who install the Facebook Pixel to measure ad conversions or retarget prospects on Facebook

Although it’s not great bedtime reading - Facebook’s Guide is really very helpful and if you are unsure about your obligations it's worth checking.

If you’re not the reading type, then acquiring consent isn’t actually as hard as it looks and worth doing if you’re allowing Facebook to track a user’s activity on your website.

Adding a consent message to your cookie bar that tells people on your site what, how, and why you track their data, and gaining their permission to do so, ensures you are covered.

Oh, and check you’ve included an opt-out button on-site for cookies. This is now considered profiling under the new regulation, so all users need to be informed in clear, transparent language and also be able to opt out.

How does the GDPR impact Lead Ads?

In the case of Lead Ads, both you and Facebook are data controllers. As you might expect, Facebook has it covered. It now gives people the chance to opt into targeted marketing, and have their data collected for ads. Users are asked explicitly to opt in to having themselves tracked, so that they can keep using Facebook, and are then advised to adapt their settings if they wish to limit that collection.

So what does this mean for you as advertisers on the site? As you are both data controllers, it means that when you run Lead Ads asking for personal data of users, you must be sure that you are also compliant.

Being compliant means being able to demonstrate:

  • how your data was collected,
  • what you'll be using the data for, including how you share data with third parties,
  • that each user has agreed to you having their data,
  • how long you'll hold their data for,
  • that users have had the chance to opt out, and
  • that users are able to access all the data you have on them if they want.

This isn’t as complex as it may sound. Facebook makes it pretty simple to link your Lead Ad to your privacy policy, which allows you to inform your users and collect consent in real time. As long as your privacy policy is easily accessible, and you’ve obtained active consent, you’re meeting your obligations alongside Facebook.

And just to be clear, inactivity doesn’t constitute consent. Customers have to take an action (i.e. pre-ticked boxes are not allowed).

What Are Your Next Steps?

We must start by saying we are not lawyers, so this very much constitutes our interpretation of the GDPR’s impact. But as you will have read, in most cases you need to be demonstrably and actively gaining consent to process people’s data, particularly if you are looking to track and remarket to them via Facebook.

Here are a few things we recommend:

  1. Ensure you have obtained explicit consent from anyone on your current marketing or customer database who has not previously given explicit consent.
  2. Inform everyone going forward that you’re collecting data and what you’re doing with it. Gaining consent at sign up is obviously one way, the cookie bar another.
  3. Give users the possibility of opting out of cookies, and the ability to withdraw their consent at any time.

If GDPR is giving you a headache and you want to be sure that you’re running compliant campaigns, then give us a call.

Not only will you not have to worry about whether or not you’ve swallowed Facebook’s guide to consent, because we’ve done it for you and have the indigestion to prove it, but we will almost certainly run much higher converting campaigns with a lower cost per new patient enquiry - so it's a win win.

I would like to invite you to schedule a 15-minute call with me. Just CLICK HERE TO SCHEDULE A CALL.

Ideas House, Station Estate, London, E181 RT,
United Kingdom


  • Copyright Somnowell Marketing Ltd 2017