On September 7, 2020, the European Data Protection Board (the “EDPB”) published Guidelines on the Targeting of Social Media Users (the “Social Media Guidelines”) for consultation. Consultation is open until 19 October 2020. The Social Media Guidelines are extensive and contain a lot of important commentary intended to clarify the roles and responsibilities of social media platform providers and advertisers using social media targeting services (‘targeters’). The types of activity that the Social Media Guidelines intend to capture is the communication of specific messages to users of social media in order to advance commercial, political, or other interests. The Social Media Guidelines make the point that mechanisms used to target social media users are increasingly sophisticated and individuals may not be aware of the process being carried out to ensure the delivery of a specific message to specific individuals.
We will follow up with an article which looks at the content of the Social Media Guidelines more in depth, but for now the key points to note are the following:
- The EDPB seems to have three main concerns:
- Risks to rights and freedoms of individuals posed by this type of targeting activity, including the lack of transparency about the different actors involved in the targeting activities and the extent of the profiling activities being carried out, undermining an individual’s ability to exercise control over their personal data. Given the detailed targeting criteria, extensive quantity and variety of personal data being used to target individuals, there is also the risk of possibility of discrimination and exclusion.
- Lack of clarity on the roles and responsibilities of social media platforms and targeters.
- Significant amounts of special category data are potentially being processed in the context of social media and targeting, and not always with a lawful basis. In particular, the EDPB looks at a legal basis that is commonly relied on – manifestly made public by the data subject - and notes that a combination of elements may need to be considered to demonstrate that an individual has clearly manifested its intention to make such data public. A case by case assessment will need to be made, and it cannot just be assumed.
- Targeters and social media platforms will in the majority of cases be considered joint controllers. This is a big shift for social media platforms, who typically position themselves as data processors for most types of targeting activity. This means social media terms will need to be reviewed in light of Article 26 Please see our passle here on what an Article 26 joint controller arrangement should look like.
- Increased need for transparency. The EDPB recalls that the mere use of the word “advertising” is not enough to inform the users that their activity is being monitored for the purpose of targeted advertising. It should be made transparent to individuals what types of processing activities are carried out and what this means for the data subject in practice.
- Targeters and platforms need to carefully consider the most appropriate legal basis. Notably the EDPB does not go as far as the ICO seemingly does in its own draft direct marketing guidance (where it states that consent for social media retargeting is likely to be the most appropriate lawful basis, as it does not see how the three-part legitimate interest test can be satisfied). Instead, the EDPB makes it clear that if the targeter is seeking to rely on legitimate interest, it should, for its part, make it easy for individuals to express a prior objection to its use of social media for targeting purposes. It also states that insofar as the targeter does not have any direct interaction with the data subject, the targeter should at least ensure that the social media platform provides the data subject with means to efficiently object. The EDPB does however re – emphasise the ICO’s view that legitimate interest would not be an appropriate legal basis for certain processing activities, such as intrusive profiling and tracking practices for marketing or advertising purposes, which would require collection of users’ consent.
The Social Media Guidelines are likely to significantly change the ways in which individuals experience advertisements on social media and how advertisers use social media for targeted advertising. It will also have an impact on how parties contract where using these platforms. In most instances, advertisers currently sign up to the social media platform’s standard terms, without concerning themselves too much with any obligation they may have in relation to the personal data. The EDPB even acknowledges the ‘take it or leave it’ conditions that targeters may be confronted with are not an excuse for non-compliance. Going forwards social media platforms will need to do some work to readjust their terms to avoid long negotiations with targeters.
All in all, it may become less of a social ‘faux pas’ to actually consider the privacy implications of social media targeting.
'The main aim of the Guidelines is to clarify the roles and responsibilities of the social media provider and the targeted individual.’