On 7 September 2020, the European Data Protection Board (“EDPB”) published its guidelines on targeting social media users (“Guidelines”).
The main takeaways are:
The Guidelines were open to public consultation until 19 October.
The Guidelines build on recent case law of the Court of Justice of the European Union (“CJEU”) and aim to clarify the roles and responsibilities of social media providers and targeters. The Guidelines:
The EDPB considers that targeting may pose significant risks to individuals; targeting could involve using data in ways that individuals do not reasonably anticipate, resulting in lack of control and lack of transparency. Combining the user’s data on the social media platform with data from various third-party sources is given as an example. Targeting which uses criteria related – directly or indirectly – to protected characteristics (such as race, health status or sexual orientation), for example, to target job offers, housing or credit, may reduce the visibility of opportunities to certain groups of individuals and lead to discrimination and exclusion.
Use of data collected outside the social media platform (such as browsing data and offline data) in order to target users can make individuals feel that they are systematically monitored, and this can affect their freedom of expression and access to information.
Another risk factor is the increasing concentration in the social media market: this can result in the concentration of large and diverse datasets that can be used for more advanced targeting, and can thus have an effect from both a data protection and a competition law perspective.
The main actors in the social media targeting context are: users, social media providers, targeters, other adtech actors and data brokers. The Guidelines focus on social media providers and targeters only; they do not cover other parties (such as ad-tech companies), and the EDPB mentions only in passing that analogous considerations may apply depending on their role.
Users are the individuals who have an account or profile on a social media platform. Whether users use their real name in their account is not relevant, as targeting mainly relies on other identifiers or on interests and behaviours. The EDPB recognises that social media may also be available (with limited functionality) to non-registered individuals, who will also be considered data subjects as long as they are identifiable.
Social media providers offer online platforms that enable creating networks and communities of users, among which information and content is shared. This covers not only “traditional” social media platforms, but also includes data sharing platforms, video sharing platforms or computer games which allow playing with other users, exchanging information or sharing experiences within the game. Social media providers have the opportunity to gather large amounts of data within their platform about individuals’ behaviour and interactions and get insights into individuals’ socio-demographic characteristics, interests and preferences; they also increasingly enrich that data with data from other online and offline sources.
Targeters are individuals or businesses that use social media services to direct their specific messages at a group of social media users selected on the basis of specific parameters or criteria. Brands, political parties, charities and non-profit organisations that use social media to show targeted messages to a specific audience based on perceived characteristics, interests or preferences are covered by the term “targeters” under the Guidelines.
In examining the role and responsibilities of social media providers and targeters, the EDPB relies heavily on recent CJEU case law:
The EDPB describes different targeting mechanisms, depending on whether the targeting is based on provided, observed or inferred data and examines the roles of the parties and the relevant legal bases in different scenarios.
Following CJEU case law, the EDPB finds that in the scenarios it examines both social media providers and targeters participate in determining the purposes and means of processing; therefore, it treats their relationship as joint controllership. From EDPB’s analysis, it appears that joint controllership will be the rule and it will be difficult for targeters and social media platforms to deviate from this.
When joint control applies, both parties must be able to demonstrate the existence of a legal basis. Unsurprisingly, the EDPB takes the view that the legal bases likely to apply (depending on the circumstances) in the targeting context are consent (Art. 6(1)(a) GDPR) and legitimate interests (Art. 6(1)(f) GDPR). The Guidelines state that contractual necessity would not apply in social media targeting scenarios.
The EDPB reiterates the conditions for legitimate interests to apply: (i) the existence of a legitimate interest pursued by the controller or a third party, (ii) necessity (and considering whether less invasive means are available), and (iii) proportionality (assessing whether the legitimate interest is overridden by the individual’s fundamental rights and freedoms). This balancing exercise should consider the purposes of targeting, the level of detail of the targeting criteria, the type and combination of the targeting criteria and the sensitivity, volume and source of data used to develop the targeting criteria. In addition, individuals should be given the opportunity to object, before the processing is initiated: this should include the possibility to object to targeting advertising when accessing the platform, but also controls to ensure that users’ data is not processed for targeting after they have objected.
Consent is a more appropriate legal basis when it comes to more intrusive profiling and tracking for advertising purposes, for example, tracking across multiple websites, locations, devices, services or data brokering. The EDPB reiterates the high standard for valid consent under the GDPR and points out that even if consent is obtained, this would not legitimise any targeting that is disproportionate or unfair.
The EDPB points out that consent needs to be obtained prior to the processing and explains that the question of which of the joint controllers will be in charge of collecting consent comes down to determining which of them interacts first with the data subject. Where multiple joint controllers wish to rely on consent, all of them need to be named. If, for example, a social media provider seeks consent for using social media plugins and the joint controller is not known at the point of collecting consent, this will need to be complemented by further information and consent collected by the website operator acting as joint controller.
The EDPB emphasises that the collection of consent by a website operator does not negate or diminish the obligation of the social media provider to ensure that the individual has provided valid consent for the joint activity as well as for any subsequent or further processing which the website operator does not control.
Standard targeting: A shoe company wants to show its advertisements to a targeted audience with specific characteristics (e.g. age, gender, relationship status). The social media provider offers criteria for targeting audiences, based on information its users provide, displays the ads to the targeted audience and shares with the targeter statistical information after the ads are displayed.
Role: Joint controllership exists in relation to processing resulting from the selection of targeting criteria, display of advertising and ad reporting. Access to the personal data by the targeter is not a prerequisite for joint responsibility.
The parties jointly determine the purpose: displaying specific ads to the target audience; and the means resulting in targeting: the targeter selects to use the social media provider’s targeting service, defines the criteria for targeting and designates the categories of data subjects whilst the social media provider determines the categories of data processed, the targeting criteria offered, and who has access to personal data as part of a targeting campaign (essential means of processing).
The joint control does not extend to processing at other stages, before the selection of targeting criteria or after the targeting and reporting has been completed.
Legal basis: Legitimate interests or consent, depending on the circumstances.
The targeter’s legitimate interest could be its economic interest to increased publicity of its goods through social media targeting. The social media provider’s legitimate interest could be to make the social media service profitable by selling advertising space. Reliance on legitimate interests would also require assessment of necessity and proportionality (as described above).
Examples 2 & 3: Analysis
Standard Custom Audience with prospects’ data: A bank provides the email address of a prospective customer to a social network so the social network can match this with its users’ email addresses, in order to target the individual on the social media platform.
Standard Custom Audience with customers’ data: The bank provides to the social media network the email address of an existing customer who has been informed that his email address would be used for marketing of the bank’s services and that he may object to this processing at any time.
Role: Joint controllership exists in relation to processing for which the social media network and the bank jointly determine the purposes and means of processing, i.e. sharing the email address, matching, selection of targeting criteria, display of advertising and ad reporting. The reasoning is similar to that under Example 1.
The bank is the sole controller for the initial collection of the email address as the social media network does not participate in determining the purposes and means of this activity; likewise, the social network is the sole controller of any subsequent processing after the completion of targeting and ad reporting, for which the advertiser does not determine the purposes and means.
Legal basis: For the prospect’s targeting, consent will be required: legitimate interests are not an appropriate basis here, as the prospect does not have a reasonable expectation that her data will be used for re-targeting.
For the customer’s targeting, it is possible to rely on legitimate interests, provided that the customer was informed that his email would be used for marketing services linked to those provided to him and was given the opportunity to object at the point of data collection.
Examples 4 & 5: Analysis
Pixel based targeting: an online retailer places a pixel on its website so it can re-target on social media website visitors who have not made a purchase.
Role: The retailer and social media provider are joint controllers in respect of the collection of personal data and transmission through pixels to the social media provider, in addition to the matching and subsequent display of advertising, and ad reporting.
According to the EDPB, reflecting CJEU’s judgment in Fashion ID, “by embedding the pixel into its website, [the retailer] exerts a decisive influence over the means of processing”.
Legal basis: Because the use of pixels is subject to cookie rules, consent will be required under the ePrivacy directive.
Consent is likely to be the appropriate legal basis also for the subsequent processing of personal data collected through the pixels.
Geolocation based targeting: a social media network, via its app, collects GPS data from its users on an ongoing basis, which the social media network uses to help advertisers better target advertising.
A pizzeria uses this geo-targeting functionality to target individuals who are within a 1km radius of its restaurant for the first time in the last 6 months.
Role: Joint controllership exists between the pizzeria and the social media platform in relation to the collection of the user’s location, as well as the display of the advertisement.
This is because the pizzeria exercises a decisive influence over the processing by defining the parameters of the ad targeting and the geofence, and the social media network collects the information (via GPS) for the purpose of enabling its advertiser clients (such as the pizzeria) to carry out such targeting.
Legal basis: Same as in example 4 above.
Examples 7 & 8: Analysis
Social media “likes”: A museum with an upcoming exhibition of impressionists’ paintings wants to advertise the exhibition on social media. It targets social media users who “like” posts of impressionist paintings and events, and also uses criteria such as age, gender and place of residency.
Role: Joint controllership exists between the museum and the social media provider for the targeted advertising: this includes the collection of the data via the “like” button on the social media network, the analysis undertaken by the social media network to offer the targeted advertising within the parameters specified by the museum and the display of the advertisement.
Legal basis: Targeting on the basis of inferred data typically involves profiling. The EDPB considers that cookie rules will apply here (insofar as the ad display requires a read/write operation to match the user’s “likes” to information previously held by the social media provider about that user).
Data inferred on social media platforms to build audiences: A user indicates on his social media page that he is interested in sports and betting. He has downloaded an app to get the latest sporting results and sets a sports website as his homepage. The social media provider tracks the user across his various devices and based on this information, and his activity on the social network, it infers that the user is interested in sport and betting in addition to inferring income bracket.
A betting company uses the social media network’s advertiser tools to target its services to the user.
Role: Joint controllership exists between the betting company and the social media network in relation to the selection of the targeting criteria, the subsequent display of the advertisement and ad reporting.
Legal basis: Profiling and automated decision making that has a legal/similarly significant effect (Art. 22 GDPR) will be relevant here. The EDPB takes the view that in this scenario Art. 22 GDPR may apply (targeting financially vulnerable persons that are interested in betting which has the potential to significantly and adversely affect their financial situation), thus requiring explicit consent. The EDPB advises controllers to make this assessment on a case by case basis, with reference to the specific facts of the targeting.
Besides obtaining consent, the EDPB reiterates controllers’ obligations to ensure that the processing meets the GDPR principles of fairness, necessity, proportionality and data quality.
Transparency: Social media providers and targeters need to provide clear and meaningful information to individuals: a mere reference to “advertising” would not be sufficient to explain that individuals’ activity is monitored for targeted advertising purposes. Individuals need to be informed on the processing activities, whether a profile is built based on their online behaviour and the types of data used for such profile.
Joint controllers may agree that one of them is tasked with providing all relevant information to individuals (with the assistance of the other joint controller so as to ensure the information is complete), especially where one of them interacts with the individuals prior to the processing.
The EDPB clarifies that controllers are not directly responsible for providing information on further processing which does not fall within the scope of the joint controllership: it is the responsibility of the controller who carries out the further processing to provide information as well as to ensure the compatibility of such further processing, even if the parties agree that one of them provides this information on behalf of the other.
Right of access: Individuals must be able to easily exercise data subject rights, including their right of access. The EDPB suggests that controllers implement a mechanism for individuals to check their profile, including the sources used to develop it, the identity of the targeter, the targeting criteria used and all other information set out in Art. 15 GDPR, including the recipients or categories of recipients of their personal data. The EDPB considers that remote access to a secure system through which the individual can access their data is the most “appropriate measure” to satisfy the right of access. The social media provider and the targeter may designate a single point of contact for individuals but this does not preclude individuals exercising their rights in respect of and against each of them. Hence, they both need to ensure that a suitable mechanism is in place for individuals to get access to their data in a user-friendly manner.
DPIA: The Guidelines remind social media providers and targeters that they need to assess whether a Data Protection Impact Assessment (DPIA) is required, taking into account the criteria set out in the EDPB’s guidelines on DPIAs as well as the DPIA lists issued by national supervisory authorities. The EDPB points out that the risks to individuals, and therefore the need to carry out a DPIA, depend on the nature of the product or service advertised, the content of the message or the way the advert is delivered (e.g. targeting of vulnerable individuals), the purposes of the advertising campaign and its intrusiveness, as well as whether the targeting involves processing of observed, inferred or derived data.
Both controllers are responsible for assessing whether a DPIA is required and if so, for carrying out one. The DPIA should cover the entire processing carried out by both controllers; however, the joint controllers may agree for one of them to be tasked with completing the DPIA. For example, this could be the party with the higher degree of control and knowledge of the targeting process, in particular the back-end of the deployed system, or the means of processing.
If special categories of personal data are processed in the context of targeting, then along with a legal basis under Art. 6 GDPR, a condition under Art. 9(2) GDPR also needs to be established: the most relevant conditions in this context are (i) explicit consent and (ii) data manifestly made public by the data subject.
Data manifestly made public by the data subject: the EDPB clarifies that there must be a high threshold for this condition to apply. A case-by-case assessment will be needed, taking into account the following criteria:
The EDPB distinguishes between explicit and inferred/combined special categories of personal data. Assumptions or inferences regarding special category data would also constitute special category data. If the social media platform or the targeter categorise users as having certain religious, philosophical or political beliefs based on observed data, then this categorisation will constitute special category data, even if it is inaccurate.
Joint control arrangement: The GDPR requires joint controllers to determine their respective data protection responsibilities in an arrangement. The EDPB clarifies that the joint control arrangement between targeters and social media providers should encompass all joint activities, and each party should provide to the other sufficient information to allow it to comply with its GDPR obligations. The EDPB further suggests that the joint arrangement should reflect the purposes of processing and the corresponding legal basis: although the parties are not legally required to use the same legal basis, the EDPB recommends doing so, to allow individuals to easily exercise their rights. Finally, the parties need to include specific information in their arrangement on how they will fulfil their GDPR obligations in practice: failing to do so would be in breach of the accountability principle.
Level of responsibility: the EDPB observes that the targeting may be subject to “take it or leave it” joint control arrangements; however, this cannot serve to exempt either party from its GDPR obligations and both parties are bound to ensure that the allocation of responsibilities in the arrangement duly reflects their respective roles and relationships vis-à-vis the data subjects.
The EDPB further points out that the degree of the responsibility of the targeter and the social media provider in relation to specific obligations may vary. Quoting the Wirtschaftsakademie case, the EDPB notes that joint responsibility does not necessarily imply equal responsibility of the parties; their level of responsibility must be assessed on their actual role in the processing, including their ability to influence the processing on a practical level and the actual or constructive knowledge of each joint controller. Ultimately, supervisory authorities may exercise their powers in relation to either joint controller, as long as such joint controller is subject to the authority’s competence.
For further analysis on the concept of joint controller, see our article on EDPB’s guidelines on the concept of controller and processor, available here.
C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (“Wirtschaftsakademie”); C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (“Fashion ID”); C-25/17 Jehovan todistajat (“Jehovah Witnesses”).