Are you a website owner and wondering how GDPR affects Facebook advertising? How does GDPR affect the Facebook pixel, custom audiences, and lookalike audiences?
In this post, I will dive deeper into what marketers should be doing to comply with GDPR and the EU Regulations.
First, Consult Your Lawyer
I’m not a lawyer and this post should not be used as legal advice. I have done a lot of research and consulted my own lawyer.
Also note that many things are evolving almost minute by minute with these regulations. I will update this article with any major changes but many things are shifting as this unfolds.
Does GDPR Affect Me?
Short answer – Yes.
Even if you don’t do business in the EU, your website may use cookies and people from the EU can navigate there.
Even if you are a local company, people could opt in to your newsletter from the EU.
At the very minimum, you should:
- Update your Privacy Policy (not a bad thing to review anyway)
- Review your optin form design to inform people what they are opting into as well as a check box to ensure consent.
- Make sure your email lists are all gathered with consent (for example, no uploading all your LinkedIn contacts, or every person you’ve met at a conference). If they aren’t, delete those lists (they are against CAN-SPAM anyway).
This post isn’t meant to be an exhaustive list of all the changes you need to implement – just a highlight of some of the major issues and then a deeper dive into how GDPR affects Facebook advertising.
What are the risks of non-compliance?
There is a lot of fear-mongering over the big fines they are mentioning with GDPR violations but the probability that a small company outside the EU will run into legal issues is probably very small. But not out of the question.
Facebook Pixel and GDPR
Facebook has a lot of resources available for learning more about their approach to GDPR but here is what they say about using the Facebook Pixel:
When you use the Facebook pixel, you have to comply with the GDPR. Our terms provide that companies implementing our tools must comply with applicable laws when they use our tools. For companies operating in the EU, this includes having a valid legal basis to process data and under laws applying to cookies, obtaining prior informed consent for the storing of and access to cookies or other information on a person’s device.
The biggest issue that comes into play with the Facebook Pixel is who is the “Data Controller” and who is the “Data Processor”. The Article 4 GDPR Definitions are officially:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Then there are also “Joint Controllers” which add a little to the confusion.
Facebook has said that for the “majority of their services, they operate as the Data Controller” but are the Data Processor in the case of Data File Custom Audiences.
I think a gray area is whether we have the ability to control the data that is gathered by the Facebook pixel. While the Facebook pixel is installed on our websites, we cannot remove people who remove their consent from marketing.
That has to be done through the Facebook platform so that makes Facebook the Data Controller in that case.
We do have control over getting consent in the first place through a “cookie banner” displays for first time visitors and allows people to check that they agree to cookies or don’t agree to cookies.
BUT the challenge is that the pixel fires and tracks immediately when someone lands on the website unless you disable it first until the person has opted in.
And if you are using remarketing and not disabling the pixel until you get consent, you will be showing ads to people who have “opted out” of cookies on your site.
Facebook has just implemented a solution to delay the pixel firing until you get consent for developers: https://developers.facebook.com/docs/facebook-pixel/events-advanced-use-cases/v3.0#gdpr-update
This solution involves some coding and is little more advanced. There are plugin solutions (that I will cover later).
There are many differing opinions on whether you can just cover this in a privacy policy and tell people where they can opt out of Facebook Ads.
Facebook’s Cookie Consent section says this:
Getting Consent
Decide what action a user must take to consent. These are a few popular ways that websites and apps do this:
Navigating beyond a banner or notice Dismissing a banner or notice Clicking on an “I agree” buttonYou’ll need to communicate to users that by taking this sort of action, they are consenting. The EU regulator’s cookie guidance contains useful advice on how to do this.
Offering Choice
There are many ways to provide choice to users. Here are some options:
Provide your own opt-out that disables advertising-related uses of data collected from cookies If you use third-party plugins or pixels, link to the third parties’ privacy policies or consent mechanisms Point users to browser or device controls that may block cookies or limit ad trackingNot all of these or other options will suit your needs. Again, what works for you depends on the specifics of your website/app, what countries it is accessible from, and how you use cookies or other storage technology.
These examples feel a little murky to me.
I want a cookie banner that delays the Facebook pixel firing until approval only in EU countries but remains active for the rest of the world. I have not found a perfect solution for that (but you can see what I’m choosing to do later in this post).
Facebook Custom Audiences and GDPR
When you are using uploaded email lists or contact information into a Facebook Custom Audience, you are definitely the Data Controller at that point and need to make sure your contact information allows marketing.
If you have gathered emails or Custom Audiences from places like:
- LinkedIn Contacts (downloaded without consent from LinkedIn)
- Email addresses from business cards (loaded into your email system without consent)
- Purchase or scraped lists (gathered without consent)
- Shared Pixel information from other parties (without consent from the users)
Then you need to delete those Custom Audiences from Facebook and not market to them.
If you have uploaded email lists that have prior consent, then you can use them.
Another issue with Custom Audiences is that you have to keep your Custom Audience updated when people opt out.
So that means either using a tool to dynamically sync them (some providers have that capability) or you need to re-upload a new email list each time you advertise on Facebook.
You can technically manually edit your uploaded Custom Audiences but that’s a lot of manual labor IMO.
Facebook Lookalike Audiences and GDPR
Facebook Lookalike audiences are NOT affected by GDPR because they use a “seed” audience of one of your custom audiences and find all new people to put into the Lookalike Audience.
So the people who are in your current audience are not in the new Lookalike Audience and thus you do not need their permission to market to them.
Privacy Policy Update
You do need to update your Privacy Policy and state that you use cookies. Something like:
We use first-party and third-party cookies to compile aggregate data about site traffic and site interaction so we can optimize our website and create a better user experience for you.
There’s much more that needs to go into your privacy policy to comply with GDPR, this is just specific to the Facebook Pixel. Again, consult you lawyer to craft your specific Privacy Policy.
Also note that a link to your Privacy Policy needs to appear on all pages of your website and any page where you have an email optin. So if you are driving Facebook ad traffic to a lead magnet, make sure that page has a cookie consent banner, an email optin form that complies with GDPR, and a link to your privacy policy.
What I am doing with my Cookie Consent Banner
Since I haven’t found the perfect solution, I’m working with a free cookie consent banner solution that will allow you to request consent for people who are in the EU countries.
I’ve looked at many many cookie banner solutions, some free and some paid and I may make adjustments as more information and better technology comes to light.
Which Cookie Banner I am testing – Cookie Notice by dFactory.
I’m also using another plugin that specifically works with only this plugin to show the Cookie Consent Banner to only the countries that are affected by GDPR – Category Country Aware WordPress.
There are more instructions about this solution here:
http://wptest.means.us.com/european-cookie-law-bar/
Here is how you show your Cookie Consent Banner to only EU Countries for GDPR:
- Install the Cookie Notice WordPress plugin and configure the the Message, and the Refuse button.
- Install the Category Country Aware WordPress plugin and make sure you have the countries set to the EU.
You can test that the banner works by temporarily adding in your own country code and then removing it after you have verified that it’s working.
The country codes that you need to add into the Category Country Aware Plugin are: EU,AT,BE,BG,HR,CY,CZ,DK,EE,FI,FR,DE,GR,HU,IS,IE,IT,LV,LI,LT,LU,MT,NL,NO,PL,PT,RO,SK,SI,ES,SE,GB
Also note that you can use Script blocking with the Cookie Notice WordPress plugin BUT if you use the Country Aware plugin, then the people outside the EU will never get the “opportunity” for consent and so the Facebook pixel will not load. As of this writing, I’m not adding the Pixel script blocking but I will look for a better solution or more clarification on the regulations.
Cookie Notice GDPR Configuration
Category Country Aware WordPress Plugin Configuration
Make Progress towards GDPR Compliance
As you probably know, there are a lot of opinions out there and this will take some time to sort through and become more concrete. From what I’ve heard, as long as you are making efforts towards compliance and continuing to get better, you will not get in trouble. Larger companies have to be working harder with their legal teams and smaller companies are probably not at as big a risk of lawsuits. But definitely DO NOT ignore this!
Feel free to let me know what you have found in the comments below but again, I’m not a lawyer and the advice in this blog and in the comments should also be vetted by your legal team for your business.
Official Resources for GDPR
Facebook’s information on GDPR: https://www.facebook.com/business/gdpr
Facebook’s FAQs on GDPR: https://www.facebook.com/business/gdpr#faqs
Cookie Consent Guide for Facebook: https://developers.facebook.com/docs/privacy
Facebook’s terms: https://www.facebook.com/legal/terms/businesstools
European Commission’s overall outline about Data Protection: http://ec.europa.eu/justice/smedataprotect/index_en.htm
European Commissions information about Cookies: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm
European Commissions Guidelines on Consent: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051
ICO’s guidelines on Cookies: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/
Good Resources and articles on GDPR
Kinsta post about GDPR for WordPress users: https://kinsta.com/blog/gdpr-compliance/
Aweber’s 6 Myths about GDPR and Email Marketing although I think the Myth #2 screenshot example is not good because the optin isn’t telling people that they will receive additional information (if you are sending them more than the 20 videos).
Social Media Examiner’s article about How GDPR Impacts Marketers.
Amy Porterfield’s Podcast on GDPR: http://www.amyporterfield.com/2018/04/gdpr/
Suzanne Dibble’s Facebook Group for Online Entrepreneurs: https://www.facebook.com/groups/GDPRforonlineentrepreneurs/
Article from https://www.linkedin.com/pulse/regulatory-pitfalls-facebook-pixel-jeroen-schouten/