Companies Use Facebook Custom Audiences At Their Own Risk

If you’re consulting on Ad Tech, you had better know how it works!

The Bayerische Landesamt für Datenschutzaufsicht (BayLDA) recently examined how 40 companies use Facebook Custom Audience (FCA). As a result, the BayLDA has issued a press release indicating how FCA should be implemented. The press release distinguishes between two FCA implementations: 1) Customer List Upload and 2) Facebook Pixel/Tag.

1) Customer List Upload
In this implementation, a company uploads a list of its own customers to Facebook (Facebook then decides whom to serve ads to). Despite any hashing, the upload represents a transfer of personal information to Facebook (since the hashes are unique and are used by Facebook to identify a user). Therefore, consent of the user is required before uploading his/her information to Facebook. If a user withdraws consent, that person must be removed from previously uploaded lists on Facebook (i.e., the full Customer List must be updated immediately).

2) Facebook Pixel/Tag
In this implementation, a company allows Facebook to track users by dropping Facebook owned and operated tag(s) on the company’s website(s). Since this allows Facebook to directly collect personal information (even of non-Facebook users), consent is required. As part of that consent, a company must notify a user that Facebook will collect and process his/her data, including:
— what data will be collected/transferred
— how data is collected (e.g., via pixel/tag)
— how the data will be used (e.g., to serve targeted ads via FCA)
— that the user will be tracked across websites
The company must also provide an opt-out mechanism, and notify users of its availability.

The BayLDA recommends the opt-out mechanism be persistent (e.g., use HTML5 storage rather than quickly expiring cookies), and prevent data from being sent to Facebook (e.g., prevent the pixel/tag from firing). Industry standard opt-outs (e.g., ) are insufficient, since they do not prevent the transfer of data. Referring users to is also insufficient, since (i) the settings only stop ad targeting, not the transfer of data, and (ii) the settings are only available to Facebook users.
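The persistent, tag-blocking opt-out the BayLDA describes, as an added example in plain browser JavaScript (not code from the post, the BayLDA or Facebook): the storage key, the 'granted'/'withdrawn' values and the loader wiring are my assumptions. Storage is injected, so the same logic runs against window.localStorage in a browser or against an in-memory stand-in here under Node. The difference from an opt-out that merely sets a flag is that the tag script is never requested unless the gate passes, so no data reaches the third party.

```javascript
// Added example, not code from the blog post or from the BayLDA release.
// A persistent opt-out that gates a third-party tag: the tag script is only
// inserted into the page when the user has granted consent and has not since
// withdrawn it. Storage is injected so the logic can run in a browser
// (window.localStorage) or here, under Node, with an in-memory stand-in.

const CONSENT_KEY = 'thirdparty_tag_consent'; // hypothetical storage key

// Minimal stand-in for window.localStorage (constructed for offline use).
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Record the user's decision. Both outcomes are stored explicitly in
// HTML5 storage, which outlives a short-lived cookie, so a withdrawal is
// still honoured on the next visit.
function recordConsent(storage, granted) {
  storage.setItem(CONSENT_KEY, granted ? 'granted' : 'withdrawn');
}

// Tracking is allowed only on an explicit, still-valid grant. No stored
// decision means no consent, which means no tag.
function trackingAllowed(storage) {
  return storage.getItem(CONSENT_KEY) === 'granted';
}

// Gate: call this instead of embedding the tag snippet directly. The loader
// is only invoked when allowed, so no request to the third party is made
// otherwise. Returns 'loaded' or 'blocked' so callers can log the outcome.
function loadTagIfAllowed(storage, loadTag) {
  if (!trackingAllowed(storage)) return 'blocked';
  loadTag();
  return 'loaded';
}

// Browser-side loader (assumption: the tag is an external script at tagUrl).
// Defined for completeness; not executed here because Node has no document.
function makeScriptLoader(tagUrl) {
  return () => {
    const s = document.createElement('script');
    s.async = true;
    s.src = tagUrl;
    document.head.appendChild(s);
  };
}

// Walk-through with the in-memory storage: no decision, grant, withdrawal.
function demo() {
  const storage = memoryStorage();
  let requests = 0;
  const fakeLoader = () => { requests += 1; };
  const outcomes = [];
  outcomes.push(loadTagIfAllowed(storage, fakeLoader)); // no decision -> blocked
  recordConsent(storage, true);
  outcomes.push(loadTagIfAllowed(storage, fakeLoader)); // granted -> loaded
  recordConsent(storage, false); // user opts out
  outcomes.push(loadTagIfAllowed(storage, fakeLoader)); // withdrawn -> blocked
  return { outcomes, requests };
}
```

In a page this would be `loadTagIfAllowed(window.localStorage, makeScriptLoader(tagUrl))`, run in place of the vendor snippet and before anything else that could request the script. Note that the gate must own the insertion of the script element: if the tag is already in the markup, the request has been made by the time any flag is read, which is the failure mode the release attributes to the industry-standard opt-outs.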

Finally, the BayLDA warned companies that if they are using FCA in violation of the law, the company using FCA – and not Facebook – will be subject to enforcement and penalties.
jbho: The BayLDA noted that most companies they audited failed to inform (or sufficiently inform) users of their use of Facebook pixels/tags, and did not offer an opt-out of the pixels/tags. The BayLDA felt this could be done simply by “programming a few lines of javascript code with little effort,” but has not yet provided guidance.

This is a tough one, as the focus is largely theoretical. Managing and updating customer lists is possible, but what indicates a revocation of consent? Closing an account? Are there other flags that must be managed? And updating customer lists in real time can be challenging as well. It would be more realistic to honor opt-outs in batches, with a reasonable time frame to prepare and sanitize lists.

With respect to pixels/tags, this could be much more difficult to manage, as there is more to it than a couple of lines of code in a tag. It certainly would be helpful if browser makers could implement features allowing users to pick and choose which cookies/pixels/tags they wish to allow (as was proposed in the initial draft of the ePrivacy regulation?). Looks like it might be time to do a deep dive on tag manager solutions, and see how these might be used to help meet the (lofty) requirements here.

Overall, as I’ve reiterated elsewhere, enforcers know the technology. If you’re tasked with ensuring compliance, you need to know it too, especially if you need to demonstrate the limits of the technology and the inherent conflict between what is being asked and what is technically possible.

Technical ignorance is no longer an excuse. Per Thomas Kranig, President of the Bayerische Landesamt für Datenschutzaufsicht (BayLDA), “Companies that do not know how such advertising tools actually work, can not properly inform their users. If you can not do this, you must not use such tools.”

Don’t just take my word for it. Here’s another reason to know your Ad Tech:

UPDATE: 20Nov2018 – the BayLDA’s opinion was upheld in a suit brought in the regional court in Bayreuth. The court agreed that a (mutually) hashed email is personal information, and that consent is needed to share it with Facebook. A press release summarizes the initial opinion of the BayLDA, along with a link to how users can manage their Custom Audience settings.

If you can’t read German, here’s how to get there:

[Image: FCA - VG Bayern - decision - how to get there]

I found this to be particularly interesting, as I never knew this setting existed. I followed the instructions provided in the link, and found I am part of A LOT of different audiences. I expanded to over 1000 entries, and ultimately had to give up.

[Image: FCA - VG Bayern - decision - when I follow link]

Perhaps most concerning, I’ve only ever interacted with about 20 of those 1000 (2%), and I NEVER interacted with ANY OF THEM on Facebook. And I certainly NEVER gave any of these 20 the email address associated with my Facebook account! How in the world did these people find me?

Try it yourself and see what you think.
