Companies Use Facebook Custom Audiences At Their Own Risk

If you’re consulting on Ad Tech, you better know how it works!

The Bayerische Landesamt für Datenschutzaufsicht (BayLDA) recently examined how 40 companies use Facebook Custom Audience (FCA). As a result, the BayLDA has issued a press release indicating how FCA should be implemented. The press release distinguishes between two FCA implementations: 1) Customer List Upload and 2) Facebook Pixel/Tag.

1) Customer List Upload
In this implementation, a company uploads a list of its own customers to Facebook, and Facebook then decides who is served ads. Despite any hashing, the upload represents a transfer of personal information to Facebook, since the hashes are unique and Facebook uses them to identify a user. Therefore, consent of the user is required before uploading his/her information to Facebook. If a user withdraws consent, that person must be removed from lists previously uploaded to Facebook (i.e., the full Customer List must be updated immediately).

2) Facebook Pixel/Tag
In this implementation, a company allows Facebook to track users by dropping Facebook-owned and -operated tag(s) on the company’s website(s). Since this allows Facebook to directly collect personal information (even of non-Facebook users), consent is required. As part of that consent, a company must notify a user that Facebook will collect and process his/her data, including:
— what data will be collected/transferred
— how data is collected (e.g., via pixel/tag)
— how the data will be used (e.g., to serve targeted ads via FCA)
— that the user will be tracked across websites
The company must also provide an opt-out mechanism, and notify users of its availability.

The BayLDA recommends that the opt-out mechanism be persistent (e.g., use HTML5 storage rather than quickly expiring cookies) and prevent data from being sent to Facebook (e.g., prevent the pixel/tag from firing). Industry standard opt-outs (e.g., youronlinechoices.eu, optout.aboutads.info) are insufficient, since they do not prevent the transfer of data. Referring users to http://www.facebook.com/settings is also insufficient, since (i) the settings only stop ad targeting, not the transfer of data, and (ii) the settings are only available to Facebook users.
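The opt-out described above (persistent, and stopping the tag from firing at all rather than only stopping ad targeting) can be sketched as a small consent gate. This is an added example, not code from the BayLDA press release or from Facebook; the storage key, the function names and the tag URL are assumptions.

```javascript
// Added example: gate a third-party tracking tag behind a stored user choice.
const CHOICE_KEY = 'fca_tracking_choice'; // hypothetical HTML5 storage key

// storage: object with getItem/setItem (e.g. window.localStorage).
// loadPixel: callback that injects the vendor's tag.
function createPixelGate(storage, loadPixel) {
  let loaded = false;

  // 'granted', 'denied', null (no choice yet) or undefined (storage unusable).
  function readChoice() {
    try { return storage.getItem(CHOICE_KEY); } catch (e) { return undefined; }
  }

  function writeChoice(value) {
    try { storage.setItem(CHOICE_KEY, value); return true; } catch (e) { return false; }
  }

  // Fail closed: the tag is injected only on an explicit, stored 'granted'.
  // No choice, an opt-out, or unreadable storage all mean no request is sent.
  function loadIfAllowed() {
    if (loaded || readChoice() !== 'granted') return false;
    loadPixel();
    loaded = true;
    return true;
  }

  return {
    loadIfAllowed,
    grantConsent() { const ok = writeChoice('granted'); if (ok) loadIfAllowed(); return ok; },
    // Stored without expiry, so it survives cookie clean-up and later visits.
    // A tag already injected on this page cannot be unloaded; the opt-out
    // applies from the next page load onward.
    optOut() { return writeChoice('denied'); },
    status() { return readChoice() ?? 'unset'; }
  };
}

// Browser wiring (skipped outside a browser). The tag URL is a placeholder.
if (typeof window !== 'undefined') {
  let store = { getItem() { throw new Error('storage blocked'); }, setItem() { throw new Error('storage blocked'); } };
  try { store = window.localStorage; } catch (e) { /* keep the failing stub: gate stays closed */ }
  window.pixelGate = createPixelGate(store, () => {
    const s = document.createElement('script');
    s.async = true;
    s.src = 'https://tags.example/pixel.js'; // placeholder for the vendor tag
    document.head.appendChild(s);
  });
  window.pixelGate.loadIfAllowed();
}
```

The consent notice and opt-out link on the page would call `pixelGate.grantConsent()` and `pixelGate.optOut()`; the tag itself must not appear anywhere else in the page markup or in a tag manager rule that bypasses the gate.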

Finally, the BayLDA warned companies that if they are using FCA in violation of the law, the company using FCA – and not Facebook – will be subject to enforcement and penalties.
https://www.lda.bayern.de/media/pm2017_07.pdf
jbho: The BayLDA noted that most companies they audited failed to inform (or sufficiently inform) users of their use of Facebook pixels/tags, and did not offer an opt-out of the pixels/tags. The BayLDA felt this could be done simply by “programming a few lines of javascript code with little effort,” but as yet has not provided guidance.

This is a tough one, as the focus is largely theoretical. Managing and updating customer lists is possible, but what indicates a revocation of consent? Closing an account? Are there other flags that must be managed? And updating customer lists in real-time can be challenging as well. It would be more realistic to honor opt-outs in batches, with a reasonable time frame to prepare and sanitize lists.

With respect to pixels/tags, this could be much more difficult to manage, as there is more to it than a couple lines of code in a tag. It certainly would be helpful if browser makers could implement features allowing users to pick and choose which cookies/pixels/tags they wish to allow (as was proposed in the initial draft of the ePrivacy regulation?). Looks like it might be time to do a deep dive on tag manager solutions, and see how these might be used to help meet the (lofty) requirements here.

Overall, as I’ve reiterated elsewhere, enforcers know the technology. If you’re tasked with ensuring compliance, you need to know it too. Especially if you need to demonstrate the limits of technology, and the inherent conflict between what is being asked, and what is technically possible.

Technical ignorance is no longer an excuse. Per Thomas Kranig, Präsident of the Bayerische Landesamt für Datenschutzaufsicht (BayLDA), “Companies that do not know how such advertising tools actually work, can not properly inform their users. If you can not do this, you must not use such tools.”

Don’t just take my word for it. Here’s another reason to know your Ad Tech:
http://sethgodin.typepad.com/seths_blog/2017/10/technical-skills-power-and-influence.html
