How GDPR Affects Facebook Advertising

Are you a website owner and wondering how GDPR affects Facebook advertising? How does GDPR affect the Facebook pixel, custom audiences, and lookalike audiences?

In this post, I will dive deeper into what marketers should be doing to comply with GDPR and the EU Regulations.

First, Consult Your Lawyer

I’m not a lawyer and this post should not be used as legal advice. I have done a lot of research and consulted my own lawyer.

Also note that many things are evolving almost minute by minute with these regulations. I will update this article with any major changes but many things are shifting as this unfolds.

Does GDPR Affect Me?

Short answer – Yes.

Even if you don’t do business in the EU, your website may use cookies and people from the EU can navigate there.

Even if you are a local company, people could opt in to your newsletter from the EU.

At the very minimum, you should:

  1. Update your Privacy Policy (not a bad thing to review anyway)
  2. Review your opt-in form design so that it tells people what they are opting into and includes a check box to confirm consent.
  3. Make sure your email lists are all gathered with consent (for example, no uploading all your LinkedIn contacts, or every person you’ve met at a conference). If they aren’t, delete those lists (they are against CAN-SPAM anyway).

This post isn’t meant to be an exhaustive list of all the changes you need to implement – just a highlight of some of the major issues and then a deeper dive into how GDPR affects Facebook advertising.

What are the risks of non-compliance?

There is a lot of fear-mongering over the big fines mentioned for GDPR violations, but the likelihood that a small company outside the EU will run into legal issues is very small. Not out of the question, though.


Facebook Pixel and GDPR

Facebook has a lot of resources available for learning more about their approach to GDPR but here is what they say about using the Facebook Pixel:

When you use the Facebook pixel, you have to comply with the GDPR. Our terms provide that companies implementing our tools must comply with applicable laws when they use our tools. For companies operating in the EU, this includes having a valid legal basis to process data and under laws applying to cookies, obtaining prior informed consent for the storing of and access to cookies or other information on a person’s device.

The biggest issue that comes into play with the Facebook Pixel is who is the “Data Controller” and who is the “Data Processor”. The Article 4 GDPR definitions are officially:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Then there are also “Joint Controllers” which add a little to the confusion.

Facebook has said that for the “majority of their services, they operate as the Data Controller” but are the Data Processor in the case of Data File Custom Audiences.

I think a gray area is whether we have the ability to control the data that is gathered by the Facebook pixel. While the Facebook pixel is installed on our websites, we cannot remove people who remove their consent from marketing.

That has to be done through the Facebook platform so that makes Facebook the Data Controller in that case.

We do have control over getting consent in the first place through a “cookie banner” that displays for first-time visitors and lets people check whether they agree or do not agree to cookies.

BUT the challenge is that the pixel fires and tracks immediately when someone lands on the website, unless you disable it until the person has opted in.

And if you are using remarketing and not disabling the pixel until you get consent, you will be showing ads to people who have “opted out” of cookies on your site.

Facebook has just implemented a solution for developers that delays the pixel firing until you get consent:

This solution involves some coding and is a little more advanced. There are plugin solutions (that I will cover later).

There are many differing opinions on whether you can just cover this in a privacy policy and tell people where they can opt out of Facebook Ads.

Facebook’s Cookie Consent section says this:

Decide what action a user must take to consent. These are a few popular ways that websites and apps do this:

  • Navigating beyond a banner or notice

  • Dismissing a banner or notice

  • Clicking on an “I agree” button

You’ll need to communicate to users that by taking this sort of action, they are consenting. The EU regulator’s cookie guidance contains useful advice on how to do this.

Offering Choice

There are many ways to provide choice to users. Here are some options:

  • Provide your own opt-out that disables advertising-related uses of data collected from cookies

  • If you use third-party plugins or pixels, link to the third parties’ privacy policies or consent mechanisms

  • Point users to browser or device controls that may block cookies or limit ad tracking

  • Use an industry resource that provides cookie choices, like the tools provided by the DAA, DAAC & EDAA

Not all of these or other options will suit your needs. Again, what works for you depends on the specifics of your website/app, what countries it is accessible from, and how you use cookies or other storage technology.

These examples feel a little murky to me.

I want a cookie banner that delays the Facebook pixel firing until approval only in EU countries but remains active for the rest of the world. I have not found a perfect solution for that (but you can see what I’m choosing to do later in this post).
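One way to build the EU-only consent gate that the pixel-firing discussion above calls for, as an added example that is not code from this post or from Facebook: `sendToPixel` stands in for the real `fbq` call, the visitor's ISO country code is assumed to come from your own geolocation source, and the country list is an assumption reflecting EU membership at the time of the post (2018). Events raised before consent are held in memory and nothing is sent until the visitor agrees; rest-of-world visitors are not gated.

```javascript
// Consent gate for the Facebook pixel: added illustration, not code from the post or from Facebook.
// `sendToPixel` stands in for the real fbq() call (assumption); the visitor's ISO country code is
// assumed to come from your own geolocation source. Events raised before consent are held in
// memory (nothing leaves the device), flushed on grant and discarded on revoke.

// EU member states at the time of the post (2018); assumption, extend for EEA etc. as needed.
const EU_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE',
  'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'GB',
]);

// Consent is required for EU visitors and, failing closed, whenever the country is unknown.
function consentRequired(countryCode) {
  if (!countryCode) return true;
  return EU_COUNTRIES.has(String(countryCode).toUpperCase());
}

function createPixelGate({ countryCode, hasConsent = false, sendToPixel, maxQueued = 20 }) {
  // Rest-of-world visitors are treated as consented, so the pixel stays active for them.
  let consented = hasConsent || !consentRequired(countryCode);
  const queue = [];
  let sentCount = 0;
  const dispatch = (call) => { sentCount += 1; sendToPixel(...call); };

  return {
    // Equivalent of fbq('track', event, params): fires now, or is held until consent.
    track(event, params = {}) {
      const call = ['track', event, params];
      if (consented) { dispatch(call); return 'sent'; }
      if (queue.length < maxQueued) queue.push(call);
      return 'queued';
    },
    // Visitor clicked "I agree": release everything held while the banner was showing.
    grantConsent() {
      consented = true;
      while (queue.length) dispatch(queue.shift());
      return sentCount;
    },
    // Visitor declined or withdrew consent: drop held events and stop firing.
    revokeConsent() {
      consented = false;
      queue.length = 0;
    },
    state() { return { consented, queued: queue.length, sent: sentCount }; },
  };
}
```

Wire `grantConsent` to the banner's agree button and `revokeConsent` to its decline button; the `PageView` raised on load is then only transmitted once an EU visitor has agreed.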