While most focus is on Facebook’s travails in Washington, the real threat for Facebook looms in Europe. The General Data Protection Regulation kicks in May 25, and it is poised to change how Facebook targets ads.
If anything, the level of public scrutiny on Facebook, thanks to the Cambridge Analytica scandal, has solidified that fact and put the kibosh on questions about whether Facebook will sail unhampered through GDPR compliance. Facebook will no longer be able to process news feed posts for ad-targeting purposes, unless those posts are marked “public” or “friends of friends” because they tend to include what the GDPR defines as “special categories of data,” according to sources. Ethnicity, religious beliefs, political affiliation and sexual orientation are the kinds of data defined as special categories.
“This means that although Facebook is sitting on top of a trove of personal data, it will have to start offering a form of ad targeting that does not process these data points, unless it can get explicit consent,” said Johnny Ryan, head of ecosystem for ad tech firm PageFair. “In the wake of the Cambridge Analytica issue, it is unlikely that people will volunteer this consent.”
Facebook will release an update this morning on how it will address the special categories point, specifically covering how it will ask Facebook users to make choices about information on their profile.
The social platform is in the challenging position of being classified as both a data controller and a data processor under the GDPR. For certain tools like Facebook’s Lead Ads, which allow advertisers to collect information from users directly from mobile ads on Facebook, both Facebook and the businesses that use that tool are data controllers, meaning both parties are responsible for ensuring compliance. Whenever Facebook matches an advertiser’s customer-relationship management data to its user database to create a custom audience for a campaign, Facebook is classified as a data processor. For Audience Network, by contrast, Facebook is the data controller and therefore shoulders the corresponding responsibilities to data subjects, such as access, so it will need consent to continue operating Audience Network.
Some publishers have long complained that getting consent from users will be easy for Facebook due to its massive pot of logged-in users. This has led publishers, particularly in Germany, to criticize European regulators for having inadvertently handed more advantage to the Facebook-Google duopoly via the GDPR and the draft ePrivacy Regulation.
But obtaining that consent may have just become harder for Facebook, thanks to the heightened awareness around how political consulting firm Cambridge Analytica amassed data about more than 50 million Facebook users without their consent.
“We’ll continue to hear negative press out of Europe in particular because of ways in which their [Facebook’s] products may be viewed by some as noncompliant,” said Brian Wieser, senior analyst at Pivotal Research, “and because the U.K. Parliament and European regulators are going to continue exploring fake news and political interference data leaks, and Facebook will remain as a focus because of the degree to which they have enabled these problems.”
Behind the scenes, Facebook may have been working hard on GDPR compliance, but the platform has been publicly vague about how it’s addressing the new law. “GDPR and the draft ePrivacy Regulation create significant risk to Facebook’s business of tracking consumers across the web,” said Jason Kint, CEO of publisher trade body Digital Content Next.
“For years, Facebook has dragged its feet on answering questions about its practices, including most recently regarding the Cambridge Analytica scandal,” Kint added. “And we’ve only heard opaque talking points from Facebook executives about their GDPR compliance plans. My message to our European colleagues is to not let Facebook slide, but to require Facebook leadership to testify under oath before European Parliament about how it intends to comply with the GDPR and specifically how it intends to ask consumers for consent to surveil them across the web.”
Since the news about the Cambridge Analytica scandal broke, Facebook CEO Mark Zuckerberg has been on a mission to emphasize to the general public just how seriously it takes data privacy, while also having to appear in front of Congress. “Facebook is now being forced down to properly lean into the spirit of the [GDPR],” said Ryan.
A Facebook spokesperson said: “Like other companies, we are actively preparing for the GDPR to ensure that our products and services comply. We’ve brought together hundreds of employees across product, engineering, legal, policy, design and research teams. We’re also developing resources that help other organizations build privacy into their services. For example, we built a microsite to help answer questions from our advertising partners, and we’re hosting workshops on data protection for small and medium businesses, as well as updates via our Newsroom and our Facebook Business blog. The Facebook family of apps already applies the core principles in the GDPR, which are transparency and control. And we’re building on this to make sure that we’re ready to fully comply by May 25.”
Under the GDPR, Facebook will neither be able to collect and use data for behaviorally targeting ads, nor bundle consent to serve personalized ads, but it does have other options. It could, for example, follow in Google’s footsteps and introduce nonpersonalized ad services that do not rely on individual users’ personal data to inform the targeting, which is what exposes everyone to risk under the GDPR. There are other ways of creating personalized audience segments that aren’t reliant on people’s personal information — and that’s good enough for many marketers, according to Ryan.
“Facebook has tremendous reach. If they weren’t allowed to mine the personal data on the news feed, what could you still do for advertisers? A lot,” said Ryan. “It can put in place more broad, contextual ads, as long as it isn’t using personal data. Then, you can give the advertiser reach and compliance. Right now, it is giving them reach and risk. CMOs need to reach segments; brands need segments. There is a big part of the industry which is all about performance and direct response, and there is space for that in future, but the big spenders have always wanted to reach their segments. So, can they in the future without handling personal data and in a safe way [on Facebook]? Yes, they can.”