The GDPR is coming and will change Facebook ad targeting
While most focus is on Facebook’s travails in Washington, the real threat for Facebook looms in Europe. The General Data Protection Regulation kicks in May 25, and it is poised to change how Facebook targets ads.
If anything, the level of public scrutiny on Facebook, thanks to the Cambridge Analytica scandal, has solidified that fact and put the kibosh on questions about whether Facebook will sail unhampered through GDPR compliance. Facebook will no longer be able to process news feed posts for ad-targeting purposes, unless those posts are marked “public” or “friends of friends” because they tend to include what the GDPR defines as “special categories of data,” according to sources. Ethnicity, religious beliefs, political affiliation and sexual orientation are the kinds of data defined as special categories.
“This means that although Facebook is sitting on top of a trove of personal data, it will have to start offering a form of ad targeting that does not process these data points, unless it can get explicit consent,” said Johnny Ryan, head of ecosystem for ad tech firm PageFair. “In the wake of the Cambridge Analytica issue, it is unlikely that people will volunteer this consent.”
Facebook will release an update this morning on how it will address the special categories point, specifically covering how it will ask Facebook users to make choices about information on their profile.
The social platform is in the challenging position of being classified as a data controller and a data processor under GDPR law. So for certain tools like Facebook’s Lead Ads, which allow advertisers to collect information from users directly from mobile ads on Facebook, both Facebook and the businesses that use that tool are data controllers, meaning both parties are responsible for ensuring compliance. Whenever Facebook matches an advertiser’s customer-relationship management data to its user database to create a custom audience for a campaign, Facebook is classified as a data processor. Whereas for Audience Network, Facebook is the data controller and therefore shoulders the corresponding responsibilities to data subjects, such as access, so it will need consent to continue operating Audience Network.
Some publishers have long complained that getting consent from users will be easy for Facebook due to its massive pot of logged-in users. This has led publishers, particularly in Germany, to criticize European regulators for having inadvertently handed more advantage to the Facebook-Google duopoly via the GDPR and drafted ePrivacy Regulation.
But obtaining that consent may have just become harder for Facebook, thanks to the heightened awareness around how political consulting firm Cambridge Analytica amassed data about more than 50 million Facebook users without their consent.
“We’ll continue to hear negative press out of Europe in particular because of ways in which their [Facebook’s] products may be viewed by some as noncompliant,” said Brian Wieser, senior analyst at Pivotal Research, “and because the U.K. Parliament and European regulators are going to continue exploring fake news and political interference data leaks, and Facebook will remain as a focus because of the degree to which they have enabled these problems.”
Behind the scenes, Facebook may have been working hard on GDPR compliance, but the platform has been publicly vague about how it’s addressing the new law. “GDPR and the draft ePrivacy Regulation create significant risk to Facebook’s business of tracking consumers across the web,” said Jason Kint, CEO of publisher trade body Digital Content Next.
“For years, Facebook has dragged its feet on answering questions about its practices, including most recently regarding the Cambridge Analytica scandal,” Kint added. “And we’ve only heard opaque talking points from Facebook executives about their GDPR compliance plans. My message to our European colleagues is to not let Facebook slide, but to require Facebook leadership to testify under oath before European Parliament about how it intends to comply with the GDPR and specifically how it intends to ask consumers for consent to surveil them across the web.”
Since the news about the Cambridge Analytica scandal broke, Facebook CEO Mark Zuckerberg has been on a mission to emphasize to the general public just how seriously it takes data privacy, while also having to appear in front of Congress. “Facebook is now being forced down to properly lean into the spirit of the [GDPR],” said Ryan.
A Facebook spokesperson said: “Like other companies, we are actively preparing for the GDPR to ensure that our products and services comply. We’ve brought together hundreds of employees across product, engineering, legal, policy, design and research teams. We’re also developing resources that help other organizations build privacy into their services. For example, we built a microsite to help answer questions from our advertising partners, and we’re hosting workshops on data protection for small and medium businesses, as well as updates via our Newsroom and our Facebook Business blog. The Facebook family of apps already applies the core principles in the GDPR, which are transparency and control. And we’re building on this to make sure that we’re ready to fully comply by May 25.”
Under the GDPR, Facebook will neither be able to collect and use data for behaviorally targeting ads, nor bundle consent to serve personalized ads, but it does have other options. It could, for example, follow in Google’s footsteps and introduce nonpersonalized ad services that do not rely on individual users’ personal data to inform the targeting, which is what exposes everyone to risk under the GDPR. There are other ways of creating personalized audience segments that aren’t reliant on people’s personal information — and that’s good enough for many marketers, according to Ryan.
“Facebook has tremendous reach. If they weren’t allowed to mine the personal data on the news feed, what could you still do for advertisers? A lot,” said Ryan. “It can put in place more broad, contextual ads, as long as it isn’t using personal data. Then, you can give the advertiser reach and compliance. Right now, it is giving them reach and risk. CMOs need to reach segments; brands need segments. There is a big part of the industry which is all about performance and direct response, and there is space for that in future, but the big spenders have always wanted to reach their segments. So, can they in the future without handling personal data and in a safe way [on Facebook]? Yes, they can.”
Download Digiday’s guide to GDPR for checklists, research and much more you’ll need to know before May 25.
‘None of this is celebrity for celebrity’s sake’: How publishers are trying to scale virtual events with high-profile star power
Scale "matters when making a media buy" for virtual events, according to Barry Lowenthal, CEO of media agency the MediaKitchen, and celebrity appearances help to achieve that.
‘An unprecedented period of Darwinian experimentation’: As sports return, Twitter eyes ad boost
The lack of match-day revenue has forced clubs to better understand the commercial value of platforms like Twitter.
‘The more culture you own’: Condé Nast pursues more revenue growth with new brand-strength metric
Condé Nast is hoping its new advertising measurement framework can drive growth for its digital ad and commerce businesses.
SponsoredThe race to frictionless consumer journeys is expanding beyond marketplaces
Compressing consumers’ path-to-purchase is the holy grail of advertising and marketing. When Jeff Bezos authored 1-Click in 2011, advertisers began to realize that in some cases — especially for consumables — awareness, consideration and purchase can all happen in seconds. Since then the rise of e-commerce marketplaces has forced a major shift in the design […]
‘Permission to think long term’: The Atlantic digs for deeper, smarter client partnerships
Atlantic Brand Partners will account for all The Atlantic’s business-to-business revenue, which is currently two-thirds of The Atlantic's overall revenues.
‘Re-architecting the entire process’: How Vice is preparing for life after the third-party cookie
Vice is working to bolster its first-party data strategy, improve its registration process and double down on contextual ads.