Companies using Facebook Custom Audience need separate customer consents
The Norwegian Data Protection Authority (Datatilsynet) has ordered a company to improve its consent solution so that it meets GDPR standards.
The background for the case was a complaint from an individual, who reacted to the fact that she received online advertising from the company.
The complainant, who had bought an online service from the company, started receiving direct marketing on Facebook and email without having consented to it.
The company argued that everyone who bought the service automatically agreed to marketing on Facebook and email. According to the company, the complainant had thus already consented to the marketing when she bought the service, as this was stated in the company's privacy statement.
Facebook Custom Audience is an ad targeting option that lets a company find its existing "audience" among people who are on Facebook. A company may use sources like customer lists, website or app traffic, or engagement on Facebook to create an "audience" of people who already know its business. To create a Facebook Custom Audience, a company typically uploads customer information to Facebook, so that Facebook can match this information with existing Facebook profiles. Facebook then uses the information to send targeted marketing to the individuals identified as part of that "audience".
The company provided customer information to Facebook based on the company's customer lists. The company argued that its consent solution, whereby customers, as part of placing orders for the services, needed to accept targeted advertising in a privacy statement with an opt-out opportunity, constituted a valid consent. The company also argued that its consent solution was in line with industry practice.
Datatilsynet concluded that the company's consent solution was not compliant with the GDPR article 4(11), article 6(1)(a) and article 7.
Pursuant to the GDPR article 4(11), consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Further, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language, cf. the GDPR article 7(2).
In Datatilsynet's opinion, the company's mechanism, whereby customers needed to agree to its privacy statement or not purchase the company's services, forced customers to consent to targeted ads on Facebook and email. It was not possible for customers to purchase the online service without at the same time having to consent to targeted ads. In Datatilsynet's view, this did not fulfil the requirement for "freely given" consent under the GDPR article 4(11). Datatilsynet ordered the company to rectify the consent solution and to delete certain personal data about the customer.
In essence, the only way to make use of Facebook Custom Audiences that is GDPR compliant in Datatilsynet's view is through an affirmative and informed expression of consent, along with details in the privacy statement of what that consent means for further processing by Facebook.
We recommend that companies review the information they give and the consents they collect, in particular to avoid non-compliant consent "bundling" and sharing with third party advertisers without a sufficient legal basis.