Earlier this month the European Data Protection Board (EDPB) released draft GDPR social media targeting guideline that seek to give a greater understanding in relation to the roles and duties of those involved in managing social media platforms and set in stone consent rules.
There will not be a public consultation period that lasts until October 19 2020. This will allow all interested parties to provide any comment or feedback that they might have on the draft guidelines.
It is hoped that the new guideline will address issues related to the control that individuals’ have over their own data, challenges linked to discrimination and exclusion and online bullying or manipulation. The document goes into the the GDPR implications are in relation social media targeting and data used to complete this. It gives advice on how to adhere with the main obligations and outlines who is responsible to see that compliance is in place.
Draft GDPR Social Media Targeting Guidelines: Main Points
1. Targeting: Joint Control held by the Advertiser and Platform, Legitimate Interest
This means that an advertiser can request a social media platform to run adverts to account holders users that meet certain criteria using shared biographical data. it also states that the advertiser may picks times for displaying the adverts and download relevant information on the adverts that were displayed. in a case like this. the EDPB is proposing, the social media platform and the advertiser will act as joint controllers, This is due to the fact targeting is possible due to the tracking of dtaa by the platform and the advertiser is picking which subsets of data it wishes to target. Regarding a legal basis for data processing, consent and legitimate interest are regard are acceptable for this. In cases there there is a sole reliance on legitimate interest the reasons for this must be recorded as it will be gauged on a case-by-case basis.
2. Custom-Audience Targeting: Joint Control & Legitimate Interest
In relation to custom-audience targeting the EDPB is proposing that the advertiser and the platform act as joint controllers. It acknowledges that they act separately for data collection. The advertiser is in a position to depend on legitimate interest as a legal basis to run the campaign if it previously given adequate notice and allowed those to be targeted the chance to opt out.
3. Consent Necessary for Location-Based Targeting
Consent must be provided for location-based targeting and the advertiser and the platform act as joint controllers. This is due to the fact that because the social media platform has gathered the location data to allow location-based targeting, and the advertiser is opting to use that data for its advertising campaign(s). Consent is necessary as it monitors of individuals’ behavior.
4. Consent Required for Online Behavioral Targeting
In cases where online behaviors are being targeted the EDPB is proposing that the advertiser and the platform act as joint controllers. This is slightly more complicated as the social media platform must be able to show consent was given for the collection of data related to online behaviours and the website publisher must be able to prove that it was allowed to gather behavioral dfat also.
5. Extensive Behavioral Targeting/Profiling & Automated Decision-Making
The EDPB has suggested that businesses should review if extensive behavioral targeting is the same as profiling and says that consent may be required in situations where there is automated decision-making.
6. Special Category Data
Along with special category data handed over by individuals on their social media profiles, derivative data (e.g., assumptions or inferences) may also constitute special category data. This is typically not allowed to be processed so an exception will be required to do so. An example of an exception would be if the data has been already made public by the data subject.
7. Joint-Controller Arrangement Requirements
In order to comply with GDPR, Social media platforms and advertisers are required to determine their respective responsibilities as joint-controllers. For this to occur the arrangement:
- Should have enough in depth information regarding the processing operations being carried out by the social media provider and the targeter.
- List the aim of processing the data and the relevant legal basis for doing so.
- make available the essence of the arrangement should to those being targeted, listing ever aspects of data processing that takes occurs
8. Transparency Requirements
Individuals being targeted must be clearly informed in relation to the sort of processing activities being completed and the implications of this for them
The guidelines in full can be read here.