If your company operates in Europe or you use advertising to target European customers, chances are you know about the General Data Protection Regulation (GDPR). Since Facebook is such a popular platform for advertising, it had to put together a release on how advertisers (like you) are allowed to use data going forward. More importantly, Facebook needed to clarify how these new rules will change how businesses use the platform to target potential customers, build audiences, and store information. But, unlike your average law firm in Spain or software company in Nebraska trying to reach customers in the EU, Facebook isn’t a typical business. That’s because it’s both a data controller (meaning they handle personal data) and a data processor (meaning they work with personal data on behalf of other data controllers). While your business probably only fits into the first category, it doesn’t mean you’re off the hook. Today, we’ll examine Facebook’s recent announcement about GDPR compliance. Specifically, we’ll look at how it affects the millions of businesses that use the platform to advertise. But first, a quick overview of GDPR.
What Exactly Is the GDPR?
According to its own website, GDPR is “the most significant change in data privacy regulation in 20 years.”
In essence, if your business is in the EU, or you offer products or services to, or observe the behavior of, people in the EU who are subject to data collection, GDPR requires you to be more up-front about what personal information you gather and what you do with it. Also, potential customers need to give you clear permission before you can collect and use their data. No funny business. Only complete transparency. As you can see, this gives consumers much more control over their personal data. It also strengthens their right to know about data breaches, to instantly access the information you’ve collected about them, and to have that information erased. If a consumer doesn’t want you to have their data, you’re obligated to respect their decision. Businesses that don’t comply face substantial penalties (up to 4% of their total global revenue). Companies around the world have been rushing to become GDPR compliant before the regulation’s implementation date of May 25, 2018. Facebook is one of those companies.
What Is Facebook Saying?
Unless you’ve been living off the grid for the past month, you know about Facebook’s recent troubles regarding how they manage user data. So, they’re making a big effort to be more transparent and proactive about GDPR protections. According to Facebook, their strategy for GDPR compliance focuses on three key principles: transparency, control, and accountability.
While this may sound like corporate jargon, it’s actually quite simple: Facebook will make it easier for people to understand what information Facebook has about them based on what they share, and they’re going to try much harder to be responsible with how others — advertisers — use that information. Yay! With that said, let’s examine some ways that Facebook’s response to GDPR — and thus, GDPR itself — will affect you as an advertiser.
What Each Advertiser Needs to Do
The same thing Facebook’s doing! You must inform potential customers about the type of data you’re collecting, what you’re doing with it, and who else might see it. Now, if you’re only using Facebook’s built-in targeting tools, you don’t have much to worry about. However, things are a bit different if you’re using tools like the Facebook Pixel or Custom Audiences (more on that later). You can find out more about GDPR compliance (or find the answers to more specific questions) on the EU’s FAQ page, but the key takeaway is this: You need to make sure you have a valid legal basis (for example, consent, a contractual requirement, or legitimate interest) to use consumer data. If you’re not compliant by May 25th, don’t try to blame Facebook. They clearly state, “Each company is responsible for making sure they follow GDPR, just like they’re responsible for following any other laws that apply to them today.”
Will the Facebook Pixel Be Affected?
According to Facebook, anyone who uses a Facebook Pixel “will have certain responsibilities under GDPR.” In its “Guide to Consent,” Facebook provides examples of when you might need to get consent from potential customers before collecting their data, such as…
- E-commerce websites that gather data about products people view for targeted advertising
- Blogs that use cookies to gather general demographic data about their readers
- Facebook advertisers who use the Facebook Pixel to track ad conversions or retarget potential customers on Facebook
Getting consent is pretty simple. You need to tell visitors to your website what data you track, how you track it, and why. Then, they need to agree to it. You can do this with a cookie banner (no actual cookies involved) or by asking for their consent when they sign up, similar to what Facebook does. For more information on this and on GDPR compliance in general, I highly recommend visiting the EU and Facebook links mentioned earlier.
How About Instagram?
I recently overheard some tech security people talking about how “60% of people don’t know that Facebook owns Instagram.” If you were part of that group, consider yourself informed!
And because Facebook owns Instagram, Instagram will always be as GDPR compliant as Facebook. You don’t have to do anything special to use Instagram ads or get extra consent to leverage user data for targeting on the platform. The same applies to Messenger and WhatsApp.
A Special Note About Custom Audiences
This is where things get a bit more complicated. Let’s revisit the whole “data controller vs. data processor” distinction. When you add the Facebook Pixel to your website, Facebook — not you — is the data controller. This means they’re responsible for telling your potential customers that their personal data is being used for targeted advertising across Facebook’s platforms.
However, when you use a data file to upload a custom audience to Facebook, Facebook is simply a data processor. This means you’re responsible for meeting GDPR standards before you upload that information to Facebook to use for targeting. How? Facebook is currently creating a Custom Audiences permission tool that will require you to prove that you obtained consent (although it’s still unclear what this “proof” will entail). We’ll give you more information as soon as it’s available.
Lead Ads Can Be Tricky
Facebook Lead Ads are a great tool for businesses; for some, they’re the most effective advertising tool available. Because of this, they come with their own set of rules.
According to Facebook, “With Lead Ads, both Facebook and the business are data controllers, which means both are responsible for ensuring compliance.” How exciting! Essentially, both you and Facebook need to inform potential customers that you’re processing their data. Fortunately, Facebook makes it easy to link your Lead Ad to your privacy policy, so you can get consent right away.
Final Thoughts
Any business that wants to reach customers in the EU must be GDPR compliant. While you don’t legally have to extend the same courtesies to potential customers in the US, doing so might ease their privacy concerns (and could help your business avoid a PR disaster like Facebook recently experienced).