Authored by Attorney-at-law Mathias Bartholdy
In the guidelines, the EDPB focuses on the increased use of services for targeting social media users. From a data protection perspective, targeting is associated with a risk of lack of transparency and user control. Learn more about the three key points of the guidelines below.
Loophole for list-based targeting based on balancing of interests
First and foremost, the guidelines provide scope for using personal data for list-based targeting, e.g. Facebook Custom/Lookalike Audiences, based on a balancing of interests. However, consent remains the safe option as the legal basis of processing. If the use of personal data for list-based targeting is based on a balancing of interests, it is important that you are able to prove that you carried out this balancing in advance.
Use of tracking tools from SoMe providers leads to joint controllership
In addition, the use of tracking tools such as pixels, geo-targeting, like buttons, etc. on websites, made available by SoMe providers, typically leads to joint controllership between the owner of the website and the provider – which seems to be aligned with the CJEU’s previous decisions relating to such tools. It is therefore imperative that website owners using such functions address the issue of joint control. This includes entering into an agreement with the provider on the distribution of responsibilities. Website owners must also remember to include information on the joint controllership in their privacy policies for users of the website on which the tool is used.
Joint controllership requires the same legal basis of processing
The EDPB furthermore recommends that joint controllers use the same legal basis for processing the data for which they are joint controllers. Bearing in mind that agreements on joint controllership are, in practice, drafted unilaterally by SoMe providers, they will set the agenda, and website owners should therefore read such agreements carefully.
As website owners are also responsible for ensuring that the data provided are not used by the SoMe provider in a manner that is incompatible with the purposes for which the data were collected, they must inform the users of their websites about the purposes for which the SoMe provider processes the data in accordance with the agreement on joint controllership.
For further information, see the Guidelines on targeting of social media users of the European Data Protection Board.