On Monday, September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish rules for consent.
The Draft Guidelines are open for public consultation until October 19, 2020. Interested companies can submit their comments to the EDPB.
The Draft Guidelines describe data protection risks associated with targeting of social media users, including individuals’ lack of control over their data, risks of discrimination and exclusion, and manipulation of individuals. The EDPB outlines the data protection implications by the type of targeting and data involved, discusses how to comply with key obligations, and which stakeholders are responsible for which obligations.
We have summarized the key takeaways below.
1. Targeting Leads to Joint Control Between Advertiser and Platform, Who May Rely on Legitimate Interest
According to the EDPB, the typical social media targeting example involves an advertiser asking the social media platform to display advertisements to users that meet certain criteria, such as users in a certain age group and/or in a certain geographical area. The advertiser can also indicate when the ads should be displayed. During and after the campaign, the platform provides the advertiser with relevant metrics.
The EDPB concludes that the social media platform and the advertiser are joint controllers in this case because the platform has developed the targeting criteria and holds the relevant data, while the advertiser defines the criteria for the specific campaign. The EDPB opines that both consent and legitimate interest could be suitable legal bases for data processing. However, reliance on legitimate interest must be assessed on a case-by-case basis, and the result of the assessment must be documented.
2. Custom-Audience Targeting Also Creates Joint Control and Could Be Based on Legitimate Interest
Custom-audience targeting involves an advertiser uploading data that it possesses, such as email addresses or phone numbers, to enable the platform to identify the advertiser’s intended audience among its users. Here too, the EDPB considers the advertiser and the platform to be joint controllers. However, the EDPB notes that the advertiser and the platform are independent controllers for the collection of the data prior to the campaign because the advertiser’s prior collection of email addresses is not “inextricably linked” to the targeting campaign. The advertiser can rely on legitimate interest to run the campaign if it previously provided appropriate notice and opportunity for users to opt out so that the campaign is within the individual’s reasonable expectations.
3. Location-Based Targeting Requires Consent
Location-based targeting allows advertisers to request that a platform display advertisements to individuals based on where they are, or where they have been. The EDPB concludes that the advertiser and the platform are joint controllers because the platform has collected the location data to offer location-based targeting, and the advertiser chooses to advertise based on that data. The EDPB opines that companies must obtain consent for location-based targeting because it constitutes monitoring of individuals’ behavior.
4. Online Behavioral Targeting Requires Multiple Stakeholders to Obtain Consent
Platforms also offer advertisers the ability to target users based on observations about the users’ behavior on the platform and third-party websites which incorporate the platform’s plug-ins and other tracking technologies. As with the other types of targeting, the EDPB believes that both the advertiser and the platform are joint controllers. In line with recent case law, the EDPB explains that the website publisher who allows the platform to collect behavioral data about the website’s visitors is jointly liable with the platform, and responsible for obtaining consent for the collection of visitor data. However, the platform must also obtain consent for its subsequent use of that data for behavioral targeting or any other purpose (see our blog post on the FashionID case).
5. Extensive Behavioral Targeting Constitutes Profiling, and May Involve Automated Decision-Making
Observing users’ behavior over time and across different websites, apps, or devices allows platforms to infer additional information about users’ interests or other characteristics, which can be used for behavioral targeting. The EDPB opines that if the collection of behavior involves cookies or similar technologies, consent is always required. In addition, according to the EDPB, companies should assess whether such targeting is profiling and involves automated decision-making that might require consent. The EDPB explains that the effect of targeted advertising on individuals will often not be significant enough to constitute automated decision-making. However, factors such as the intrusiveness of the profiling and the individual’s vulnerabilities can lead to automated decision-making (e.g., targeting financially vulnerable persons interested in online betting with advertisements for online betting services).
6. Special Category Data
The Draft Guidelines also discuss the notion of special category data in the context of targeted advertising. The EDPB states that, in addition to the special category data[1] provided by individuals on their social media profiles, derivative data (e.g., assumptions or inferences) may also constitute special category data.
Because the processing of special category data is in principle prohibited, both the social media platform and the advertiser must ensure they can rely on one of the exceptions included in the GDPR to process such data. For instance, the processing may be lawful if the data has been manifestly made public by the data subject. In practice, companies will often be required to obtain consent from the affected individual.
7. Joint-Controller Arrangement Requirements
Social media platforms and advertisers are required to determine their respective responsibilities as joint controllers to comply with their GDPR obligations. The EDPB advises that for this arrangement to comply with the applicable transparency requirements:
- It must contain sufficiently detailed information regarding the processing operations carried out by the social media provider and the targeter.
- It should include the purposes of the processing and the corresponding legal basis, together with specific information about how the GDPR obligations are fulfilled in practice. For example, both controllers will be responsible for ensuring that enough information is provided to determine who will reply to data subject requests, or who should carry out a DPIA.
- The essence of the arrangement should be made available to the individuals in a manner that covers all aspects of the data processing that takes place. Both the social media provider and the advertisers are responsible for ensuring this.
8. Transparency Requirements
The EDPB reiterates that the mere use of the word “advertising” is not enough to inform the users that their activity is being monitored for the purpose of targeted advertising. Individuals should be clearly informed about what types of processing activities are carried out and what this means for them in practice.
As indicated above, the Draft Guidelines are subject to public consultation. The EDPB will review the result of the public consultation and may decide to update (part of) the guidelines before publishing a final version. In practice, the EDPB does take into account comments received during public consultation, but the substance of the draft guidelines often remains unchanged. Impacted companies should consider submitting comments to the EDPB and start assessing their current practices in light of these Draft Guidelines.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Chris Olsen, Tracy Shapiro or another member of the firm’s privacy and cybersecurity practice.
Nik Theodorakis, Bastiaan Suurmond, and Alexandre Lépine contributed to this alert.
[1] Special categories of personal data are defined in Article 9(1) GDPR as: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (…) genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”