On September 7, 2020, the European Data Protection Board (the “EDPB”) published Guidelines on the Targeting of Social Media Users (the “Guidelines”). The Guidelines aim to provide practical guidance on the role and responsibilities of social media providers and those using targeting services, such as for targeted advertising, on social media platforms (“targeters”).
The EDPB explains that social media providers and targeters will be considered joint controllers when they effectively co-determine the means and purposes of a processing activity (i.e., the display of a specific ad via a targeting tool to a targeted audience). Conversely, the social media provider and the targeter will not be considered joint controllers for any processing operations taking place before the selection of the relevant targeting criteria or after the targeting and reporting is completed, or in which one of the controllers did not participate. In particular, the EDPB identified four specific scenarios, in which targeting is based on (1) data actively provided by the users to the social media provider or the targeter; (2) personal data provided by the user to the targeter; (3) data observed from the user’s use of a service or a product (“observed data”); or (4) data inferred from data provided by the users (“inferred data”). For each scenario, the EDPB explains the role of the parties and provides advice on the legal basis used to justify the processing for targeting purposes. The EDPB highlights in particular that:
- Both joint controllers must be able to demonstrate the existence of a legal basis justifying the processing of personal data. Consent or legitimate interest may be appropriate legal bases to justify a targeting activity if demonstrated by both parties. However, the EDPB emphasizes that legitimate interest would not be an appropriate legal basis for certain processing activities, such as intrusive profiling and tracking practices for marketing purposes, which would require collection of users’ consent. In addition, the EDPB stresses that the performance of a contract legal basis cannot be relied on when carrying out targeting activities.
- When processing involves social plug-ins, cookies or pixels, the social media provider and the targeter must comply with both the GDPR and the ePrivacy Directive, and as such must obtain users’ valid consent.
- The collection and use of inferred data typically involves profiling activities. As profiling typically constitutes an automated processing of data, in circumstances where the automated decision produces legal effects or significantly affects users, controllers may only rely on the user’s explicit consent, the necessity of the automated-decision making for entering into, or performance of, a contract, or authorization by EU or the controller’s Member State law.
In addition, the Guidelines provide information on the application of key data protection requirements and on the joint agreement social media providers and targeters must implement, including:
- Compliance with the transparency requirement: The EDPB states that the use of the word “advertising” alone is not sufficient to inform users that their behavior is monitored for targeted advertising purposes. As joint controllers, social media providers and targeters must agree on their respective responsibilities, including their duty to inform users of the processing, and should make the content of this agreement directly available to users by including a link on the social media platform and a reference in its privacy policy or on the targeter’s website or through link, such as “Why am I seeing this ad?” Joint controllers may agree that one of them will be responsible for providing information to users even though each party ultimately remains responsible for the processing activities under its control.
- Compliance with the right of access: To simplify the exercise of data subjects’ right of access, the social media provider and the targeter should designate a single point of contact for data subjects.
- Duty to carry out a Data Protection Impact Assessment (“DPIA”): Joint controllers are both responsible for assessing whether a DPIA is required. If so, the joint agreement should specify which one of the joint controllers is responsible for carrying out the DPIA as one of them may be better placed to assess the risks of the targeting activity.
- Processing of special categories of data: The social media provider and the targeter must determine whether the targeting activity involves the processing of special categories of personal data. If so, they must ensure that they can rely on one of the legal bases under Article 9 GDPR for the processing of such data for targeting purposes. The EDPB also distinguishes situations where processing involves special categories of data that are explicit, inferred, combined or made manifestly public and their legal implications.
- Adhering to a joint agreement and allocation of responsibilities: The social media provider and the targeter must conclude a joint agreement detailing the processing, allocating responsibilities between them and describing how the obligations that apply to both joint controllers will, in practice, be fulfilled. To establish this, the EDPB recommends taking into account the ability of each joint controller to influence the processing, and their actual or constructive knowledge, in order to determine their levels of responsibility. As the existence of joint controllership does not necessarily imply the equal responsibility of the joint controllers, the EDPB also highlights the importance of clarifying at what stage and to what degree each joint controller is responsible of the processing. Finally, the EDPB highlights that insofar as these joint agreements do not bind supervisory authorities, the competent supervisory authority may exercise its competence and powers in relation to either joint controller.
The EDPB is accepting comments on these Guidelines until October 19, 2020.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code