Social Media Targeting: what risks, roles and responsibilities?

Companies from around the world spend an estimated $600 billion a year on advertising. And according to the most recent forecast by media consultancy Magna, digital ad formats are set to represent an estimated 67% of total advertising sales. 

At the same time, many predict that the AdTech industry could be the next big bubble to burst – with the regulatory pendulum swinging clearly towards data privacy (i.e. GDPR, California Consumer Privacy Act), the massive Covid-related fall in ad spending and the digital industry’s budding fratricidal war (see Apple’s new App Tracking Transparency feature) all seemingly coming together to accelerate this trend. Either way, the AdTech industry, and the social media targeting practices which lie at its core, are both set to stay around for the foreseeable future and, as such, deserve our attention.

It is in this context that the European Data Protection Board (hereafter EDPB) - the independent body responsible for the consistent application of data protection rules across the European Union - released its guidelines on the targeting of social media users. 

The EDPB regularly issues guidance in the shape of recommendations, ‘best practices’ or guidelines. In its short life – the GDPR and the EDPB only just recently celebrated their third anniversary – the EDPB has managed to generate an impressive range of guidance, touching upon topics as varied as virtual voice assistants, connected vehicles and the territorial scope of the GDPR. The aim is to clarify data-related law (both primary and case law) and to promote a common understanding of EU data protection rules.

In the following article, we unpack the EDPB’s latest and detailed guidelines on social media targeting: these guidelines offer both a review of the different types of targeting which take place online, as well as an overview of the legal implications of social media targeting and of the respective obligations of all players involved, with reference to the GDPR’s framework of ‘data controllers’ and ‘data processors’. 

First off, what do we mean when we talk about social media targeting?

The EDPB guidelines begin with a useful terminology reminder: social media targeting is the practice by which natural or legal persons are able to “communicate specific messages to the users of social media” and in the interest of furthering specific ends (p.4). These ends can be of the commercial, political or even religious order and the messages generated may take a variety of shapes and forms, as an ad banner or as integrated content for example – but the common thread running through all social media targeting practices is always the “perceived fit between the person or group being targeted and the message that is being delivered” (p.4).

Who are the players involved?

Social media targeting typically involves, at the very least, the three following actors: 

  • social media users of course, who typically come into the ‘targeting’ picture when they create an account or profile on a social media platform – which they will usually do in order to stay in contact with friends and/or family, further their career objectives, or meet likeminded users with similar hobbies and/or interests;

  • social media providers: this is the supply side of the social media targeting operation; these are the platforms who determine what kind of data is collected at the point of account creation, as well as the kind of targeting services packages which may be offered on the basis of their user database; and

  • social media targeters: this is the demand side of the operation; these are the actors (usually businesses or influencers) who use the data that is gleaned through social media targeting in order to generate specifically tailored messages.

The EDPB notes the emergence of a fourth kind of actor within the AdTech industry: data brokers and/or data management providers, with an expertise in the intermediation of social media providers and targeters, as well as the aggregation of different data sources.

How does social media targeting work in practice?

Concretely, social media providers are able to slice and organize their databases of users into different categories.

These categories of social media users are then either presented to the social media targeters, as potentially relevant market segments on which the targeter may want to focus her ad spending, or simply matched against the targeter’s own pre-existing categories (say, for instance, that a given targeter already possesses a list of her existing customers’ email addresses and is looking to expand her client base: in that case, she could ask the social media provider to target all the users but the ones she has already acquired, using email addresses as a discriminating variable).

These categories may look very different from one social media provider to the other and will depend on each provider’s service offering. Despite these differences, three types of data are typically relied on to craft these categories:

  • ‘provided data’: this is the term the EDPB uses to refer to the data that is actively provided by the user as part of her profile or account information; 

  • ‘observed data’: this refers to the data that is gleaned from a user’s direct activity on the social media platform, such as a ‘like’ or a specific hover rate over a given advertiser’s ad placement; and

  • ‘inferred data’: this is also data that is gleaned from a user’s activity on the social media platform - the distinction with ‘observed data’ being that ‘inferred data’ is the result of indirect associations with the user’s activity. Say, for instance, that a Facebook user ‘likes’ the official F1 fan page, then Facebook may (rightly, or not) infer that said user will also be receptive to ads promoting Lewis Hamilton-related paraphernalia.

In this vein, one simple and very telling experiment is available to those of us who have Facebook accounts and who are looking to better understand how social media targeting pans out in practice.

One simple trip down ‘Settings’ > ‘Ads’ > ‘Ad Settings’ > ‘Categories Used to Reach You’ > and finally, ‘Interest Categories’, reveals the sometimes-accurate-sometimes-incongruous list of inferred categories which Facebook, and by extension social media targeters, rely on to summarise, categorise and eventually target each and every one of us individually.

Why is social media targeting of concern?

That social media targeting poses acute risks to society and individuals may seem like a platitude by now, given how commonplace this theme has become in conversations and debates ever since 2016. Despite this, EDPB guidelines make the sensible choice of going over these dangers once more, but in very clear and straightforward language - and amongst other things, reviewing these risks and their sheer magnitude helps to better explain the strict legal treatment afforded to social media targeting under the GDPR framework (see below).

Social media targeting represents an obvious risk to personal autonomy: despite the occasional bizarre and out-of-touch categories which Facebook labels us with, sometimes, social media targeting will hit just the right mark. The messages generated will be so accurate and fitting that they may influence an individual’s spending, religious or political behavior beyond what she could imagine or want.

Relatedly, social media targeting poses a particular risk for minors, who are not, under the current regime, shielded from social media categorizing and targeting: this poses an obvious risk from a developmental and cognitive point of view, as children may be subject to targeting during some of the most formative years of their lives and while not necessarily having the necessary hindsight and experience to understand what impact this may have on them.

There are also many concerns surrounding discrimination on the basis of social media targeting: the EDPB guidelines remind us that even when a category is not directly or overtly discriminatory in nature, it may still have discriminatory effects in practice. The concern is also that these discriminatory categories (whether overtly discriminatory or not) could be, and in effect are, used to allocate certain essential social endowments (such as housing, loans or mortgages).

A final type of concern centers around the issue of privacy: as has been mentioned above, social media targeting is, in part, based on inferred and observed data - which may reveal more than what a data subject had planned for or even imagined to share with other legal or natural persons.

How is social media targeting to be approached from a legal standpoint?

It appears then that social media targeting is a complex and protean process, involving a multitude of players: with this in mind, how is it to be approached from the vantage point of the GDPR framework?

(i) Legal Basis

The first legal question that needs to be elucidated is that of the lawfulness of processing: social media targeting is a form of data processing and, like every other data processing, it shall only be considered lawful under the GDPR if the players involved in the processing activities are able to demonstrate the existence of a legal basis for doing so. The relevant provision here is article 6 of the GDPR. From the outset, the EDPB guidelines specify that article 6 (1) (b) - where data processing is necessary for the performance of a contract - is hardly ever an adequate basis to justify social media targeting. This is because while the personalization of content (whether integrated or not) may sometimes be an expectation of social media users, the “targeting of social media users cannot be considered as an intrinsic aspect of any services or necessary to perform a contract with the user” (16).

The EDPB guidelines specify that it is most often consent (art. 6-1-a), sometimes legitimate interest (art. 6-1-f), which may constitute the legal basis for social media targeting. For the latter, the EDPB guidelines remind us that in order to be considered valid, a ‘legitimate interest’ justification must meet the following three cumulative conditions: (i) a legitimate interest must exist; (ii) the social media targeting must be necessary to achieve said legitimate interest; and (iii) the legitimate interest must be balanced against the data subject’s interests or fundamental rights and freedoms. That is to say that a social media provider or targeter’s economic profitability is not enough, in and of itself, to constitute a legitimate interest under the meaning of article 6 (1) (f).

(ii) Legal Roles

The second legal consideration which needs to be addressed is that of the distribution of responsibilities and roles throughout the social media targeting process: the GDPR rests different obligations on different actors’ shoulders, depending on whether these actors are data controllers or data processors.

Under the GDPR, the data controller is the entity which determines the means and the purpose of the data processing.

Here, the EDPB Guidelines leave little room for doubt: in a very thorough and clear passage, the EDPB guidelines explain that in most, if not all cases, both the social media targeter and the social media provider are considered controllers of the targeting process.

That is to say that social media targeting gives rise to a joint controllership scenario.

The relevant variable here is the players’ capacity to determine the purpose of the processing, with the EDPB reminding us that both the absence of ‘access to the personal data concerned’ (16) and the existence of ‘take it or leave it’ conditions - which may be imposed by the social media provider on the social media targeter (38) - are irrelevant here.

The EDPB adds that the existence of a “mutual benefit arising from the same processing operation” may be a further indication of joint-controllership, since the purposes pursued by the social media targeter and the social media provider would seem to be inextricably linked (15).

It is easy to see how the social media targeter could be deemed to be determining the purposes and the means of the social media targeting: it is crystal clear when it is the targeter herself that requests the social media provider to target a given user base, using a certain category; and in the slightly less straightforward scenario where the targeter chooses to “use the services offered by the social media provider” (15), the EDPB clarifies that the targeter is also deemed a controller of the means and purposes in this scenario and by sole virtue of choosing the services. 

As for social media providers, the EDPB is categorical that they shall virtually never “qualify as a processor as defined by article 4 (8) GDPR” (15). This is because in all of the following cases – i.e. when the social media provider develops certain targeting criteria or categories; when the social media provider decides to use the personal data possessed by the social media targeter to match it against its own records; or when the social media provider develops software code (such as cookies) which allows for the automatic collection of observed data – the social media provider can be deemed to determine the purposes and the means of the processing.

(iii) Legal Responsibilities

As we’ve discussed in a previous Gerrish Legal article, joint controllers have the same obligations as any other controller but are jointly and severally liable for GDPR violations with their co-controller. The only difference here is that joint controllers can come to an arrangement between themselves as to the division of labour (and liabilities) for certain of these obligations.

The EDPB guidelines look at three of these obligations and how they are to be treated under joint-controllership: 

  • Duty to respond to data subject’s right of information: articles 13 and 14 of the GDPR contain an exhaustive list of information pieces to be provided to the data subject, by the data controller. Although both controllers are responsible for meeting this obligation, the EDPB specifies that the two controllers may, in a transparent manner, designate a priority contact point (“especially in cases where only one of the controllers interacts with the users” p. 27), as well as their respective information responsibilities regarding certain parts of the social media targeting process, by way of an arrangement between each other;

  • Duty to respond to data subject’s right of access, right to erasure and right to object: the relevant provisions here are (respectively) articles 15, 17 and 21 of the GDPR, with the EDPB specifying that the two controllers may decide amongst themselves who should be in charge of responding to the data subject access requests in priority - again by designating a single point of contact. The guidelines specify that, in spite of the foregoing, neither controller can prevent the data subject from exercising her rights against either of them (29-30);

  • Duty to conduct a Data Protection Impact Assessment (DPIA), if applicable: article 35 of the GDPR covers the circumstances under which a controller is required to conduct a DPIA (the general rule being that a DPIA is necessary “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons”). The guidelines specify that “if a DPIA is necessary”, both joint controllers shall be “responsible for fulfilling this obligation” (30). The EDPB guidelines remind us that a DPIA “should tackle the entire processing of personal data”, which entails that the joint controllers shall share relevant information with one another.

Social media targeting is a complex and pervasive practice. As always, should you have any queries regarding this topic or your compliance with the GDPR, please do not hesitate to contact us!

Article initially published by Leila Saidi @ Gerrish Legal, June 2021
