The Guidelines aim to clarify the roles and responsibilities of social media providers and ‘targeters’ with regard to the processing of personal data for the purposes of targeting social media users.
Many users will be aware of the targeting of adverts on social media platforms and how personal data is used beyond individuals’ reasonable expectations. This can result in a lack of transparency and control, and can influence the behaviour and choices of individuals. The Guidelines outline how ‘Targeting services make it possible […] to communicate specific messages to the users of social media in order to advance commercial, political, or other interests’. The targeting of social media users involves not just the act of ‘selecting’ the individuals or groups of individuals that are the intended recipients of a particular message (the ‘target audience’), but an entire process carried out by a set of stakeholders which results in the delivery of specific messages to individuals with social media accounts. The ICO’s investigation into Cambridge Analytica was one example of such issues involving targeting users on social media platforms.
What are the risks posed by social media targeting?
Targeting of social media users may involve uses of personal data that go against or beyond those individuals’ reasonable expectations and thereby infringe applicable data protection legislation.
- Undermining users’ ability to exercise control over personal data: social media platforms combine personal data from third-party sources with data disclosed by users of their platform, resulting in personal data being used beyond the initial purpose and in ways the individual could not reasonably anticipate.
- Discrimination and exclusion: targeting of social media users may involve criteria that, directly or indirectly, have discriminatory effects relating to an individual’s racial or ethnic origin, health status or sexual orientation, or other protected qualities of the individual concerned. For example, the use of such criteria in the context of advertising related to job offers, housing or credit (loans, mortgages) may reduce the visibility of opportunities to persons within certain groups of individuals.
- Possible manipulation of users: targeting is used to influence behaviour and choices of individuals – such as purchasing decisions as consumers or even political decisions. An analysis of content shared through social media can reveal information about the emotional state of an individual and when that individual is expected to be more receptive and therefore influenced in thought process and behaviour.
- Children: targeting can influence the shaping of children’s personal preferences and interests, which in turn affects their autonomy.
The Guidelines recognise that the increase in concentration and limited number of major actors in the markets of social media and targeting may also increase risks to the rights and freedoms of a substantial number of individuals. The combination of more in-depth profiling of individuals and an ever-increasing degree of market and information power threatens to diminish the data protection and freedom granted to social media users.
Targeting of Social Media Users
Who is involved?
Targeting of social media users involves a variety of different actors:
- Social media providers: offer an online service that enables the development of networks and communities of users, among which information and content is shared.
- Social media users: individuals who are registered with the service (i.e. those who have an ‘account’ or ‘profile’).
- Targeters: organisations that use social media to direct specific messages at a set of users who have been selected on the basis of specific parameters or criteria. Typical examples include:
  - Brands who use social media to advertise their products and to increase brand awareness.
  - Political parties are also increasingly making use of social media as part of their campaigning strategy.
  - Charities and other non-profit organisations also use social media to target messages at potential contributors or to develop communities.
- Other actors involved in the targeting process include adtech companies and data brokers.
Social media users may be targeted on the basis of provided, observed or inferred data, as well as a combination of these datasets:
Following CJEU case law, the EDPB will consider social media providers and targeters when determining the purposes and means of processing and will treat their relationship as joint controllership when they decide what advert to display to which person. As part of this joint controllership, both the social media providers and targeters must be able to demonstrate the existence of a legal basis for their use of personal data.
Legal bases for processing
The most likely legal bases to apply under GDPR in the targeting context are:
Other data protection issues
1. Transparency: Information presented to data subjects regarding how their personal data will be processed should be concise, transparent, and presented in an intelligible and easily accessible form using clear and plain language. The mere use of the word ‘advertising’ is not enough to inform users that their activity is being monitored for the purpose of targeted advertising. Instead, individuals should be informed if a profile will be built based on their online behaviour and what types of personal data will be collected to build such profile. Individuals should be provided with the relevant information directly on the screen and through layered notices.
2. Right of access: an easy-to-use mechanism must be in place to enable individuals to exercise their data subject rights such as right to erasure, to object and right of access. The Guidelines suggest that individuals be given remote access to a secure system through which the individual can access their data and through which those individuals can check their profile, including the sources used to develop it, the identity of the targeter, the criteria for targeting, as well as recipients of their personal data. As joint controllers, the social media provider and targeter can determine a single point of contact for data subjects to exercise their rights, but this does not exclude the possibility for data subjects to exercise their rights against each controller.
3. Data Protection Impact Assessments (DPIAs): joint controllers should check whether a DPIA is required, taking into account current criteria identified in EDPB guidelines on DPIAs. Both joint controllers need to assess whether a DPIA is necessary and are both responsible for completing the DPIA. Whether a DPIA is required will depend on:
- the nature of the product or service advertised
- the content of the message or way the advert is delivered
- the purpose of the advertising campaign and its intrusiveness
- if the targeting involves the processing of observed or inferred data.
4. Special categories of data: special category data includes, for example, data about an individual’s health, racial or ethnic origin, biometry, religious belief or political opinion. If special categories of personal data are processed in the context of targeting, then along with a legal basis under Art. 6 EU GDPR, a condition under Art. 9(2) EU GDPR also needs to be established, the most relevant being: (i) explicit consent; and (ii) data manifestly made public by the data subject. Whether the latter condition applies will depend on:
- the default settings of the social media platform (whether the individuals actively changed these settings from private to public)
- the nature of the social media platform (e.g. a platform designed for business professionals to connect or an online dating platform)
- the accessibility of the page where the special category data is published (i.e. whether an account is required to access this information)
- how visible it is to the individual that the information will be public (i.e. is there a continuous banner on the page?)
- whether the individual has themselves published the special category data or this information is published by a third party (e.g. a user’s friend) or is inferred.
5. Joint controllership: targeters and social media providers are required to determine their respective data processing operations (for which they are jointly responsible) in an arrangement. Both the social media provider and the targeter must be aware of and have sufficiently detailed information regarding the specific data processing operations taking place. The Guidelines clarify that the arrangement should reflect the purposes of processing and the corresponding legal basis as well as documenting how the arrangement will be fulfilled in practice.