Home  ›  Can I Upload Phone Numbers to Facebook Custom Audiene

Can I Upload Phone Numbers to Facebook Custom Audiene

Written By Tuesday, April 12, 2022 Add Comment Edit

Facebook Custom Audiences is a valuable tool for many online marketers, but the muddied little hole-and-corner is the difficulty in making information technology compliant with the GDPR and ePrivacy rules. I explicate the bug and how to overcome them.

one Summary

Facebook Action and GDPR/ePrivacy Compliance Custom Audition Created from:
Customer List or Pixel/App Tracking 		Custom Audience Created from:
Direct Facebook Appointment
Is it compliant to CREATE a Custom Audience? Probably yes, if you lot nerveless the personal information in a compliant fashion in the kickoff place. Yes, if your Facebook presence is GDPR compliant.
Is it compliant to Annunciate to a Custom Audience on Facebook? Yes, needs consent (which few advertisers have). Yes, if your Facebook presence is GDPR compliant.
Is it compliant to create a "Lookalike Audience" on Facebook? Yep, needs consent (which few advertisers accept) . Yep, if your Facebook presence is GDPR compliant.
Is it compliant to Annunciate to a "Lookalike Audience" on Facebook? Yeah, merely only if you tin create the Lookalike Audience in a compliant fashion in the first place. Yes, but only if y'all can create the Lookalike Audience in a compliant fashion in the first place.

2 Scenario

Your company ACME Widgets Ltd (the "advertiser") wants to promote its health widgets to people using online advertising, e.g. in Facebook and Google ads, and through traditional email marketing.

A news organisation named Global News Ltd (the "publisher") provides a free website and app to provide news and is funded by the adverts it displays.

Ads on the Global News Corp website/app are chosen and presented in real-fourth dimension by a third party "ad network", such equally Facebook or Google.

3 What is a Custom Audience?

A Facebook Custom Audience is a group of Facebook user accounts that have been matched to a dataset that an advertiser provides, e.g. ACME Widgets Ltd uploads a list of 100 customer electronic mail addresses for which Facebook matched 75 Facebook accounts which becomes a Custom Audience to apply within Facebook.

There are really iii types of Custom Audience based on where the data comes from:

  1. Client List – A listing of contact information that you supply to Facebook (Facebook names this a "customer list"), due east.g. email addresses of customers who may or may not be Facebook users.
  2. Pixel/App Tracking – People that have interacted with your website (pixel) or app (SDK), who may or may non be Facebook users.
  3. Facebook Engagement – Facebook users that have interacted with your Facebook/Instagram presence, due east.g. liked your Facebook Page or accessed your Instagram contour.

4 How do I create a Custom Audience?

An advertiser uploads to Facebook a list of contact information or selects a cohort of previously tracked pixel/app/Facebook interactions. Facebook matches the data for the advertiser and creates the Custom Audition list of Facebook users.

v Is information technology compliant to CREATE a Custom Audience?

5.one Customer List and Pixel/App Tracking Users

Summary – probably aye, if you collected the personal data in a compliant fashion in the first place.

For the sole human activity of creating a Custom Audition (and not actually using it yet), a number of processing activities have to occur:

  1. Advertiser collects the personal information from the user, eastward.grand. email, phone, Pixel event.
  2. Advertiser stores the personal data.
  3. Advertiser sends the personal data to Facebook (in a hashed form).
  4. Facebook matches the personal information against Facebook user data it already controls.
  5. Facebook creates a list of matched Facebook user accounts (the "Custom Audition").
  6. Facebook retains this Custom Audience inside the Advertiser's business relationship.

For each of these processing activities nosotros first need the Advertiser (the Data Controller here) to establish a lawful basis. Likely examples are shown below in bold.

  1. Advertiser collects the personal data from the user, east.g. email, phone, Pixel. [Consent, Legitimate Interest or Contract]
  2. Advertiser stores the personal data. [Consent, Legitimate Interest or Contract]
  3. Advertiser sends the personal data to Facebook (in a hashed course). [Possibly Consent or more likely Legitimate Interest]
  4. Facebook matches the personal information against Facebook user data it already controls. [Legitimate Interest]
  5. Facebook creates a list of matched Facebook user accounts (the "Custom Audition"). [Legitimate Involvement]
  6. Facebook retains this Custom Audience within the Advertiser's Facebook account. [Legitimate Involvement]

We at present need to examination whether those stand up to scrutiny.

The beginning and near common issue is with collecting the personal information in the first identify, such as when an email list has been purchased without the users knowing or if the user has not given affirmative consent to Facebook Pixel tracking. In the case of an advertiser not having gained cookie consent, retargeting based advertisement is off the tabular array, whether that be through Facebook, Google or any other cookie integrated provider.

The next big question is whether the personal data may exist sent to Facebook. In this narrow instance of solely creating the Custom Audience, Facebook states that it acts as a Data Processor and has no additional rights over using the created data, e.grand. information technology is not allowed to enrich its dataset with this new matched knowledge that a user has purchased from Height Widgets Ltd. On the basis of a Data Controller to Information Processor relationship (ACME Widgets Ltd to Facebook), legitimate interest is the likely selection for a lawful basis. Consent is too an option for the Controller, but realistically few Controllers want to inquire a customer if they are permitted to send their data to Facebook.

After uploading the data, Facebook will then perform the matching of your data confronting their own users and create a listing for you to use later on. These processing actions are well divers by Facebook and ones that you have specifically requested. Facebook are acting equally a Data Processor for you here, simply in parallel are acting as a Data Controller in the matching of their own data for which they take permission via Facebook users' agreement with their Terms of Service (past being a Facebook user you concord to being "matched" with advertiser data).

Facebook states that equally a Data Processor, "Facebook volition not requite access to or data about the Custom Audition(s) to third parties or other advertisers, use your Custom Audition(s) to append to the data that we have about our users or build interest-based profiles, or use your Custom Audience(s) except to provide services to you, unless nosotros have your permission or are required to practise and then by law." Again, legitimate involvement would be the obvious choice for this information processing.

With legitimate involvement in listen, is information technology valid and is it off-white?

This assessment will depend on many factors and sentence calls of how well Facebook can be trusted. You may take the view that Facebook should be taken on its give-and-take that it will purely act as a Data Processor. You may accept the view that Facebook has repeatedly shown poor privacy behaviour and that with no manner to audit Facebook'due south use of your data they should not exist trusted.

If you lot follow Facebook's stance so you would rely on legitimate interest to upload your data to Facebook and have them create your Custom Audition.

(Simply having a Custom Audience is pointless if you're not going to use it, so we need to explore the compliance of the various uses cases.)

5.ii Facebook Engagement Users

(Reminder – here we're talking well-nigh users of Facebook that are directly engaging with a Facebook property, eastward.chiliad. Facebook.com)

Summary – yes, if your Facebook presence is GDPR compliant.

When a company such as Summit Widgets has its own corporate Facebook presence, e.g. a Facebook Page, it is acting equally a Joint Controller with Facebook (see 2018 ruling). In turn, ACME must care for its Facebook presence like its website by providing a Privacy Notice and explicate its collection and utilise of personal data. With those in place, Elevation is able to piece of work with Facebook in a fair and transparent way to build upward a detailed agreement of its audition in a defined list of Facebook users.

6.one Customer List and Pixel/App Tracking Users

Summary – yes, but merely if you accept consent, which you probably don't have.

This question is all-time divide into two parts, compliance against the GDPR and compliance confronting ePrivacy Laws (PECR/ePrivacy Directive/European union land's implementation of the ePrivacy Directive).

GDPR Compliance

When advert through Facebook, Facebook acts as both a Data Processor and Data Controller of the data. Facebook states that i of the means is acts equally a Information Processor for advertisers is when, "Facebook processes data on an advertiser'southward behalf in order to measure the performance and reach of advertising campaigns and report back insights about the people who saw and interacted with the ads." Note how narrow this processing action definition is – specifically providing analytics dorsum to the advertiser when they run an advertising campaign. Facebook states that in most scenarios information technology is a Data Controller, and through the omission of whatever other mention of interim as a Data Processor inside advertizing campaigns we must assume that Facebook is indeed the Information Controller for the running of ad campaigns for advertisers. This seems logical, with Facebook using its ain decisions on when and how to advertise to users, and how it volition employ all the meta data around the ad campaign for enriching its own dataset (such every bit whether a user actually likes widgets).

Nosotros've previously covered the validity of using legitimate interest as a lawful basis for Facebook acting as a Data Processor. But now nosotros must also consider a lawful ground for letting Facebook annunciate with our data when interim as a Data Controller. As soon equally you tell Facebook to annunciate to a Custom Audience you lot are authorising Facebook to utilise your data for their own purposes and "learn" from your data. Since this is unlikely to be a purpose you tell your users about, or ane that they would expect, you would probable fail whatsoever tests of transparency or fairness and fall short in any legitimate involvement balancing test.

There is the view that by having a Facebook account together with its configurable advertising settings, a user agrees to receive retargeting from Facebook and any of its advertisers. This is only half true, with the user agreeing to receive the retargeting, but non authorising simply whatever advertiser to share that data with Facebook in the first place.

Facebook Ad Settings
Facebook User Ad Settings

An instance of a problematic scenario would exist if a teenage girl purchased a pregnancy testing product from Top Widgets. She might have blocked the Facebook Pixel cookie on Meridian's website every bit she didn't want her website purchase to be tracked past Facebook, even though she is a big fan of Facebook. ACME uses her email to create a Custom Audience inside Facebook, and subsequently she receives targeted ads on Facebook for more than pregnancy testing kits. In principle she was happy to encounter ads on Facebook, but did not want her Facebook profile to include annihilation sensitive, such as her pregnancy test and certainly didn't want to see ads for it. And the just style Facebook knew this sensitive information well-nigh her was through an action that ACME took. Facebook was not to blame here. She is at present seeing related ads for nativity control and maternity habiliment and is even more unhappy.

Since legitimate interest may be hard to demonstrate here, consent would be the respond to ensure the user was happy with Facebook advertisement to them.

ePrivacy Compliance

In parallel to the data protection requirements of the GDPR we must consider the rules around eCommuncations, such as those on cookies and Straight Marketing. Assuming that we already take consent for whatsoever cookie tracking (such as with a Facebook Pixel), the question is whether Facebook advertising is a course of Direct Marketing.

Traditional retargeting where an advertizing is shown to a cookie tracked device with most no agreement of the user'south identity is generally not seen as Direct Marketing. Just Facebook is substantially different, with Custom Audiences being a list of known existent people whose data you lot already possess. Advertising to a Custom Audience is most identical to email marketing, where a promotional message is being sent to known individuals with whom yous have a relationship. Equally such, I would argue that the rules around Direct Marketing do apply to Facebook advertising to a Custom Audience.

These rules require either affirmative, informed consent from the user (every bit higher up with the GDPR) or a "Soft Opt-in" use of legitimate involvement. A major issue here is the marketing channel being used. When choosing to consent or not opt-out of straight marketing, an individual should be given a choice of what marketing channel they agree to, e.yard. email marketing, SMS marketing, social media marketing. If an advertiser is relying on consent or Soft Opt-In but does non specifically have permission for marketing via Facebook, then it won't be valid for that communications channel. Dorsum to the example above, the daughter may have been happy receive email marketing from ACME for future promotions on pregnancy testing kits, and thus consented to email marketing, but she did not give consent for marketing via Facebook.

The merely real way of making Facebook advertising to Custom Audiences compliant is through an affirmative, informed expression of consent to Facebook advertising (along with particular in the Privacy Detect of what that means for further processing past Facebook). Sadly, few information controllers ever gain this user consent, and thus are on dangerous basis with their Facebook advert to Custom Audiences.

6.2 Facebook Appointment Users

Summary – aye, if your Facebook presence is GDPR compliant.

In this scenario ACME Widgets is interim every bit a Joint Controller with Facebook, and your users have all accustomed both Facebook's Terms of Service/Privacy Settings and your Privacy Detect. To and then target known Facebook users for advertising within Facebook would require a lawful basis, for which Legitimate Interest would be likely to suffice, if your Privacy Notice explains y'all would do this.

7 What is a "Lookalike Audience" on Facebook?

Advertisers can find similar people to their existing audiences by using Facebook's "Lookalike Audition" feature. Advertisers choose a "source audition" which is a Custom Audience you define, e.k. fans of your Facebook Folio. Facebook then tries to find other Facebook users that are unknown to the advertiser, due east.g. those that share similar interests and demographic profiles.

eight Is information technology compliant to CREATE a "Lookalike Audience" on Facebook?

All the processing activities that have place within the Lookalike Audience feature have Facebook in the Data Controller office. We can split these into two buckets of Facebook activity, understanding the shared attributes within the Custom Audience, and so matching these to individual Facebook user profiles for creating a new list. The offset stage requires some intelligent piece of work by Facebook to make up one's mind what similarities your Custom Audience has, since substantially you lot have supplied a list of 1,000 random Facebook users and but told Facebook that you believe they belong together. It's now for Facebook to determine why – something many marketers struggle to calculate alone and gladly plough to the likes of Facebook for automatic aid. Again, this is the advertiser giving new information to Facebook and letting Facebook use the data for its own enrichment.

For case, you lot supply a listing of 1,000 Facebook users in a Custom Audience that yous know are meridian purchasers of your baldness curing widget. Facebook analyses the 1,000 user profiles and finds a preference amongst these users towards motor racing events and home renovation Facebook Pages. This is a theory that Facebook tin use in future matches and test in future ad campaigns, due east.g. by targeting baldness related products at members of a DIY company'south Facebook page, or in reverse by targeting DIY advertising campaigns at your very own Facebook Page members. Marketers are generally happy with this arroyo, since they go the new audience to target and they have helped enrich the Facebook "graph" to hopefully do good them in the future.

8.1 Customer List and Pixel/App Tracking Users

Summary – yes, merely only if you accept consent, which you probably don't have.

Since nosotros're in the same situation every bit advertising to a Custom Audience (where we are giving Facebook our information, enriching its information set and letting Facebook practise anything it wants with it), legitimate involvement as a lawful ground is a stretch, and consent from the users involved our only real option.

8.ii Facebook Engagement Users

Summary – yeah, if your Facebook presence is GDPR compliant.

In this scenario ACME Widgets is interim as a Joint Controller with Facebook, and your users have all accepted both Facebook's Terms of Service/Privacy Settings and your Privacy Notice. To then perform the shared attribute analysis would require a lawful basis, for which Legitimate Involvement would exist likely to suffice, if your Privacy Observe explains you would do this.

8.3 Lookalike User Matching

Facebook's matching of its theoretical contour confronting other Facebook users to create the Lookalike Audience is outside of your control and doesn't involve any of your personal data. So we don't actually need to care almost this phase. But we do demand to consider how we advertise to this new Lookalike Audience nosotros possess in a compliant fashion.

Summary – yep, but only if you tin can create the Lookalike Audition in the first place in a compliant fashion.

The key deviation between a Lookalike Audition and a Custom Audience is that as an advertiser you accept no ability to identify individuals within a Lookalike Audience just can inside a Custom Audience. As far as you are concerned, a Lookalike Audience contains no personal data that you can process and thus is not subject to the GDPR or any rules around Direct Marketing. It is untargeted advertising in the sense that you don't know who volition see information technology, but you promise they have like habits and buying behaviour to your Custom Audition list.

Since you're not processing personal data in a Lookalike Audience ad campaign, the likes of GDPR will not stand in your fashion. You've just got a tall gild to be able to create your Lookalike Audience in the first place in a compliant manner.

flemmingjoincte71.blogspot.com

Source: https://consent.guide/making-facebook-custom-audiences-gdpr-compliant/

0 Response to "Can I Upload Phone Numbers to Facebook Custom Audiene"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel