GDPR & the major social networks: what you need to know

The GDPR comes into force this Friday and, as you might have seen over the last few weeks, all the major social networks have been communicating changes to their privacy policies and advertising options.

As a business who interacts with European consumers, it’s not just your internal data and processes that your going to need to rethink – if you run ads on the likes of Facebook, Twitter, Snapchat and LinkedIn this new legislation may have a bigger effect than they had first thought. Some targeting options, for example, may no longer be available.

Have you listened to our interview with Matthias Matthiesen of IAB Europe yet? We sat down with him a few weeks back to discuss the impact GDPR will have on social advertising.
With a view to keeping you updated on all the latest, we thought we’d collate the key changes and announcements from the major social networks:

Facebook

Facebook, and some other social networks, are in the tricky position of being classed as both a data controller and a data processor under the new privacy legislation. For some ad formats, like Lead ads, Facebook is a data controller because the form filling data is being captured on the Facebook platform itself. For other activities, like allowing the integration of an advertiser’s CRM data in order to build custom audiences, Facebook is in the role of data processor. The social giant therefore needs to take a whole host of actions to achieve compliance. In terms of actions taken, as well as asking users to agree to their updated terms of service and data policy, Facebook has prompted users worldwide to choose:

• Whether they want Facebook to use data from partners, such as other websites, to show them ads.

What about custom and lookalike audiences?

A number of advertisers have been asking whether these audience building options would be affected. In terms of custom audiences on the whole, each Facebook advertiser is responsible for the data they use to target people. Advertisers will be able to continue building these audiences as normal, and Facebook (in their role as a data controller in this case) will assume the database is GDPR compliant. Ensuring you can use your database for ad targeting will mean putting in place a process to specifically ask permission to use data in custom online advertising. You’ll need to make sure all of your website forms (and other places you collect the personal information from prospects and customers) include this as a specific opt-in field.

From a user perspective with lookalike audiences, Facebook users will be able to dive down in detail on why they are seeing a specific ad, and then choose to hide or block an or advertiser if they want to. Ad preferences give users the power to add and remove themselves for targeting interests.

Crucially, however, when a user registers on Facebook, they must accept in the contract that they will be targeted with ads. The question is not whether or not you will see ads, but whether they will they be customized to your profile, interests and behaviour or not.

Twitter

In late April, Twitter announced its approach to complying with the GDPR, in a blog post from Data Protection Officer, Damien Kieran. While not a lot of detail was provided on how the product will change for European users, a section of the Twitter website now states, We will create a bespoke experience that offers increased transparency around what we do with your data and how it is stored by Twitter’94.

Twitter has also updated it’s privacy policy, making it easier for users to manage personal information. Part of this has been as simple as making it visually clear and easy to use, as well as adding a download button and optimizing it for mobile and web.

In his blog post, Kieran goes on to mention: “Specifically, you’ll be encouraged to review our updated policies in full. You’ll then be brought to your individual Settings and Privacy section, where we will ask you to review your key current settings. You can leave them all as they are, modify each, and learn more about any of the individual settings before making a change…” While many other networks have already done so, Twitter will roll out privacy setting review notifications on May 25, and only to those users who have set an EU country as their location in their account.

Snapchat

Of all the social networks we cover, Snapchat may be in a unique position with the looming GDPR regulations due to its traditionally younger user base. Part of the new regulation includes a provision on children’s personal data, noting an individual must be over the age of 16 to consent to the processing of their data. A large percentage of Snapchat’s 187 million daily active users are younger teenagers, meaning the new regulation requires a change to the way Snapchat operates.

In response, Snapchat recently announced that it would no longer store location history for users under 16 years age. Geo-location features in Snapchat, as well as Snap Map which was launched around a year ago, allow users to view location-based snaps from their friends and other contacts who are close by.

Added to that, Snapchat has recently made some changes to it’s app, which make it easier for users to opt-out of certain high-level audience segments. Snapchat users are now able to opt-out of all first and third-party data targeting, if they wish to, in which case they will be shown non-personalized ads. A new privacy center will also allow Snapchat users to clear their search history, location data and Story settings.

LinkedIn

LinkedIn considers itself to be a data controller, and therefore has primary responsibility for ensuring compliance with GDPR. If, however, a LinkedIn member takes data off the platform, that user will then become the data controller and will be responsible for complying with the GDPR themselves.

When someone joins LinkedIn, they must expressly agree to terms which include the receiving of promotional and other messages from LinkedIn and their partners. Having said that, a member can already control which messages they receive by adjusting their communication preferences on the Privacy Settings page or using the unsubscribe options in the footer of messages as applicable (e.g. Sales Navigator InMails).

Focussing specifically on InMail – can you continue sending cold outreach messages via this tool? LinkedIn notes in their Help Center: In many cases, customers will not need to take any additional action to use LinkedIn’s Sponsored InMail products. However, if customers are providing personal data to LinkedIn to target Sponsored InMails, Customers should ensure that they have a legal basis and right under GDPR to provide LinkedIn any personal data (even in hashed email form) for advertising purposes. In other words, you can continue using InMail as you have been, but you must ensure that any additional data you are using to target these messages is GDPR compliant.

LinkedIn’s Sales Navigator tool has also been refreshed, with a view to complying with the GDPR. As well as a new UI and some new functionality, steps have been taken to ensure Sales Navigator meets GDPR requirements not only for European users, but for customers around the world. Part of this will see users able to export and delete their own Sales Navigator data. For more information, visit LinkedIn’s GDPR FAQ page.