On 7 September 2020, the European Data Protection Board (“EDPB”) adopted draft guidelines on the targeting of social media users (the “Guidelines”).  The Guidelines aim to clarify the roles and responsibilities of social media providers and “targeters” with regard to the processing of personal data for the purposes of targeting social media users.

Targeting services allow natural or legal persons (i.e., targeters) to communicate specific messages to the users of social media in order to advance commercial, political or other interests.  The Guidelines state that the mechanisms social media providers can use to target users, as well as the underlying processing activities, may pose significant risks to users, including loss of control over their personal data, discrimination and exclusion as a result of targeting on the basis of special categories of personal data, and manipulation through misinformation.  The Guidelines also raise specific concerns in relation to children.

The Guidelines consider (i) the actors and roles involved in targeting on social media, and (ii) the application of key data protection requirements and key elements of the arrangements between the actors.

The Guidelines identify the following actors in the targeting process:

  • Social media providers are entities who offer online services that enable the development of networks and communities of users, among which information and content is shared.  The Guidelines note that social media providers have the opportunity to gather large amounts of personal data relating to users’ behavior and interactions, both on- and off-platform to generate insights about those users. Importantly, the Guidelines provide that this is not limited to “traditional” social media platforms, but also dating platforms, video-streaming platforms and computer games with a social function (such as allowing players to play in groups).
  • Targeters are natural or legal persons who use social media services to direct specific messages at a set of social media users on the basis of specific parameters or criteria (known as “micro-targeting”) in order to advance commercial, political or other interests, e.g., as part of raising brand awareness or a campaign strategy.
  • Users are individuals who have registered with a social media a service, as well as those who are not registered but who can access and use some or all of the service’s features. Users may be considered “data subjects” in accordance with Article 4(1) of the GDPR.
  • Other actors may be relevant depending on the nature and structure of the targeting, such as players in the adtech market (e.g., ad networks or ad exchanges).

The Guidelines explain how social media providers and targeters may target users on the basis of provided data, observed data and/or inferred data, as well as a combination thereof:

  • Provided data is data the user actively provides to the social media provider and/or the targeter, e.g., their e-mail address, age or name.
  • Observed data is data passively provided by the user to a social media provider by virtue of their use of the service, such as through their activity on the platform (e.g., content the user has shared, consulted or liked), or the devices on which the user accesses the social media services (e.g.,  geo-location data, mobile telephone number).
  • Inferred data is data that is created by the controller on the basis of provided or observed data, e.g., a social media provider or a targeter might infer that a user is likely to be interested in a certain activity or product based on their web browsing behaviour or network connections.

The respective data protection roles (i.e., controller, processor or joint controller) and associated responsibilities of social media providers and targeters will depend on the nature and structure of the targeting, as well as the source(s) of the personal data involved.  The Guidelines contend that in many cases, the social media provider and the targeter will be joint controllers for at least some of their processing activities involved in targeting.  In those cases, the Guidelines state that the social media provider and the targeter must put in place a joint controller agreement (“JCA”) which encompasses all processing operations for which they are jointly responsible and the essence of the JCA must be made available to the user.  The JCA should also be sufficiently detailed to ensure each of their respective responsibilities are clearly delineated. However, while each controller may have different degrees of responsibility in relation to specific obligations under the JCA, they each remain responsible for the compliance of processing as a matter of principle.

The Guidelines also address how targeting can comply with other principles and obligations under the GDPR, including transparency and the right of access, the use of data protection impact assessments and the lawful bases and derogations for the use of special categories of personal data for targeting purposes.

The Guidelines are open for public consultation until 19 October 2020.  We will continue monitoring their progress until they are finalized.

This post was written with assistance from Stacy Young, a trainee solicitor in the London office.