On 7 September 2020, the European Data Protection Board (“EDPB”) adopted draft guidelines on the targeting of social media users (the “Guidelines”).  The Guidelines aim to clarify the roles and responsibilities of social media providers and “targeters” with regard to the processing of personal data for the purposes of targeting social media users.

Targeting services allow natural or legal persons (i.e., targeters) to communicate specific messages to the users of social media in order to advance commercial, political or other interests.  The Guidelines state that the mechanisms social media providers can use to target users, as well as the underlying processing activities, may pose significant risks to users, including loss of control over their personal data, discrimination and exclusion as a result of targeting on the basis of special categories of personal data, and manipulation through misinformation.  The Guidelines also raise specific concerns in relation to children.

The Guidelines consider (i) the actors and roles involved in targeting on social media, and (ii) the application of key data protection requirements and key elements of the arrangements between the actors.

The Guidelines identify the following actors in the targeting process:

  • Social media providers are entities who offer online services that enable the development of networks and communities of users, among which information and content is shared.  The Guidelines note that social media providers have the opportunity to gather large amounts of personal data relating to users’ behavior and interactions, both on- and off-platform, to generate insights about those users. Importantly, the Guidelines provide that this is not limited to “traditional” social media platforms, but also covers dating platforms, video-streaming platforms and computer games with a social function (such as allowing players to play in groups).
  • Targeters are natural or legal persons who use social media services to direct specific messages at a set of social media users on the basis of specific parameters or criteria (known as “micro-targeting”) in order to advance commercial, political or other interests, e.g., as part of raising brand awareness or a campaign strategy.
  • Users are individuals who have registered with a social media service, as well as those who are not registered but who can access and use some or all of the service’s features. Users may be considered “data subjects” in accordance with Article 4(1) of the GDPR.
  • Other actors may be relevant depending on the nature and structure of the targeting, such as players in the adtech market (e.g., ad networks or ad exchanges).

The Guidelines explain how social media providers and targeters may target users on the basis of provided data, observed data and/or inferred data, as well as a combination thereof:

  • Provided data is data the user actively provides to the social media provider and/or the targeter, e.g., their e-mail address, age or name.
  • Observed data is data passively provided by the user to a social media provider by virtue of their use of the service, such as through their activity on the platform (e.g., content the user has shared, consulted or liked), or the devices on which the user accesses the social media services (e.g., geo-location data, mobile telephone number).
  • Inferred data is data that is created by the controller on the basis of provided or observed data, e.g., a social media provider or a targeter might infer that a user is likely to be interested in a certain activity or product based on their web browsing behaviour or network connections.

The respective data protection roles (i.e., controller, processor or joint controller) and associated responsibilities of social media providers and targeters will depend on the nature and structure of the targeting, as well as the source(s) of the personal data involved.  The Guidelines contend that in many cases, the social media provider and the targeter will be joint controllers for at least some of their processing activities involved in targeting.  In those cases, the Guidelines state that the social media provider and the targeter must put in place a joint controller agreement (“JCA”) which encompasses all processing operations for which they are jointly responsible, and the essence of the JCA must be made available to the user.  The JCA should also be sufficiently detailed to ensure each of their respective responsibilities is clearly delineated. However, while each controller may have different degrees of responsibility in relation to specific obligations under the JCA, they each remain responsible for the compliance of processing as a matter of principle.

The Guidelines also address how targeting can comply with other principles and obligations under the GDPR, including transparency and the right of access, the use of data protection impact assessments and the lawful bases and derogations for the use of special categories of personal data for targeting purposes.

The Guidelines are open for public consultation until 19 October 2020.  We will continue monitoring their progress until they are finalized.

This post was written with assistance from Stacy Young, a trainee solicitor in the London office.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Shona O'Donovan

Shóna O’Donovan is an associate in the technology regulatory group in the London office. She advises clients, particularly in the technology industry, on a range of data protection, e-privacy and online content issues under EU, Irish and UK law.

Shóna advises multinational companies on complying with EU and UK data protection and e-privacy rules. She regularly defends clients in regulatory investigations and inquiries, and provides strategic advice on incident response. She advises clients on existing and emerging online content laws, including those affecting intermediary services and audiovisual media services. In this context, she regularly advises clients on the intersection between online content and privacy rules.

Shóna also counsels clients on policy developments and legislative proposals in the technology sector, and the impacts of these developments for their business.

In her current role, Shóna gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.