Guidelines 08/2020 on the targeting of social media user

The need to adopt an harmonized European framework on the targeting of social media user (hereinafter also referred to as “Social media targeting”) comes from their significant role and development achieved in the online environment over the past decade.

For the purposes of these guidelines, social media are understood as online platforms where individuals register themselves in order to create “accounts” or “profiles” to interact with one another by sharing user-generated or other content and to develop connections and networks with other users. At the same time, many social media services can, however, also be accessed by individuals without having registered (i.e. without creating an account or profile), with the sole difference that this last category access to limited characteristics respect to the others individuals registered.

A distinguishing characteristic of targeting is the perceived fit between the person or group being targeted and the message that is being delivered. The underlying assumption is that the better the fit, the higher the reception rate (conversion) and thus the more effective the targeting campaign (return on investment). Organisations now have the ability to target individuals on the basis of a wide range of criteria. For the reason that, such criteria may have been developed on the basis of personal data which users have actively provided or shared, or which has been observed or inferred, either by the social media provider or by third parties, and collected (aggregated) by the platform or by other actors (e.g. data brokers) to support ad-targeting options, targeting mechanisms need to grant the compliance with the data protection law.

The main aim of these guidelines is therefore to clarify the roles and responsibilities of the main actors, the potential risks for the rights and freedoms of individuals and to tackle the application of key data protection requirements (such as lawfulness and transparency, DPIA, etc.).

The combination and analysis of data originating from different sources, together with the potentially sensitive nature of personal data processed in the context of social media, creates risks to the fundamental rights and freedoms of individuals. From a data protection perspective, many risks relate to the possible lack of transparency and user control with particular reference to the role of the different actors and the processing operations involved.

A second category of risk relates to potential possible manipulation of users. Targeting mechanisms are, by definition, used in order to influence the behaviour and choices of individuals, whether it be in terms of their purchasing decisions as consumers or in terms of their political decisions as citizens engaged in civic life.

The potential adverse impact of targeting may be considerably greater where vulnerable categories of individuals are concerned, such as children. In fact, targeting can influence the shaping of children’s personal preferences and interests, ultimately affecting their autonomy and their right to development.

With specific reference to the role of parties involved, social media providers offer an online service that enables the development of networks and communities of users, among which information and content is shared. Social media services are typically offered through web browsers or dedicated apps, often after having requested the user to provide a set of personal data to constitute the user’s “account” or “profile”.

The social media provider determines the functionalities of the service. This in turn involves a determination of which data are processed, for which purpose, under which terms, as well as how personal data shall be processed. This allows for the provision of the social media service but also likely the provision of services, such as targeting, that can benefit business partners operating on the social media platform or in conjunction with it.

These guidelines use also the term “targeter” to designate natural or legal persons that use social media services in order to direct specific messages at a set of social media users on the basis of specific parameters or criteria. Targeters can engage in targeting to advance commercial, political, or other interests.

Targeters may directly use targeting mechanisms offered by social media providers or enlist the services of other actors, such as marketing service providers, ad networks, data management providers (DMPs) and data analytics companies. These actors are part of the complex and evolving online advertising ecosystem (which is sometimes known as “adtech”) that collects and processes data relating to individuals (including social media users) by, for example, tracking their activities across websites and apps. Data brokers and data management providers are also relevant actors playing an important role in the targeting of social media users.

As stated in the judgments Wirtschaftsakademie (C-210/16), Jehovah’s Witnesses (C-25/17) and Fashion ID (C-40/17), the CJEU decided that the administrator of a so-called “fan page” on Facebook must be regarded as taking part in the determination of the purposes and means of the processing of personal data. According to the submissions made to the CJEU, the creation of a fan page involves the definition of parameters by the administrator, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page; therefore, the administrator also participates in determining the purposes of the processing of personal data as a “Controller”.

The administrator is a joint controller for the processing of personal data of the visitors of its ‘page’, together with the social media provider. These controllers may be involved at different stages of the processing of personal data and to different degrees. In such circumstances, the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case

In Fashion ID, the CJEU decided that a website operator can be a considered a controller when it embeds a Facebook social plugin on its website that causes the browser of a visitor to transmit personal data of the visitor to Facebook. The qualification of the website operator as controller is, however, limited to the operation or set of operations in respect of which it actually determines the purposes and means. As a result, the CJEU ruled that the liability of the website operator is: “limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.

The role of these actors involved changes regarding with the source of personal data as follows: a) to “Provided data” (information actively provided by the data subject to the social media provider and/or the targeter); b) observed data provided by the data subject by virtue of using a service or device or c) targeting on the basis of “inferred data” or “derived data” are created by the data controller on the basis of the data provided by the data subject or as observed by the controller.

Other legal requirements that all actors may keep in mind to be compliant with data protection law regard the arrangement of joint controllership, pursuant to Article 26 GDPR. The arrangement has not to be superficial and incomplete but it should therefore contain (or refer to) all necessary information to enable both parties to comply with their obligations under the GDPR, including their respective responsibilities and duty to comply with the principles under Article 5(1) GDPR, to provide the information referred to in Articles 13 and 14 GDPR. and to demonstrate their “accountability”.

Additionally, both joint controllers should check the list of processing operations “likely to result in a high risk” adopted at national level under Article 35(4) and recitals (71), (75) and (91) GDPR to determine if the designated targeting matches any of the types of processing operations subject to the requirement to conduct a DPIA, accordingly to Guidelines of EDPB on the data impact assessment. 

If the processing involves special categories of data, controllers process these data if they can meet one of the conditions set out in Article 9(2) GDPR only, such as having obtained the data subject’s explicit consent or the data have been manifestly made public by the data subject.

These guidelines are very important for all sectors of the market given the wide application of all players of profiles, accounts, profiled advertising and use of social networks. They must bear in mind that all these activities involve the processing of data of interested parties that must be protected and that the regulations on the application of personal data, with particular regard to these guidelines under comment, impose specific obligations that are not only formal but substantial.