Is Facebook Custom Audiences compatible with German data protection law?

With its “Custom Audiences” tool, Facebook promises advertisers to target both existing and potential customers directly. However, the ability of Facebook Custom Audiences to let advertisers reduce wastage when deploying their ads is just one side of the coin. The other is the fact that, ever since it was launched back in 2014, doubts have been raised as to the tool’s compliance with privacy laws, in particular by the Bavarian Data Protection Authority (BayLDA). We already reported on the supervisory authority’s assessment on the risk of administrative fine proceedings in its 6th activity report for 2013/2014. On page 30 of its recently published 7th activity report for 2015/2016, the BayLDA points out that the use of Custom Audiences is currently being investigated in a random selection of businesses that operate websites with integrated online shops, and that the imposition of fines is still being discussed. Yesterday, the BayLDA once again expressed its opinion on the admissibility of Custom Audiences in a press release (in German); when it comes to data protection, it still takes a critical view of the tool.

Contents

How does Facebook Custom Audiences work? Facebook essentially offers two product specifications for the deployment of dynamic ads: “Custom Audiences from your Customer List” and “Custom Audiences from your Website”. The former lets the advertiser upload certain customer lists to Facebook – based on emails, phone numbers, Facebook user IDs or mobile advertiser IDs – from its CRM database, which are then ‘hashed’, meaning they are transformed into checksums (hash values), and subsequently compared with other checksums generated from Facebook user data. If the checksums match, then existing and potential customers can be deliberately shown targeted ads on Facebook, Instagram and in apps and on mobile sites via Audience Network. Facebook also provides this feature to retailers for the ‘point of sale’ area, calling it Offline Custom Audiences. In the case of Custom Audiences from your Website, the target group extends to visitors to the advertiser’s own website. This means it is possible to tailor ads, for example, for potential customers who have put a product into the shopping basket, or customers who have already purchased products. This involves incorporating a tracking pixel (Facebook Pixel) in the head section of the advertising company’s website, which marks website visitors and recognises them the next time they visit the social network. To this end, Facebook explains, the pixel uses browser information, visited websites and a hashed Facebook ID of the website user. This makes it possible for advertisers to employ retargeting, i.e. to target website visitors again with Facebook ads by means of Facebook ID-based cross-device tracking. Since 2016, Facebook has offered website operators a so-called “Advanced Matching” feature for the Facebook Pixel. By installing the ‘extended’ pixels, for example at an online shop’s checkout or on a registration page, customer data entered there, such as a person’s email address, phone number, first and last names, town, postal code, gender and date of birth as well as transaction data, can be transmitted to Facebook automatically. This apparently also uses hashing. Details on the functionality and implementation of the Facebook Pixel can be found here (in German). In addition, there are further options such as “Custom Audiences from your Mobile App”. Finally, it is also important to mention the creation of so-called Lookalike Audiences, which makes use of the spreading effects of the vastly interwoven Facebook network to target users who resemble an existing Custom Audience, the fans of an existing Facebook page or users of a Facebook Pixel.

Is Facebook Custom Audiences’ use of customer lists permissible under data protection law? In its press release published yesterday, the BayLDA assumes that the permissibility of using Custom Audiences from customer lists must depend on consent having been granted within the meaning of Section 4a of the Federal Data Protection Act (BDSG). Despite the use of the hashing process, it argues that the data transmitted are at least personal for Facebook, which is why the procedure requires justification from a data protection perspective. It found no evidence of any legal basis for such activities. In fact, despite the use of the “SHA-256” hashing algorithm, which can certainly be described as state of the art, one cannot assume that any effective form of anonymization occurs. This is because the data are merely in pseudonymized form, meaning they can be described as personal data from Facebook’s perspective. Facebook could theoretically compare the uploaded CRM data with those in its own system and thus clearly assign the data provided to a specific Facebook user. The hash values only prevent re-identification by third parties. But that’s unlikely to be the end of the debate. It is true that the BayLDA takes into account the recent decision of the ECJ in the “Breyer” case, according to which legal bases not considered to be of pertinence should always involve a balancing of interests, so as to ensure the interpretation’s compliance with European law in harmony with Art. 7 letter (f) of the EU Data Protection Directive. Due to the use of pseudonymization as an expression of a protective instrument, it seems impossible to completely rule out a balancing of interests in favour of the advertiser, although the BayLDA assesses such a balancing of interests differently. One might also question the assessment of the addendum which Facebook makes available to advertisers. It has not yet been conclusively established whether this document can be considered a contract for the commissioned processing of data within the meaning of Section 11 of the BDSG. In the absence of any mention of this in its press release, the BayLDA appears not to assume that the contract may have a legitimating effect on the transmission of the data. This legal question can also be judged differently, because the agreement expressly also refers to the subsequent use, and the advertiser is supposed to be fully responsible for the further processing.

Is Facebook Custom Audiences’ use of website visitors permissible under data protection law? Contrary to a handful of media reports, the BayLDA has by no means declared “Custom Audiences from your Website” to be lawful. In fact, it has indicated that Section 15 Para. 3 Sentence 1 of the German Telemedia Act (TMG) would only be considered a suitable permissive rule if the conditions were met in full. The supervisory authority takes the view that website operators do not currently implement the right of objection in the manner required under data protection law. The information requirements arising from Sections 13 Para. 1 and 15 Para. 3 Sentence 2 of the TMG would need to be fulfilled, which includes specifying the parties responsible (website operator and Facebook), the product name, the type of personal data, the processing purposes, information about cross-site tracking as well as instruction on the ‘opt-out’ procedure. For the classical design of Website Custom Audiences, reference may be made to Section 15 Para. 3 Sentence 1 of the TMG as a permissive rule, since the retrieved data sets can be regarded as pseudonymized usage data. If, on the other hand, Advanced Matching is used and all inventory data are transmitted to Facebook additionally, this precludes any recourse to Section 15 Para. 3 of the TMG. It is doubtful whether the general statutory justifications can also be used here, because there are limits to simply citing the ‘balancing of interests’ clause under Art. 7 letter (f) of the EU Data Protection Directive, especially considering the extent to which data subjects’ data are passed on to Facebook. As regards the implementation of the right of rejection, it should be pointed out that, in the “Terms for Custom Audiences From Your Website” published on 13 January 2017, the advertiser is reminded of its duty to offer means of objecting to retargeting. Reference is made to the provision of links to ‘opt-out’ solutions as part of self-regulatory programmes for usage-based online advertising organised by associations like the “European Interactive Digital Advertising Alliance (EDAA)” and the “Digital Advertising Alliance (DAA)”, which Facebook also adheres to. The BayLDA also stressed that such general opt-out possibilities are inadequate. Indeed the supervisory authority has reason to believe that user behaviour is recorded despite being deactivated on the platforms. Equally unhelpful, it is argued, is the feature Facebook provides in its settings for Facebook members to deactivate ads, because this only serves to prevent the display of advertising messages, but not the processing of data in the background. Instead, it is up to advertisers to create their own means of ‘opting out’. One conceivable option requiring little effort would be for them to implement their own ‘opt-out’ cookie by programming corresponding JavaScript code. According to the BayLDA, this would require a “persistent HTML5 storage object” with an unlimited validity period. However, it should be borne in mind that smaller companies in particular may simply lack the capacities for their own ‘opt-out’ solutions. In this context, it is up to Facebook to create similarly direct ‘opt-out’ alternatives that can be accessed via a button in its privacy policy, as is already practised by Google Analytics and Adobe Analytics. In instances where e-commerce providers configure their websites in such a way that browser data, along with users’ hashed Facebook IDs, are transmitted to the social network, it is still unclear to what extent – if at all – the former have a responsibility in terms of data protection pursuant to Art. 2 letter (d) of the EU Data Protection Directive. The necessary legal certainty may be provided by the pending preliminary ruling procedure at the ECJ on the responsibility of website operators who integrate social plugins directly into their sites. The structure of the processing operations is comparable in this respect.

What about using Facebook Custom Audiences for now? The BayLDA at least makes it clear for companies in its own federal state that by using the tool they risk administrative fine proceedings and even prohibition orders. They also face the threat of warnings and lawsuits from competitors, because advertising-related data protection regulations are largely defined as market conduct provisions within the meaning of Section 3a of the Act against Unfair Competition (UWG). Ultimately, the newly introduced Section 2 Para. 2 Sentence 1 No. 11 of the Injunctive Relief Act (UKlaG) enables consumer associations to object to corresponding data protection violations by means of warnings and lawsuits. A similar approach by data subjects themselves is thus also conceivable. All in all, the unclear legal situation means that tools like Facebook Custom Audiences pose at times considerable risks for companies in Germany. Thanks to the individual tracking pixel code on the respective website, competitors can also determine at any time whether violations have ceased or are being perpetuated. But the old adage that he who is without sin should cast the first stone even applies in matters concerning data protection. And companies whose operations are 100% data protection-compliant are a little bit like unicorns – no one has ever seen one. At present, the only way for advertisers to completely cover their own backs is to obtain consent from data subjects. Besides this, the Bavarian data protection authority attaches great importance to providing transparent information in the privacy policy about how everything works and about the required right of objection. In the case of Custom Audiences from customer lists, the advertiser can implement data subjects’ right of objection or revocation by means of instructions in Facebook’s Power Editor, for example by deleting the respective target group. Facebook at least says that it will remove the hashed data completely. Until Facebook provides an ‘opt-out’ solution for Website Custom Audiences, advertisers should consider developing their own ‘opt-out’ cookies. The attorneys-at-law at Spirit Legal would be glad to advise you on implementing the individual product specifications of Facebook Custom Audiences.