On 7 September 2020, the European Data Protection Board (hereinafter, “EDPB“) published Guide 8/2020 on the targeting of users of social medias (hereinafter, the “Guide“).

The aim of the Guide is to (i) identify the main subjects involved in social media advertising, and the responsibilities of their actions in these; (ii) identify the main risks and challenges posed by advertising campaigns aimed at users of these digital platforms.

The Guide begins by clarifying that the concept of “social media” must be understood in the broadest possible sense. In other words, it establishes the concept of “social media” as any online platform that allows the development of networks and communities among users, in which information and content can be shared.

Main subjects involved on social media

  • Users: registered or not on social media, including cases where they register under pseudonyms, but which can be individualised.
  • Providers: those who offer the service on social media and determine which data is processed, the purposes of such processing and the terms of such processing.
  • Advertisers: natural or legal persons who use the social media to direct specific messages to a particular group of users who meet certain parameters or criteria. They are those who determine the message and/or the audience of the message based on the characteristics, interests and/or preferences of the users.
  • Marketing service providers, data management providers, brokers and analysts who collect and process user data in accordance with their activity on social media.

Main risk of user trageting

The EDPB starts from the following targeting scheme or directed advertising, depending on how the personal data is obtained: (i) those directly and actively provided by the user; (ii) those obtained indirectly via the use made of the social media; or (iii) those inferred and generated by advertisers or publishers on the basis of the above categories. These targeting mechanisms carry a number of risks:

  • Carrying out processing that exceeds the privacy limits in terms of profiling activities carried out on social media and access by third parties. In other words, there is a high percentage of users who are unaware of their loss of control over personal data simply because they enter certain on social media.
  • Possibility of discrimination and exclusion, both directly and indirectly through the use of automated tools.
  • The misuse of the capacity to influence users, which becomes apparent in cases of manipulation in the purchase decision or in electoral processes.
  • The possible combination of data from social media with information obtained outside them, and the over-monitoring of people.

Main guidelines of the guide regarding the targeting of users on social media

We take a look to the main guidelines of the guide regarding the targeting of users on social media

Co-responsibility

It is important to highlight the co-responsibility between the social media editor and the Advertiser, who determines the criteria for selecting the most appropriate target audience. Both parties decide on the data to be collected, the purpose and the means jointly. Furthermore, this co-responsibility cannot be general but only applies to the specific campaign.

The Guide indicates what the co-responsibility agreement should contain and the levels of responsibility of the advertiser and the publisher of the social media. The obligations derived from Directive 2002/58/EC, of the European Parliament and of the Council, of 12 July (E-Privacy Directive) and the rules of automated data processing of Article 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April (RGPD) are taken into account.

Apart from this, the main legal bases for the processing of data are consent and legitimate interest. In other words, the data would be processed in accordance with the principles of adequacy, necessity and proportionality in relation to the interests and rights of the users. Whereas, some processing operations cannot be based on such legitimate interest, for example when a user is processed and monitored through different platforms, websites, locations, etc.

Furthermore, co-responsible parties must jointly determine whether and to what extent an impact assessment is carried out.

Treatment of special categories of data

The media provider and the recipient must determine whether the counselling activity involves the processing of special categories of personal data. If so, they must ensure that they can rely on one of the legal bases in Article 9 of the Data Protection Act for the processing of such data for selection purposes. The EDPB also distinguishes situations where processing involves special categories of data that are explicit, inferred, combined or made manifestly public and their legal implications.

Transparency

It must be made clear how its use of the social media and the activities that the co-responsible parties carry out will be monitored, and it must not be forgotten to report within the framework of co-responsibility in the terms of Articles 13 and 14 RGPD, and Article 26 RGPD. If further processing is carried out, apart from co-responsibility, compliance with Articles 6.4 and 14.4 RGPD must not be forgotten.

Given the fact that social media is currently one of the main channels of communication and a source of information and influence on the user, the presence of guidelines such as that of the EDPB is necessary to ensure their protection and respect for European regulations.