In a statement released on 4 January 2023, the Irish Data Protection Commission (DPC), which acts on behalf of the European Union, announced that a fine of €390 million has been imposed on the Meta Group (Facebook, Instagram and WhatsApp). The cause? Failure to comply with the transparency obligations of the GDPR.
Indeed, after an investigation, the Data Protection Commission considers that “users did not have sufficient clarity on the processing operations that were carried out on their account”.
User consent required for targeted advertising
It must be said that this decision is not surprising. On these social networks, you have probably already been shown small advertising windows without ever being asked for your consent or being allowed to refuse this type of content.
On the one hand, these banner ads help customers see products or services that interest them and make for a more pleasant user experience when they browse your site. On the other hand, they can be discriminatory when the targeting touches on a more personal issue. In any case, although this type of marketing is more or less effective, it is still prohibited if the user does not give their consent.
Meta now has three months to bring its processing operations into compliance with GDPR. Meta must obtain users’ consent to use their personal data by offering them an opt-in or opt-out option.
The meaning of the opt-in and opt-out options
The “opt-in” option means obtaining the consent of the person to whom the advertisement is addressed: if they have not said “yes”, it is “no”. In this case, you are not allowed to send them advertising content.
Conversely, the “opt-out” option is when the person receiving the advertisement has not objected: if they have not said “no”, it is “yes”. If this is the case, you have the green light to share your targeted ads.
Steps to ensure compliance with targeted advertising
As a business or organisation, you have the responsibility and the obligation to comply with the GDPR: asking users for consent to see your targeted ads is just one of its requirements. Here are 3 steps to staying compliant with consent-based targeted marketing:
Step 1: Know the regulations that apply to you
Get an overview of the privacy and data protection laws that apply to your company’s activities. For example, if your business has customers in the EU, you will need to review the requirements put in place by the GDPR to make sure their personal data is managed properly.
Step 2: Obtain user consent before serving targeted ads
Generally, banner ads are best used to reflect the desires or needs of consumers. However, they are still prohibited if consent is not given. Although it is not a “contractual obligation”, obtaining consent from your users to provide customised advertisements is the right step to take. In accordance with the GDPR, consent must be obtained through opt-in.
In addition to running targeted ads on your own platform, you may in some cases be running them on third-party platforms. In this case, you will also need to obtain user consent and ensure that your organisation understands the policy requirements of the third-party platforms with regard to consumer data. Your users’ privacy is your responsibility and you have the duty to respect it.
Step 3: Use understandable, concise and clear communication
In Article 5(1)(a), Article 12 and Article 13(1)(c), the GDPR highlights the need for transparency about personal data processing when communicating with data subjects. As a company, make sure you use clear, concise and easy-to-understand language for your users. Inform them about the personal data you collect and how you use it.