The Danish rules on spam are an implementation of the rules on unsolicited communications in the ePrivacy Directive (02/58/EC) and the Directive on protection of consumers in respect of distance contracts (97/7/EC) and the DCO’s decision can thus contribute to interpreting these provisions in light of the relatively new Audience marketing practice.
Facebook’s Audience marketing functions enables businesses to target specific audiences of consumers who also have a Facebook account. The way it works: You provide one or more e-mail addresses to Facebook which in turn targets ads towards Facebook users with these e-mail addresses. You can also ask Facebook to target consumers who “look like” (has similar interests, etc.) the consumers behind the e-mail addresses – something called “Lookalike Audiences”. The e-mail addresses are used as “identifiers” but not as means for communication, as the e-mail addresses are not used by Facebook to send messages.
This marketing practice seems to raise some issues in terms of the law, both regarding marketing but also data protection. The DCO only commented upon the first issue; however the last issue is of relevance as well and will be analysed later on.
The marketing issue
The main task for the DCO was to identify what type of communication the Facebook ads are. Are they “direct electronic communication” (like SMS or e-mail) or “other means of communication”? This is essential in order to figure out whether consent is needed or not. In Denmark “direct electronic communication” requires active prior consent (opt-in).
The reasoning from the DCO was in this case very limited, but the DCO reached the conclusion that ads in the Facebook news-feed were to be characterised as “other means of communication”. Therefore no prior consent was needed provided it was possible to opt out from future commercial communications from that individual provider. As Facebook enables its users to hide ads and not receive ads from that particular source anymore, this was, according to the DCO, sufficient to fulfil this requirement because an opt-out facility was provided.
The marketing practice of using e-mail addresses to target consumers with ads on Facebook was therefore permitted according to the Danish Marketing Act.
It’s unfortunate that the DCO didn’t comment further upon why Facebook ads in the news-feed are to be considered other means of communication. We will however provide our own opinion in this regard at the end of this article.
The data protection issue
But before that, we will touch open the very relevant data protection aspect of the issue.
In this regard, there are two initial questions; (1) are Facebook processing personal information and (2) does Facebook act as a data controller or data processor in this regard?
Regarding the first question; if you take a look in the Custom Audience Terms, Facebook hashes the e-mail addresses on the provider’s computer before they are transferred to Facebook. However hashed information is still considered personal information as it relates to the original e-mail from which the hash is created. There is some debate regarding this, but for the sake of this article, the hash will be considered personal information.
Regarding (2); Facebook further states in the Custom Audience Terms that the hashed e-mail addresses “will only be used for the matching process, will not be shared with third parties or other advertisers and will be deleted promptly after the match process is complete“. In other words, Facebook doesn’t use the e-mail address for its own purpose which means they only process the information on behalf of the advertiser. Facebook therefore acts as data processor in this regard. Whether the Custom Audience Terms fulfil the requirements for being a valid data processing agreement is beyond the scope of this article.
The next question is; does the advertiser have a legal basis to use the e-mail addresses for this particular purpose? If the addresses are just gathered from LinkedIn contacts, then consent is probably absent.
The only relevant legal basis for processing in this regard seems to be the data controller’s overriding interests; does the advertiser have an overriding legitimate interest, compared to the data subject, in using the data subject’s e-mail address for Audience Marketing?
The purpose of marketing is in itself not an illegitimate interest. Also, the e-mails are hashed instantly, vastly improving security, and from the above, we know that the marketing practice is only considered “other means of communication” – a less invasive way of marketing. These things considered, good arguments can be made for allowing processing under the overriding interest-rule.
And finally; are the data subject properly informed? (In this context, the question will be answered according to the GDPR).
The time frame of this obligation (among other) depends on whether the e-mail address is collected from the data subject directly or from another source (e.g. LinkedIn). If the information is collected from the data subject, information must be provided “at the time when personal data is obtained” (GDPR art. 13), whereas if the information is not collected from the data subject, the information must “just” be provided (GDPR art. 14). Preamble 61 of the GDPR provides further guidance in this regard: “Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient“.
This means that in the above-mentioned example where the e-mail addresses are collected from LinkedIn, the data subjects must be informed before or at the time of passing the e-mail address on to Facebook. It is, in other words, possible to collect the e-mail address for this use, without informing the data subject at the moment of collection.
Concluding remarks and considerations
In conclusion, marketing via the Facebook Custom Audience functions are allowed under certain circumstances.
Regarding data protection, the overriding interest-rule is of particular interest; both in terms of the differing interests in each situation, but also in terms of how a relevant Data Protection Authority or court might apply it.
It’s also important to notice that the DCO’s interpretation (or the lack thereof) of how to consider Facebook ads on the news feed in a marketing law context might differ from country to country. There does, however, seem to be some good arguments supporting this interpretation.
Facebook ads appear on the “news-feed” (and sometimes in the right side bar). They don’t have the direct, personal character of an e-mail or an instant message in the Facebook Messenger, but they also don’t have the indirect, general character of normal ads on websites e.g. newspaper websites. They are somewhere in between, because the ads are based on your profile and therefore directed to you, but at the same time they don’t appear in “intimate places”, like your personal e-mail or text-message inbox.
It is however still a grey area and the increasing sophistication of marketing targeting algorithms can make Facebook ads, banners, etc. even more direct and “personal” than an e-mail or IM; some even think this is already the case.
It’s difficult to say where the line is drawn and the answer for now must be that it depends on the specific case, the state of the technology and what consumers in general should expect and not expect.