Unless you've been living under a rock, you will know that Facebook has been in hot water with regards to data privacy and the Cambridge Analytica saga. 

This has acted as the catalyst to spark more talk about the General Data Protection Regulation (GDPR) which comes into effect on May 25th, 2018.

In this article, I'm going to explain what the GDPR is, how it will affect your business, and the impact it will have on running Facebook ads.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation is EU regulation impacting the data protection and privacy of all individuals living within the EU, in regards to how businesses collect and use their data.

gdpr

In a nutshell, the GDPR is making it harder for Facebook and other tech companies to share or leverage user data without consent.

Once this regulation goes live (May 25th, 2018), businesses that fail to meet the GDPR regulations can face fines of up to 4% of total revenue for that year (yes, 4%!).

If your business processes data relating to any European citizen, and you monitor or use their data, then this will impact you even if your business is not registered in the EU.

New opt-in feature on Facebook

The Facebook ecosystem right now runs like this: if you agree to use Facebook, Facebook will collect and make use of data to improve your user experience, and it will categorize you into specific interest groups or demographics based on your online footprint on Facebook, Instagram, WhatsApp, and other affiliate websites they own.

When GDPR regulation comes into action, Facebook will need to ask users for permission to collect their data.

Users can choose to opt out from everything if they wish. A user will also be able to ask Facebook to export all their data and hand it to them.

Users who opt out of having data collected will be allowed to use the Facebook platform without restrictions. 

If a user decides to opt in, then each time Facebook releases a new feature where user data will be mined or collected, they will need to ask the user again to opt in or opt out from the feature.

Users could be asked several times per year to opt out if Facebook makes several platform updates.

Opting in to one feature does not allow Facebook to automatically opt them in to all new updates.

The regulation also makes it clear that mining data to improve user experience or for marketing purposes is too vague and are not valid reasons any longer.

Facebook upgrading their privacy settings

Facebook has stated that it will soon launch a new privacy center tool that will act as a central database for users to control how their personal data is collected and shared.

They are also boosting posts and being more transparent about what data advertisers collect.

Data controller and data processors

To get a better idea on how this will impact your advertising efforts on Facebook and your business, you'll need to understand what a data controller and data processor is and what your responsibilities are.

Data controller – This is an entity that collects data. If you're uploading email lists on Facebook, then you're the data controller and must ensure that data meets GDPR regulations if you collect data from European citizens.

The key thing to realize here is that even if your business does not operate in the EU, the law still applies to you if you hold data of EU citizens.

This means, you'll need to show:

  • how your data was collected,
  • what you'll be using the data for,
  • that each user has agreed to you having their data,
  • how long you'll hold their data for,
  • that users have had the chance to opt out, and
  • that users are able to access all the data you have on them if they want.

For custom audiences, lookalikes, Instagram ads, and Lead Ads, your business will be the data controller.

When using Facebook's own detailed targeting, Facebook will be the data controller and it will be its job to ensure data meets the GDPR.

Data processor – This is the entity that handles, processes, and protects the data. In almost every case this will be Facebook and you'll have little to worry about.

Only when you run Lead Ads asking for personal data of users will you be the data processor. In this case you must make sure you comply with the GDPR when handling data of any European citizens.

Failure to comply may result in a fine of up to 4% of your company's total revenue.

How will the GDPR impact Facebook ads?

The first thing you need to understand is that Facebook users can opt out of how Facebook uses their data, but they cannot opt out from seeing ads on Facebook.

You'll still be able to use all the features as normal, but you'll have less data to work with when targeting the EU.

For example, if you decide to target the interest hot yoga after May 25th, 2018, then the size of that interest group may be 30% smaller as a result of users opting out of data sharing.

This 30% can still be targeted through Facebook, but you'll need to use more basic interest targeting such as location, age, or gender.

If you target the EU heavily, you'll need to make minor adjustments to the top of your funnel because the quality of the audience you now target will be weaker with limited information. 

Failure to adjust may result in you needing to buy more ad inventory than before, lowering your bottom line.

Or it may be beneficial; brands may leave the platform if they cannot open up ad inventory and lower ad spend.

Personally, I think there may be a short-term impact on running ads, but smart marketers always find a way to play within the rules and still win. You just need to make sure they are on your team.

What does this mean for you?

If you're operating in the EU or collecting personal data on European citizens, then the GDPR regulation will apply to your business.

This article is just an opinion piece on what this new regulation means for Facebook and advertisers. You should seek legal advice if you're confused about the GDPR and how it will impact your business.

What are your thoughts on the GDPR, and where do you see Facebook going next?