Facebook’s Commitment to GDPR
When Facebook serves as a data processor advertisers are responsible for ensuring data they share complies with the GDPR. If you’re using Facebook’s data file Custom Audience product to reach your customers, you must ensure compliance for their processing of the personal data for the purpose of serving advertising to those customers. For all Custom Audiences you target on Facebook, you should:
- Get specific consent from individuals to store and use their personal data
- Disclose that data may be used to target advertising
- Allow individuals to opt out of sharing their data
- Not block individuals from using your site if they opt out.
Lead Ads may also raise some interesting questions for data privacy, though Facebook’s GDPR team is still in the process of reviewing this product suite.
In most cases, Facebook serves users and advertisers as a data controller. If you’re using Facebook’s on-platform advertising tools, Facebook’s serving of the advertisement is undertaken using its own data as a data controller, and they are responsible for ensuring compliance including by providing notice and establishing a legal basis. Businesses can be confident that Facebook as a data controller complies with the GDPR in this case.
You can view the official statement from Facebook, in its entirety here.