Select Page

Ok, there are a lot of questions out there right now around how GDPR will affect Facebook ads and in particular, custom audiences.
Custom audiences include Lookalike audiences based on data you currently have, ie; mailing list/ customer list etc. These are SUCH an effective way of reaching new audiences that there is understandably some confusion around how they will work after GDPR, considering you are using customer data for a purpose other than direct marketing.

I have written a long post on it and sparked a discussion on my closed Facebook group FB Ads for Success (feel free to join).

Facebook have published a document outlining their responsibilities when the GDPR changes come into effect on May 25th 2018.

The information revolves around when FB is acting as a data controller (when they are providing us with data from their site or pixel) and when they are acting as a data processor (when we are creating customer audiences and they are processing the data we provide).

Read the full document here

This is their statement under FAQ’s which answers the question I am being asked the most.

Q: Under GDPR, do we foresee any restrictions in the way that brands use our platform and solutions?
A: When an advertiser is the data controller (e.g. data file custom audiences), they must ensure compliance with applicable law, including ensuring a relevant legal basis (for example, consent, contractual necessity or legitimate interests). Brands can continue to use Facebook platforms and solutions in the same way, but they are responsible for ensuring compliance with the applicable GDPR rules.

So essentially – if you are providing data for Facebook to create an audience for, then you are the Data Controller and as such, must ensure your data is collected in a compliant way, with proof of specific consent.
I know this is confusing for a lot of people and honestly, there isn’t a huge amount of clarity around it (even from Facebook).

My overall advice right now is to follow the steps your email provider (Mailchimp/ Getresponse etc) put in place, as their responsibilities include making the process easier for us by introducing new opt in processes.
The key word is consent, if you have a clear sign up process which states what the data will be used for, then you are in a good position.

Have you taken any steps yet to get your business GDPR ready? I would love to hear below.