Cold medicine when you catch the flu, outdoor clothing when you want to go hiking, diapers after you searched for baby care – targeted advertising on Facebook is everywhere. What many users don’t understand is how exactly advertisers target them on Facebook.
Facebook’s Custom Audience tool is one of many ways in which advertisers can find specific audiences on the platform. The tool allows them to get their message to people they already know, such as clients from their online shops or subscribers of their newsletters. It is one of the foundations of Facebook’s billion-dollar advertising business. It is also illegal, the way it is often used today.
Here’s how Custom Audience works: Advertisers upload a list with customer contact information like email addresses or phone numbers. Facebook then matches these with its own data to identify the desired audience. “In none of the cases we investigated, had companies informed their users, subscribers or customers that their contact information will be shared with Facebook”, explains Kristin Benedikt, head of the internet division at the Bavarian Data Protection Authority, in an interview with netzpolitik.org. Her office recently banned advertisers from using the tool and uploading people’s data to Facebook without explicit user consent. The Higher Administrative Court of the federal state of Bavaria upheld the decision in late 2018, after an online shop had appealed it.
We are certain that Facebook obtains additional information about users from matching email addresses, regardless of whether a person is already registered with Facebook. At the very least, custom audience data shows Facebook that a user is also a customer of a particular company or online store. This may seem harmless in many cases, but we have observed insurance companies that have uploaded email addresses, also online shops for very specific products. When an online pharmacy or an online sex shop shares their customer list with Facebook, we cannot rule out that this reveals sensitive data. The same applies when someone visits the online shop of a political party or subscribes one of their newsletters. In all of these instances custom audiences reveal granular insights. Facebook adds this information to existing profiles and continues to use it, without notifying users or giving them a chance to object.
Wide-ranging implications for other Facebook tools
Defenders of the tool such as the data broker Acxiom [PDF] point to the fact that the data matching only happens after the data has been hashed. Hashing is a popular pseudonymization technique that turns the advertisers’ customer data such as email addresses or phone numbers into short fingerprints before they are matched by Facebook, which does the same with its own data. In our interview Kristin Benedikt explains that from a data protection perspective this doesn’t change anything: “When one of the partners in the process can translate the hash code, the procedure cannot be anonymous. The whole purpose of Custom Audience is to find and address selected users.”
Benedikt argues that the decision has implications for the use of other Facebook tools, such as Lookalike Audience and the Facebook Pixel, even though the regulator only looked at the use of the specific version of Facebook Custom Audience that relies on contact lists. The Lookalike Audience tool allows advertisers to reach out specifically to people who have similar data profiles to those in their existing databases. The Facebook Pixel allows them to target people on Facebook who have previously used their websites and apps. Benedikt:
In our opinion usage of the pixel method also requires user consent in order to be permissible. Data processing under the pixel method is particularly extensive, tracking users across different websites and devices. This also applies to non-Facebook users. For users visiting a website tracking is neither expectable nor recognizable. Only those who are technically sophisticated can detect data processing in the background. This is neither transparent nor does the user have a real choice here.
Other European DPAs are showing interest
The case was decided under the federal German data protection law before the European Data Protection Regulation came into force in May 2018. “Nevertheless, we think that the relevant principles still hold under the GDPR”, Benedikt explains. She stressed that her office rules out that advertisers could rely on another legal basis for the data transfer. “At most, there would be the so-called balancing of interests. But in a case like this, in which the processing is opaque, the interests of data subjects in the protection of their data clearly outweighs the companies’ interest in advertising and sales.”
German Data Protection Agencies (DPAs) are organized between the 16 federal states and the federal government. In her interview with netzpolitik.org Kristin Benedikt explains that the Bavarian enforcement action has been coordinated with other German DPAs, giving reason to believe that this interpretation of the law is not unique to the Bavarian DPA.
According to Benedikt, DPAs in other European countries have also expressed interest in the court’s decision, “and asked us for the basis of our prohibition of using Custom Audiences. So far we only received encouraging feedback. From our perspective it actually is a very clear matter anyhow.“
After we published the interview on netzpolitik.org, a PR agency that represents Facebook reached out to us and pointed us towards the following section in the terms and conditions for Facebook’s Custom Audience tool: „Facebook will not give access to or information about the custom audience(s) to third parties or other advertisers, use your custom audience(s) to append to the information we have about our users or build interest-based profiles, or use your custom audience(s) except to provide services to you, unless we have your permission or are required to do so by law“ (emphasis added). While this passage can give the impression that Facebook wouldn’t add Custom Audience data to existing profiles, it leaves more than enough room for exception and shifts responsibility to advertisers („unless we have your permission“).
We’ve asked Facebook’s PR agency to explain how Facebook actually uses custom audience data, and specifically comment on claims that Facebook adds the data it obtains from advertisers to existing user profiles. Facebook declined to answer repeatedly.