Privacy & Data Protection

Targeting consumers on social media platforms

Author: Preslav Baldzhiev

In its development, technology has always strived for accessibility and efficiency. Following these two principles, letters have been replaced by e-mails, which in turn are giving way to messages sent through social media platforms. This has allowed platforms such as Facebook, Twitter, Instagram, and others to engage so many users that few people do not yet have an account/profile.

The impact social media platforms have on their users has not gone unnoticed by traders and entrepreneurs who want to market their goods and services to many consumers. This small detail is the key to the so-called ‘targeting’, which is at the heart of social networks as we know them, namely, full of ads for products that consumers need.

What is targeting?

Targeting is a tool whose sole purpose is to show an ad to a certain category of people. Targeting uses a specific set of personal data (age, location, email address, etc.) to create the criteria by which the target group will be selected. The target group will receive the ad in various forms – as an email message, or as an ad displayed on a web page or in the newsfeed on the social media platform – and some advertisers (most often mobile operators) use phone calls to offer their goods and services. To be lawful, targeting must be based on one of the legal grounds set out in Article 6 of the GDPR. From this explanation, four categories of participants involved in targeting can be identified:

  • Users – These are the people who make up the target group. The target group is determined by criteria that are based on the personal data provided by the user. The user is a person who is registered to use a service, in this case a person who has created an account/profile on a social media platform.
  • The Social media platform provider – This is a natural or legal person who has developed and who provides a certain online service through which its users develop their e-communities. In these e-communities, users can share their ideas and exchange information. Every social media platform provider is a Data Controller – in order to create a social media profile/account the user must provide their personal data (different social media platforms process different personal data).
  • Targeter – These are natural or legal persons that use the services of a social media platform to direct a specific message (advertisement) to a group of users of the same social media platform, a group defined by specific parameters and criteria (the target group). Targeting such messages (ads) can be done in different ways – by placing an advertising banner, by sending the message to an email address, by placing an ad in the newsfeed, and others. In most cases, the targeter also acts as a Data Controller.
  • Other relevant actors – This includes Data brokers. Data brokers are individuals who collect information (such as interests, locations visited, dates of birth, etc.) and determine a person’s interests. This information is offered to larger companies, which in turn use it for targeting purposes. Often, social media platform providers also act as information brokers.

Since the social media platform provider and the targeter can act as Data controllers in a targeting campaign, an agreement should be reached between them to define their responsibilities and obligations as such.

As Data controllers, they may process any information that is not defined as a special category of personal data. Special categories of personal data are information such as racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, as well as genetic information, biometric information processed for the sole purpose of identifying an individual, health information, or information about the sex life or sexual orientation of the natural person. There are also exceptions to this rule (Article 9 (2) of the GDPR), the most important being the data subject’s permission to process such information.

What are the risks of targeting?

Targeting turns out to be a mixed blessing, mostly because of the processing of personal data. Such processing can endanger the fundamental rights and freedoms of citizens, and the most common problems are:

  • Personal data loss or misuse – The most striking example of such misuse is the scandal with Cambridge Analytica and Facebook in 2018.
  • Manipulation – Messages that are partially or completely incorrect can be directed to a specific target group. This problem has become extremely acute against the background of the fake news that has flooded the Internet in recent months.
  • Lack of free access to information – This is a similar case to manipulation. Targeted people can be shown the same type of messages that defend the same opinions on a given issue. At the same time, the target group may be “flooded” with excessive information, among which the essential data may be lost.
  • Discrimination – Discrimination is an extremely complex issue. Targeting can be considered discriminatory simply because it has excluded a certain group from the target audience.

Targeting mechanism

Targeting is possible through three different mechanisms, depending on how the information used is obtained:

  • Targeting consumers on the basis of provided data;
  • Targeting consumers on the basis of observed information;
  • Targeting consumers on the basis of inferred data.

Targeting consumers on the basis of provided data to the Social media platform

Here, the information provided is any type of information that the user has provided to the social media platform provider or the targeter. Most often this is information that the user enters when creating a profile/account on the relevant social media platform (date and place of birth, age, gender, etc.). The social media platform provider and the targeter are joint Data controllers only for those processes for which they have jointly determined the manner and purpose of the processing of personal data – they cannot be joint Data controllers before the targeting criterion is created or when using the data after the targeting campaign has ended.

In this case, Data controllers may base the targeting on two legal grounds:

  • Consent of the user (data subject) – “Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11) GDPR). Consent can always be used, but for it to be a valid legal ground, it must meet several conditions:
    • The Data controller should be able to demonstrate that the data subject has freely given his or her consent.
    • If the consent is given by a declaration concerning other matters, the request for consent must be clearly distinguishable from everything else.
    • The data subject must be able to withdraw his consent as easily as he has given it.
  • Legitimate interest – A legitimate interest can be relied on as a legal ground if three conditions are met simultaneously:
    • The data controller must pursue a legitimate interest;
    • The processing of personal data is necessary to achieve this legitimate interest;
    • The fundamental rights and freedoms of the data subject should not take precedence over the legitimate interest.

When there are joint Data controllers, each of them must prove their legitimate interest and the need to achieve it – it may vary depending on the situation.

Targeting consumers on the basis of provided data to the Targeter

In this case, the user provides his information directly to the targeter, who uses the personal data for the purposes of advertising on social media platforms. Such targeting is based on the “list-based” principle – the targeter provides the social media platform provider with a list of email addresses or phone numbers. The social media platform provider checks the data provided by the targeter against the data it has collected itself and, depending on the criteria, the matching users are added to or removed from the target group. The targeter and the social media platform provider act as separate Data controllers during the initial collection of information (before targeting). From the moment the targeter provides the social media platform provider with the list of collected email addresses and telephone numbers, they begin to act as joint Data controllers and remain in this role until one of them deletes the data.

Targeting can be based on two legal grounds:

  • Consent of the user (data subject) – The requirements for the given consent also apply here;
  • Legitimate interest – A legitimate interest would be a valid legal ground if the consumer is aware that:
    • His personal data will be used to advertise similar or identical goods/services that he uses;
    • He has the right to object both before the beginning of the processing and against any subsequent processing of his personal data.

Targeting consumers on the basis of observed information

Observation is a mechanism used by social media platform providers to monitor the behavior of their users (locations, browser history, etc.). Such collection of information is possible through:

  • Pixel-based targeting – For pixel-based targeting, code fragments are embedded in the targeter’s website. When a user visits, these fragments are activated and they start sending information to the respective social media platform provider until the visitor leaves the site. This principle is similar to the security of a shopping center – the user visits the store (in this case the website), the cameras (code fragments) track his every move and give information to the security guards (providers of the social media platform). Cookies are an example of such a fragment.

When using pixel-based targeting, the targeter and the social media platform provider act as joint Data controllers, because by embedding the coded fragment, the targeter influences the way the social media platform collects information. On the other hand, such data collection would not be possible without the developed social media platform code.

A key element of pixel-based targeting is user awareness – the controller of a website using pixel-based targeting must notify each user who visits his website about the service used and ask for his consent.

  • Geo-targeting – Geo-targeting is a function that determines the target group based on its location. This is possible through the GPS system, and in some cases through the cells of mobile operators. In order for the targeter to collect information via the GPS function of the mobile device, the GPS function must be turned on and the relevant application/site must have permission to track the location of the user. Here, too, the targeter and the social media platform provider are joint Data controllers – the provider, because he collects data about users, and the targeter, because he can determine the location of users according to his criteria (example: the criterion is to show ads to users who are at a distance of 400 meters from a particular store).

Targeting consumers on the basis of observed information can only be based on the consent of the user (data subject). Consent is the only valid legal ground, as the processing involves information that is directly related to the behavior of the user and his location. All rules that bind the Data controller apply here.

Targeting consumers on the basis of inferred data

Inferred data is information that the Data controller has created on the basis of the personal data that he has collected (whether provided directly by the user or observed). Thus, the Data controller can obtain additional information about users, such as their interests, based on the history of pages visited, keywords used in search engines, shared and liked content, and others (profiling). This can be explained with an example: A user notes in his profile that he is a fan of French cheeses. From this, it can be concluded that the same consumer would like certain varieties of red wine that go well with his favorite food. There are also joint Data controllers here.

Profiling itself is “any form of automated processing of personal data, in the form of the use of personal data to assess certain personal aspects related to an individual, and in particular to analyze or forecast performance aspects, the professional duties of that individual, his economic situation, health, personal preferences, interests, reliability, conduct, location or movement.”

The legal ground will depend entirely on the specifics of the case, and each of the grounds set out in Article 6 (1) of the GDPR may be applicable to a specific situation.

Regarding profiling, it is important to mention that it leads to a certain automated decision (in this case, whether to show ads or not), which in turn can have a significant impact on the subject of the automated decision. The assessment of whether such influence would take place is made on a case-by-case basis by Data controllers. The data subject may not be the subject of the automated decision itself if it would give rise to significant legal consequences. There are exceptions to this rule:

  • If the data subject has consented to such decisions;
  • If the automated decision concerns the conclusion of a contract between the data subject and the Data controller;
  • If the controller is authorized by EU law or by a Member State of which the data subject is a national.

Agreement between joint Data controllers

As mentioned above, two or more Data controllers must enter into an agreement setting out their responsibilities and obligations (Article 26 (1) of the GDPR). As the agreement will also be provided to the data subject, it must contain:

  • Information about the Data controllers;
  • Information about the Data protection officer (if any);
  • Information about the supervisory authority;
  • The purposes and legal grounds for the collection and processing of personal data (if the processing is based on a legitimate interest, it must be indicated);
  • Recipients of the collected personal data;
  • Term for which the data will be stored and processed;
  • Rights of the data subject (right to rectification, right to be forgotten, right to withdraw consent, right to appeal to a supervisory authority, etc.);
  • How the duties and responsibilities are distributed among the joint Data controllers:
    • The responsibilities of joint Data controllers are not always joint and several. In most cases, the responsibilities are determined by their participation in the processing of personal data and by the actions they have taken in this regard.

Data Protection Impact Assessment

The Data Protection Impact Assessment shall be carried out “Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 GDPR). Such an impact assessment is necessary if the nature of the advertisements, the advertised products/services, or the way in which they are advertised may have a serious effect on the target group, which effect needs to be further investigated. In the case of joint Data controllers, both need to participate in the implementation of the assessment, unless otherwise agreed in the agreement between them (even if only one controller performs the impact assessment, this does not exclude the responsibility of the other).

An impact assessment must contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Conclusion

Targeting has become a powerful advertising tool provided by social media platforms. On the one hand, it is useful both for the targeter who is looking for potential customers and for the consumer who would benefit from the offered product/service; on the other hand, the use of such mechanisms proves how wrong it is to claim that a person can remain anonymous on the Internet. To ensure the security and protection of users visiting cyberspace, the EU pays close attention to any change in online services and changes its legislation in a timely manner to keep pace with the developing world.

This material, prepared by Preslav Baldzhiev, aims to provide more information about targeting consumers on social media. It does not constitute a legal opinion and cannot be interpreted as individual consultation on any concrete facts or circumstances. The advice of a specialist should be obtained for specific questions and situations. For more information on the above-mentioned issues and individual consultations, please contact the team of the law firm of Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of the website.

Since 2017 Preslav Baldzhiev has been a law student at Sofia University “St. Kliment Ohridski”, having previously graduated from the High School of mathematics and natural science “Acad. Nicola Obreshkov” in Burgas. In February 2020 he took a course for industrial property representatives at the Patent Office of the Republic of Bulgaria in the field of trademarks, geographical indications, and industrial designs. He is interested in intellectual property, personal data protection, commercial law and the law on obligations and contracts, and also regularly attends conferences, practical courses, seminars, and webinars.
