New draft guidelines from the European Data Protection Board (EDPB) on social media are clarifying roles and responsibilities for platforms, users and advertisers. The draft guidelines are open for public consultation until October 19, 2020 and can have far reaching implications if not watered down by lobbyism.
When SoMe (social media) tagets users based on detailed profiles about the users, the social media platform and the advertiser are joint controllers and both consent and legitimate interest can be legal bases for data processing. In the latter case it must be on a case-by-case basis, and the result of the assessment must be documented.
With custom-audience targeting, where the advertiser gives the social media platform access to data about their own customers, EDPB sees the advertiser and the platform as independent controllers. The advertiser can rely on legitimate interest to run the campaign, “if it previously provided appropriate notice and opportunity for users to opt out so that the campaign is within the individual’s reasonable expectations,” according to Wilson Sonsini.
If advertisers use location-based targeting on SoMe to target individuals, where they are, the advertiser and the platform are joint controllers (the platforms are collecting location data if we allow them) and advertisers must obtain consent for location-based targeting. Legitimate interest can thus not be used here.
If SoMe gets data via third-parties, e.g. from plug-ins placed at other websites, who then allow the SoMe platform to get data on their users, the advertiser and the platform are joint controllers. When allowing this, the third-party website are jointly liable with the platforms in the way they treat personal data and thus must not only get consent for its own collection of data but also for the social media’s use of that data.
When it comes to collecting data over time and from various gadgets and used for automated decision making, consent is always required.
‘Advertising’ is simplified
We often hear that individuals say, I don’t care about getting ads for this and that. But using ‘advertising’ in explaining massive collection of data and profiling is too simplified, according to the EDPB. Individuals should be clearly informed about what types of processing activities are carried out and what this means for them in practice.