
GDPR and Facebook: all you need to know to keep advertising safely

By Dario Villi | No Comments | 15th February 2021


If you are a seasoned marketer, there is a high probability you use Facebook Ads to grow your business. To keep advertising safely on Facebook, you need to know all about GDPR and Facebook.

Surely you are wondering what GDPR and Facebook have in common. Before we delve into that, let’s look at the meaning of GDPR.

GDPR (General Data Protection Regulation) is a European law that requires businesses to protect the personal data and privacy of the EU audience for transactions that take place within the EU member states.

This concerns many advertisers: as many as 52.8% of digital marketers consider government regulation, or the threat of regulation, an obstacle to their ability to leverage user data.

On the other hand, according to a Cisco Customer Privacy Survey taken in 2019, 84% of respondents expressed concern for data privacy. They believed that they should have more control over how their data is processed, and 80% of those people even went so far as to say that they would be willing to take action to defend it.

It goes without saying that businesses of all sizes need to be ever more careful in handling data security and customers’ privacy. According to research from Oxford Economics, the main reason for mistrust in the tech industry for 64% of people is the misuse of their personal data, and a survey conducted by The Harris Poll found that 75% of people who don’t trust a company with their data wouldn’t buy from that company, no matter how great its products and services were.

And again, according to the same Cisco Customer Privacy Survey that was mentioned just above, 48% of respondents said that they have already switched companies due to their data-sharing practices.


As you can see from the figure above, not only are the majority of people concerned about the misuse of their personal data within a company, but the percentage of concerned people has risen from year to year.

The issue of privacy is a serious one. If you want to know more about GDPR, in general, don’t miss out on our “dummy guide” on this topic.

So, to go back to GDPR and Facebook, what changes exactly?

It changes the rules for companies that collect, store, or process data on EU residents. That includes Facebook, Google, and other companies that use large amounts of data. It also involves companies that have a digital presence in the EU and companies around the world that use people’s personal data in the European Union.

Why is GDPR important?

GDPR helps to protect people’s privacy. Many people are concerned about their privacy and about losing important information. A study of 7,500 consumers in France, Germany, Italy, the UK and the U.S., reported in the RSA Data Privacy & Security Report, revealed that 80% of consumers said lost banking and financial data is a top concern, while lost security information such as passwords and identity information such as passports or driving licences was cited as a concern by 75% of the respondents.

From these numbers, we can understand that people are concerned about their data being stolen on multiple levels and throughout multiple industries. The GDPR aims to protect that data, no matter what it is.

Again going back to the Cisco Customer Privacy Survey of 2019, 47% of their respondents said that they trust a company that abides by GDPR regulations to handle their data more than one that does not.

Types of data protected by GDPR


In order to successfully comply with the GDPR law, you need to know the types of data affected. Below are seven specific kinds of data that need protection:

  • Identity information such as name, address, ID numbers

  • Web data such as location, IP address, cookie data, and RFID tags

  • Health and genetic data

  • Racial or ethnic data

  • Political opinions

  • Sexual orientation

How does this affect your company?

As a marketer, if you use, store, manage or analyze data of any kind, it means GDPR affects your company.

As an advertiser that uses Facebook, GDPR also affects you whether or not you do business in the EU, because if your website uses cookies, visitors from the EU can visit your pages and even opt into your newsletter. Below are the main implications of GDPR on Facebook Ads:

  • Complying with GDPR on Facebook Ads means you have to inform your subscribers how you will use their data.

  • Complying with GDPR on Facebook means that people must give their consent before you use their data. They are also free to withdraw their consent whenever they want.

  • Complying with GDPR on Facebook means it is mandatory for you to show your customers their information whenever they demand to see it.

  • Complying with GDPR on Facebook means it is required that users are able to edit any information they want.

  • Complying with GDPR on Facebook made it mandatory that users can delete their information whenever they want.

Complying with the GDPR best practices does not limit or hinder advertisers

It simply means that users must give permission for their information to be used and that advertisers must be transparent about how they are going to use them.

To give an example, when generating leads via Facebook Lead Ads you must link your privacy policy in the ad in order to collect consent to use the data (see the example below). You can also create a specific form field, either mandatory or optional, to ask for user consent (read more about it here), which a lot of advertisers are taking advantage of.



This is not bad news for businesses. If anything, it means that businesses will collect only the personal information of the people who are really interested in a specific product or service – which most likely will drive better results.

Amy Manus, vice president of the southeast region at Goodway Group, a programmatic partner agency, believes that GDPR will be beneficial for advertisers in another way as well. The new GDPR regulation will force companies to rethink and refine their strategy around what data matters, how to collect it, and how to implement it, while at the same time letting go of all the data that is not needed and is potentially dangerous in terms of a law violation. She believes that “streamlining their approach and strategy for how and what data they use is a necessary exercise many marketers have been putting off for some time.”

GDPR is, therefore, an opportunity for companies to improve their business practices and strategies. In a report by the IBM Institute for Business Value published in May 2018, 59% of surveyed executives said that GDPR is “an occasion for transformation or a spark for new data-led business models”.


Facebook and GDPR

Facebook is an extremely innovative company that is on top of this whole GDPR thing. Since the GDPR went into effect on May 25th, 2018, Facebook has done everything it possibly can to make sure it abides by the GDPR regulations and protects your data according to the new law.

In fact, Facebook can be quoted as saying the following:

‘Data protection is central to the Facebook Companies (Facebook and Messenger, Instagram, Oculus, and WhatsApp). We comply with current EU data protection law, which includes the GDPR. Our GDPR preparations were led by our Dublin-based data protection team and supported by the largest cross-functional team in Facebook’s history.’

Facebook provides plenty of information on the regulations and exceptions of the GDPR. Under the GDPR, a company can legally process a person’s data if one of the following legal bases applies:

Contractual necessity

  • The data being processed must be necessary for the service provided to the individual, and outlined thoroughly in the contract between Facebook and said individual.

  • The data being processed must be accompanied by freely given and specific consent by affirmative action.

  • Under that same exception, people have the uninfringeable right to withdraw consent at any time.

  • The person giving the consent must be at or over the age of consent; otherwise, consent must be given or authorized by a parent or guardian.

  • Explicit consent must be given for some processing, for example of special categories of personal data.

Legitimate interests

  • Data may be processed if a business or third party has a legitimate interest that is not overridden by the individual’s rights or interests.

  • Processing must be halted if the individual objects to it.

GDPR and Facebook products that the law affects

1. GDPR and Facebook Pixel

As an advertiser on Facebook, you probably use the Facebook Pixel on your website to give your users a better experience, and to identify the people who use your services or products so you can show them relevant ads on Facebook.

The thing is, GDPR affects the use of Facebook Pixel. If you are using Facebook Pixel on your website, you are liable to comply with GDPR. Some examples of cases where you will need to get the prospects’ consent include:

  • A retail website that uses cookies to collect information about the products people view on the site to target ads to people based on their activity on the site

  • A blog that uses an analytics provider who uses cookies to capture aggregate demographic info about its readers

  • A news media website that uses a third-party ad server to display ads, when the third party uses cookies to collect information about who views those ads

  • A Facebook advertiser who installs the Facebook or Atlas pixel on its website to measure ad conversions or retarget advertisements on Facebook

If you fall into any of the four categories above, you will need to obtain consent from your users. You can do this by showing a message when the page loads for the first time. This message, referred to as a “cookie banner”, tells users how to give their consent.

Secondly, you can also obtain consent when users sign up for your offer. A free tool you can use is a cookie consent notification: it displays a consent notice on your web page that users can accept or reject.
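The cookie-banner approach described above only works if the Pixel stays silent until the visitor actually accepts. The following is an added example (not code from the original post, from LeadsBridge or from Facebook) showing how to wire a banner's accept/reject buttons to the Pixel's consent commands, `fbq('consent', 'revoke')` and `fbq('consent', 'grant')`: the Pixel is revoked before `init`, so the `PageView` event is queued rather than sent, and it is only released when consent is granted. The pixel id, the storage key, the fake `fbq` used to exercise the logic offline, and the function names are all assumptions; in a real page you would pass the global `fbq` and `window.localStorage`.

```javascript
// Added example: gate Facebook Pixel tracking behind explicit cookie consent.
// Default-deny: nothing is sent until the visitor grants consent, and a
// stored decision is honoured on later visits without re-prompting.

const PIXEL_ID = 'PIXEL_ID_PLACEHOLDER'; // placeholder: substitute your own pixel id
const CONSENT_KEY = 'fb_pixel_consent';   // assumed storage key (hypothetical)

// Builds a consent gate around an fbq function and a storage object with
// getItem/setItem (window.localStorage in a browser).
function createPixelConsentGate(fbq, storage) {
  fbq('consent', 'revoke');     // must precede init: the Pixel queues, does not send
  fbq('init', PIXEL_ID);
  fbq('track', 'PageView');     // queued while consent is revoked

  const gate = {
    status() { return storage.getItem(CONSENT_KEY) || 'unknown'; },
    // Wired to the banner's "Accept" button.
    accept() {
      storage.setItem(CONSENT_KEY, 'granted');
      fbq('consent', 'grant');  // flushes queued events and enables tracking
    },
    // Wired to "Reject" or to a later "withdraw consent" link (the GDPR right to withdraw).
    reject() {
      storage.setItem(CONSENT_KEY, 'revoked');
      fbq('consent', 'revoke');
    },
    // Show the banner only when no decision has been recorded yet.
    needsBanner() { return gate.status() === 'unknown'; },
  };

  // Returning visitor who already accepted: grant without re-prompting.
  if (gate.status() === 'granted') fbq('consent', 'grant');
  return gate;
}

// Fake fbq for offline demonstration: records calls and models the Pixel's
// queue/flush behaviour so we can verify nothing is sent before consent.
function createFakeFbq() {
  const state = { consent: 'grant', queued: [], sent: [], calls: [] };
  function fbq(cmd, arg) {
    state.calls.push([cmd, arg]);
    if (cmd === 'consent') {
      state.consent = arg;
      if (arg === 'grant') { state.sent.push(...state.queued); state.queued = []; }
    } else if (cmd === 'track') {
      (state.consent === 'grant' ? state.sent : state.queued).push(arg);
    }
  }
  fbq.state = state;
  return fbq;
}

// Minimal in-memory stand-in for localStorage.
function createMemoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}

// Scenario 1: first visit, banner shown, visitor accepts.
function runFirstVisitAccept() {
  const fbq = createFakeFbq();
  const gate = createPixelConsentGate(fbq, createMemoryStorage());
  const sentBefore = fbq.state.sent.length; // 0: PageView is only queued
  const banner = gate.needsBanner();         // true: no decision stored yet
  gate.accept();
  return { sentBefore, banner, sentAfter: fbq.state.sent.length, status: gate.status() };
}

// Scenario 2: visitor rejects; later events stay queued and nothing is sent.
function runFirstVisitReject() {
  const fbq = createFakeFbq();
  const gate = createPixelConsentGate(fbq, createMemoryStorage());
  gate.reject();
  fbq('track', 'Lead');
  return { sent: fbq.state.sent.length, queued: fbq.state.queued.length, status: gate.status() };
}

module.exports = { createPixelConsentGate, createFakeFbq, createMemoryStorage, runFirstVisitAccept, runFirstVisitReject };
```

Note that the order matters: the `revoke` call has to come before `init`, otherwise the `PageView` fired at load goes out before the visitor has seen the banner, which is exactly the situation the cookie banner is meant to prevent.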

The second thing you need to consider is GDPR and Facebook Custom Audiences.

2. GDPR and Facebook Custom Audiences

Custom Audiences are audiences from your email list. You can upload the audiences to your Facebook Ads to target them directly. GDPR affects Facebook custom audiences too.

To understand why, we need to introduce the concepts of “data controller” and “data processor”. Depending on its role as a data controller or processor, a company has different responsibilities under the GDPR. A company is a ‘data controller’ when it decides the purpose of, and how to process, the data it collected, whilst it is a ‘data processor’ when it processes the data on behalf of the data controller (as Facebook does, in most situations).

What exactly is a data controller?

Uploading email lists or contact information into a Facebook custom audience makes you a data controller. GDPR stipulates that as a data controller, you must ensure that your subscribers give their consent before you can market to them. If you have email lists from LinkedIn contacts, email addresses from business cards, purchased or scraped email lists, or shared pixel information from other parties obtained without users’ consent, you need to delete the information from your Facebook ad account. You cannot market to these people according to the GDPR law. You are only allowed to market to users who have given you their consent.

The data controller is also responsible for choosing the data processor it submits the data to (Facebook, for example) and for verifying that the processor is GDPR compliant.

Also, on the path of compliance, you must ensure that your custom audience lists are continuously updated so you can weed out those subscribers who have opted out of your list. This means they have withdrawn their consent from your marketing list.

The best way for companies to avoid manual work and the risk of human error is to sync their custom audiences automatically through a third-party middleware, like LeadsBridge.

LeadsBridge: A Facebook trusted partner

LeadsBridge is a cloud-based integration platform that is both GDPR and Privacy Shield compliant, with a strong focus on privacy-safe best practices. For example, in the case of Facebook Custom Audiences, LeadsBridge converts the personal data into hashed keys in real time (in vCPU memory) without storing any sensitive data anywhere.

Using LeadsBridge helps companies to safely and automatically sync their Custom Audiences, making sure they are always updated with people who gave permission to be targeted. It’s both easy to use and free to try out, so that you, too, can create bridges between your favorite marketing tools.

The third thing to consider is GDPR and Facebook Lookalike Audiences.

3. GDPR and Facebook Lookalike Audiences

Unlike Lead Ads and Custom Audiences, GDPR does not affect Lookalike Audiences.


The reason is that Lookalike Audiences use a “seed” audience of one of your Custom Audiences to search for new people to add to the Lookalike audience. You don’t need their permission to show your ads to them. However, to be more careful about GDPR and Facebook Lookalike Audiences, you should update your privacy policy.

This means you need to inform your audiences about how you intend to use their data. Insert your privacy policy on your landing pages. The point here is to be transparent about how you use the data.

You can consult your lawyer to help you draft a suitable privacy policy that will ensure you use Facebook Lookalike Audiences in line with GDPR and with consent.

You also need to add a link to your privacy policy on every page of your website, including pages with email opt-ins. For instance, if you are driving traffic from a Facebook ad to a lead magnet, ensure that the page has a cookie consent banner, an email opt-in that complies with GDPR, and a link to your privacy policy.

What are the risks of non-compliance with GDPR and Facebook Ads?

Good question!

Many people speculate that non-compliance with the GDPR laws will attract heavy fines, especially for big brands. But small businesses can also run into legal issues. Companies that violate GDPR best practices may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.

In its first preliminary report, the European Data Protection Board stated that only 52% of the 206,326 cases reported have been resolved, so many more are to be expected. So far the average GDPR fine has been roughly €66,000 if we exclude the €50 million fine received by Google from the French data protection agency, which is currently the largest GDPR-related fine on record; the smallest is a measly €28.


The advertising world has entered a new era concerning data privacy and digital customer interactions. Making sure you comply with GDPR when using Facebook Ads will keep you away from potential infringements. You need to ensure that you comply with the law, especially if your business is dealing with EU audiences.

It’s important to stress again that complying with the GDPR best practices is not a limit for advertisers but rather an opportunity to step up their data-led business models while meeting the new law’s requirements.

To recap the main Facebook advertising features: both the Facebook Pixel and Facebook Custom Audiences require businesses to ask for the user’s consent to collect their personal information and to explain clearly how it will be used. Facebook Lookalike Audiences, on the other hand, do not carry the same requirements, so they can be adopted as usual.

What is your experience with GDPR and Facebook Ads? Let us know in the comments.

