
GDPR and Facebook: How to keep advertising safe

If you are a seasoned marketer, you probably are well-acquainted with Facebook Ads. However, in order to advertise safely on Facebook, you’ll need to know all about Facebook Lead Ads and GDPR.

You might be wondering what GDPR and Facebook have in common. Well, in this article, we are going to dive into the meaning of GDPR and how it has affected social media marketing and lead generation strategies.

In addition, we’ll introduce automation integrations that help you get the best out of your Facebook Ads campaign, such as:

What is GDPR?

GDPR (General Data Protection Regulation) is a European law that stipulates businesses should protect the personal data and privacy of the EU audience for transactions that take place within the EU member states. 

It implements the rules for companies that collect, store, or process data on EU residents. That includes Facebook, Google, and other companies that use large amounts of data. It also involves companies that have a digital presence in the EU and companies worldwide that use people’s data in the European Union.

In 2022, 45% of Europeans were still worried about their privacy, even after GDPR was officially adopted in 2018. This fact concerned many advertisers, who continue to view these regulations as an obstacle to their ability to leverage user data. However, what is most concerning is that 41% of marketers admit to not fully understanding both the law and best practices that regulate the use of consumers’ data. Considering the recent friction between Meta and European Union regulators, matters have not been getting any easier. 

On the other hand, a Consumer Privacy study led by TRUSTe/NCSA found that 92% of online customers mention data security and privacy as a concern. And according to a report, 70% of customers think companies don’t use their data responsibly.

It goes without saying that businesses of all sizes need to be ever more careful in handling data security and customers’ privacy, especially since the scale and complexity of GDPR can easily lead to hundreds of millions of euros in financial penalties.

According to research published by Oxford Economics in 2019, the main reason for mistrust in the tech industry for 64% of people is the misuse of their personal data. It’s clear there is still a significant disconnection between consumers, their personal data, and how the companies that collect it should use it.

[Image: challenges organizations face (Source: SuperOffice)]

Discover all you need to know about GDPR compliance implementation here.

Why is GDPR important?

GDPR’s sole purpose is to protect people’s privacy. Many people are concerned about their privacy and about losing important information. The RSA Data Privacy & Security Report, a study of 7,500 consumers in France, Germany, Italy, the UK, and the U.S., found that 80% of consumers named unprotected banking and financial data as their top concern. Additionally, 75% of the respondents expressed concern about lost security information such as passwords and identity information such as passports or driving licences.

From these numbers, we can understand that people are concerned about their data being stolen on multiple levels and throughout multiple industries. The GDPR aims to protect that data, no matter what it is.

Types of data protected by GDPR

In order to comply with the GDPR, you need to know which types of data it covers. The following categories of data need protection:

  1. Identity information such as name, address, and ID numbers
  2. Web data such as location, IP address, cookie data, and RFID tags
  3. Health and genetic data
  4. Racial or ethnic data
  5. Political opinions
  6. Sexual orientation

How does GDPR affect advertising in the EU?

The EU General Data Protection Regulation covers a broad spectrum of marketing practices, both offline and online. As a result, almost every company which is actively trading in the EU needs to consider how the GDPR will affect its marketing activities.

However, complying with the GDPR regulations is a challenging task, especially when it comes to digital advertising.

In addition to basic requirements such as using an EU national language and EU currency (to stay compliant with EU trade regulations), you’ll need to find out whether you are:

  • Subject to the GDPR (for non-EU companies).
  • Up to date with consent-based marketing systems. This includes cookies, IP addresses, web beacons, tracking pixels, GPS data, etc.
  • In need of requesting “new” consent from all or some of your existing customers.
  • In need of a new system to streamline consent requests and to store and transfer data safely.

Depending on how your company functions and the nature of your products, you want to create processes whereby your user can see and interact with your consent request. This way, you can obtain their personal data consensually and automatically. 

How do Facebook Lead Ads & GDPR affect your company?

As a marketer, if you use, store, manage or analyze data of any kind, it means GDPR influences your company.

As an advertiser who uses Facebook, GDPR also affects you if you do business in the EU: even if your website merely uses cookies, visitors from the EU can land on your pages and opt into your newsletter. The main implications of GDPR for Facebook Lead Ads are as follows.
Complying with GDPR on Facebook Ads means that:

  • You have to inform your subscribers how you will use their data;
  • People must give their consent before you use their data. They are also free to withdraw their consent whenever they want;
  • It’s mandatory for you to show your customers their information whenever they demand to see it;
  • Users must be able to edit any piece of information they want;
  • Users hold the right to delete their information whenever they want.

Facebook Lead Ads complying with GDPR best practices

Facebook Lead Ads’ compliance with GDPR simply means that users must give permission for their information to be used. On the other hand, it requires advertisers to be transparent about how they are going to use it.

For example, when generating leads via Facebook Lead Ads, you must link your privacy policy in the ad in order to collect consent to use the data (see the example below). You can also add a dedicated form field, either mandatory or optional, to ask for users’ consent.

In short, this is not all bad news for businesses. If anything, it means that businesses will collect only the personal information of people interested in a specific product or service, which will most likely drive better results.

GDPR is an opportunity for companies to improve their business practices and strategies. In a report by the IBM Institute for Business Value published in May 2018, 59% of surveyed executives said that GDPR is “an occasion for transformation or a spark for new data-led business models”.

Facebook’s lead generation privacy policy

According to Facebook’s lead gen policy, you can run lead ads on Facebook or Instagram in a compliant manner as long as you maintain a privacy policy. Its purpose is to inform users about what you will do with their information, for maximum transparency and to build trust with your audiences.

The privacy policy must be placed where it is easy for users to find (in the website footer or an app’s settings menu). It needs to be both accurate and explicit about how user data is stored and used, for instance:

  • The types of information you gather
  • How this data is used
  • Whether you share this information with third-party entities
  • Whether users can control or delete the information whenever they want to
  • Your terms and conditions for complying with legal requests
  • Whether you inform customers when privacy procedures are modified
  • How users can contact you with questions or to request further information
  • The effective date of your privacy policy

Facebook’s Lead Ads policy requires you to include a link to your privacy policy in the Privacy section. However, the privacy policy cannot be linked directly as a PDF file, image, or direct download.

How has GDPR affected marketing?

GDPR has affected marketing, and how to do it properly, from two main standpoints: data permissions and data access.

Data permission

According to GDPR regulations, you can’t just assume that leads want to receive your promotional content and be contacted by you with offers and deals. Instead, you have to give them the option to make a deliberate choice to be contacted. How? By expressly asking for their consent.

This is easily done by adding a checkbox to your web form (for example) that potential customers have to actively tick in order to consent to being contacted. You also need to explain clearly what exactly you’re asking permission for and the purpose for which you’re going to use the data shared with you.

This has also affected how businesses conduct lead generation. GDPR compliance makes it “harder” to reach a large audience, since people need to actively give their consent. However, those who do give consent are necessarily interested in what you have to offer – and, therefore, more likely to convert. So, while you might collect less lead data, there’s a chance that data is of higher quality and generates a higher conversion rate.

We could say lead generation and GDPR actually go hand in hand: quality over quantity and a win-win for both parties. If you’d like to dig deeper into this topic, read our article about consent and permission-based marketing.

Now, let’s take a look at the example below for a visual representation of what to do and not do, to clearly understand how GDPR has affected marketing.

[Image: Contact form example for lead generation and GDPR (Source: SuperOffice)]

Data access

Given that people in the EU have the right to be forgotten – therefore, the right to have outdated or inaccurate personal data removed – GDPR also gives people a chance to have more control over their shared personal info. This means that not only can they decide whether or not to share it, but also to access it and revoke permission at any time.

Therefore, you have to ensure that your users can easily access their data and revoke permission to use it. How? That’s actually pretty easy. Inside your promotional emails, add a clearly visible “Unsubscribe” button linking to their customer profile, where they can manage their email preferences.

Take a look at the example below for another practical representation of how GDPR has affected marketing.

[Image: An example of how GDPR has affected marketing (Source: SuperOffice)]

GDPR & social media marketing

The connection between GDPR and social media marketing might seem a little blurry on the surface, but they are in fact strictly related. Here’s how!

Social media ads & remarketing campaigns

Ever since GDPR came into the picture, running remarketing ads to EU users requires that these individuals have already agreed to have their data processed. This must be done either through a previous, already existing sign-up or by creating an opt-in disclaimer about data usage within the ad.

On the one hand, this adds a few extra steps to your campaign, which provides users with more opportunities to drop out of your funnel. On the other hand, users who do go through with the process of giving consent are actually interested in your offer, and therefore more likely to convert.

To respect GDPR and social media marketing restrictions, just make sure you’ve thoroughly reviewed where and how you use lead data in your social media marketing strategy and clearly state that to the user, in order to gather consent.

Users on social media must accept your privacy policy

Before interacting with your ad and opting into whatever your offer is, GDPR and social media marketing restrictions require users to accept your privacy terms. This apparently insignificant action is actually pretty important, especially if users are required to take additional actions afterward – like filling out a form – once they’re on your ad.

Especially when browsing from mobile devices, you can understand how having to tap or scroll through the entire privacy policy might interrupt your user’s experience prior to opting in. With that said – if you are offering a valuable product or service – there is no way this can be an actual make-or-break deal for the user.

Facebook Lead Ads & GDPR

Since the GDPR officially took effect on May 25, 2018, Facebook has done everything in its power to abide by the GDPR and protect data according to the new law.

In fact, Facebook stated:

“Data protection is central to the Facebook Companies (Facebook and Messenger, Instagram, Oculus, and WhatsApp). We comply with current EU data protection law, which includes the GDPR. Our GDPR preparations were led by our Dublin-based data protection team and supported by the largest cross-functional team in Facebook’s history.”

Facebook provides plenty of information on the regulations and exceptions that apply to Facebook Lead Ads under the GDPR. Under the GDPR, a company can legally process a person’s data on one of the following grounds:

Contractual necessity

  • The data being processed must be necessary for the service provided to the individual, and outlined thoroughly in the contract between Facebook and that individual.
  • The data being processed must be accompanied by freely given and specific consent, expressed by affirmative action.
  • Under that same exception, people have the inalienable right to withdraw consent at any time.
  • The person giving consent must be at or over the age of consent; otherwise, consent must be given or authorized by a parent or guardian. This is to protect children on the Internet from having their data used.
  • Explicit consent must be given for some processing, for example of special categories of personal data.

Legitimate interests

  • Data may be processed if a business or a third-party entity has a legitimate interest that is not overridden by the individuals’ rights or interests.
  • Processing must be halted if the individual objects to it.


Get help navigating through GDPR landscape by using LeadsBridge’s integrations. Our data bridges enable you to easily and automatically connect Facebook Lead Ads to all your favorite marketing & advertising tools, and achieve GDPR-compliant & real-time lead data transfer. 

Learn more about lead generation with Facebook Lead Ads and remaining GDPR-compliant. 

Here are a few examples of Facebook Lead Ads integrations by LeadsBridge.

GDPR & Facebook products that are affected

1. GDPR & Facebook Pixel

As an advertiser on Facebook, you probably use the Facebook Pixel on your website to give your users a better experience, to learn about the people who use your services or products, and to show them relevant ads on Facebook.

The thing is, GDPR directly affects how advertisers use the Facebook Pixel: if you use it on your website, you are liable to comply with GDPR. Some examples of cases where you will need to get prospects’ consent include:

  • A retail website that uses cookies to collect information about the products people view on the site to target people based on their site activity with ads.
  • A blog that uses an analytics provider who uses cookies to capture aggregate demographic info about its readers.
  • A news media website that uses a third-party ad server to display ads, while the third party uses cookies to collect information about who views those ads.
  • A Facebook advertiser who installs the Facebook or Atlas pixel on its website to measure ad conversions or retarget advertisements on Facebook.

If you fall into any of these four categories, you’ll need to obtain consent from your users. You can do this by showing a message when the page loads for the first time; this is referred to as a “cookie banner”, and it tells users how to give their consent.

Secondly, you can obtain consent when they sign up for your offer. A free cookie consent notification tool will display a notification on your web page that users can accept or reject.

Or, you could install a server-based solution that allows you to track users’ behavior without relying on cookies: Facebook Conversions API. This tool performs as a top cookie-less tracking solution that marketers can use in addition to Facebook pixel. Find all the integrations for Facebook Conversions API with your favorite CRM and marketing apps.

Check out these top integrations available for Facebook Conversions API.

Need more info? Here’s everything you need to know about Facebook Conversions API.

Facebook’s Conversion Leads Optimization & GDPR

The Conversion Leads Optimization delivery option is the new feature for Facebook Lead Ads, helping advertisers improve the targeting quality of their campaigns. To put it in a few words, it helps present your ads to users who are most likely to become customers. To do that, however, you’ll need to feed your audience segments (including user data) back to Facebook, so that the platform can know who might be most interested. To sync this data and use Facebook Conversion Leads Ads, you’ll have to first implement Facebook Conversions API.

The GDPR legislation also affects conversion optimization under the new Consent rules, which control how companies can or cannot get consent from users to process their data (and later get in touch with them for marketing purposes).

With LeadsBridge, you can streamline the entire process using reliable integrations and transfer data securely. These data bridges ensure that your CRM is integrated with Facebook automatically and in real time. 

Facebook pixel privacy policy: What you need to know

The Facebook pixel contains five types of data sets:

  1. HTTP Headers: Including any data in HTTP headers (IP addresses, web browser information, page location, document, redirect, and organic visitors).
  2. Pixel Specific Data: Containing pixel ID and cookie.
  3. Button click data: Including the buttons clicked by website visitors, the CTA labels of those buttons, and the landing pages of those buttons.
  4. Optional values: Additional information about the visit, sent through custom data events.
  5. Form field names: Including website field names (email, address, and quantity).

The Facebook Pixel Privacy Policy mentions that any use of the above data must be compliant with current GDPR regulations. Additionally, it states:

“When using a Facebook image pixel or other Facebook Business Tools, you or a service provider must hash your Contact Information according to Facebook requirements before transmission.”

You or any of your third-party partners must not place pixels associated with your Business Manager or advertising account on websites that you do not own without Facebook’s written authorization.

Additionally, you need to display a clear and prominent notice regarding the collection, sharing, and use of Facebook Business Tools Data, allowing users to opt out of data collection for targeting ads and providing information on how they can contact you for further inquiries or clarifications. Ensuring privacy and security is essential for GDPR compliance and maintaining trust with your audience.

You must also illustrate and affirm that you have displayed a clear and prominent notice regarding the collection, sharing and use of Facebook Business Tools Data, including: 

“A clear and prominent notice on each web page where Facebook pixels are used that links to a page that clearly explains:

  1. Third parties, including Facebook, may use cookies, web beacons, and other storage means to collect or receive information from websites or from the Internet and use that data to provide measurement services and to target ads.
  2. How users can opt out of the collection and use of information for targeting ads.
  3. Where you can access the mechanism for making that choice.”

2. GDPR & Facebook Custom Audiences

Custom Audiences are audiences from your email list. You can upload the audiences to your Facebook Ads to target them directly. GDPR affects Facebook Custom Audiences too.

To understand why, we need to introduce the concepts of “data controller” and “data processor”. Depending on its role as a controller or a processor, a company has different responsibilities under the GDPR. A company is a “data controller” when it decides the purposes for which the data it collected is processed. It is a “data processor” when it processes data on behalf of a data controller (as Facebook does, in most cases).

What exactly is a data controller?

Uploading email lists or contact information into a Facebook Custom Audience makes you a data controller. GDPR stipulates that as a data controller, you must ensure that your subscribers give their consent before you can market to them. 

For example, if you have email lists of LinkedIn contacts, email addresses from business cards, purchased or scraped email lists, or pixel information shared by other parties without users’ consent, you need to delete that information from your Facebook ad account. According to the GDPR, you cannot market to these people, since you don’t have their consent.

The data controller is also responsible for choosing the data processor it submits the data to (Facebook, for example) and for verifying that it is GDPR-compliant.

Also, you must ensure that your Custom Audience lists are continuously updated so you can weed out those subscribers who have opted out of your list. This means they have withdrawn their consent from your marketing list.

The best way for companies to avoid manual work and the risk of human error is to automatically sync their Custom Audiences through a third-party provider like LeadsBridge.

LeadsBridge: A Facebook trusted partner

LeadsBridge is a cloud-based integration platform, both GDPR and Privacy Shield compliant, with a strong focus on consent-based marketing practices. For example, in the case of Facebook Custom Audiences, LeadsBridge converts personal data into hashed keys in real time (in vCPU memory) without storing any sensitive data anywhere.

LeadsBridge allows companies to safely and automatically sync their Facebook Custom Audiences, ensuring their data remains updated; this means refreshing lists with the data of users who gave permission to be targeted and eliminating the info of those who opt out.
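The two mechanics described above, hashing contact data before it is transmitted (as the Business Tools terms quoted earlier require) and refreshing a Custom Audience so that people who withdrew consent are removed, as an added Python example that is not Meta’s or LeadsBridge’s code. Email and phone normalization follow Meta’s published guidance (trimmed lowercase email; digits-only phone with country code and no leading zeros) and the digest is SHA-256; the Contact record, its consent flag and the default country code are assumptions made for this example.

```python
"""Hash contacts for a Custom Audience and plan an add/remove refresh.

Added example, not Meta's or LeadsBridge's code. Raw emails and phone numbers
never leave this module: only lowercase hex SHA-256 digests are returned.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    """One row of a CRM export (record layout constructed for this example)."""
    email: str | None
    phone: str | None
    consent: bool  # False once the person opts out / withdraws consent


def sha256_hex(value: str) -> str:
    """Lowercase hex SHA-256 digest, the form Meta expects for hashed keys."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def normalize_email(email: str | None) -> str | None:
    """Trim whitespace and lowercase; reject values that are not addresses."""
    if email is None:
        return None
    e = email.strip().lower()
    return e if "@" in e else None


def normalize_phone(phone: str | None, default_country_code: str = "44") -> str | None:
    """Digits only, country code included, leading zeros removed.

    '+44 20 ...' and '0044 20 ...' already carry a country code; a national
    number such as '020 ...' gets default_country_code prepended. The default
    of "44" is an assumption for this example, not a Meta rule.
    """
    if phone is None:
        return None
    raw = phone.strip()
    digits = re.sub(r"\D", "", raw)
    if not digits:
        return None
    if raw.startswith("+"):
        return digits.lstrip("0") or None
    if digits.startswith("00"):
        return digits[2:].lstrip("0") or None
    national = digits.lstrip("0")
    return default_country_code + national if national else None


def hashed_keys(contact: Contact) -> set[str]:
    """Every hashed identifier for one contact (email and/or phone)."""
    keys: set[str] = set()
    for norm in (normalize_email(contact.email), normalize_phone(contact.phone)):
        if norm:
            keys.add(sha256_hex(norm))
    return keys


def plan_sync(contacts: list[Contact], uploaded: set[str]) -> tuple[set[str], set[str]]:
    """Return (to_add, to_remove) for the audience.

    to_add    : keys of consenting contacts not yet in the audience.
    to_remove : keys already in the audience whose owner no longer consents
                or no longer appears in the export at all.
    """
    consenting: set[str] = set()
    for c in contacts:
        if c.consent:
            consenting |= hashed_keys(c)
    return consenting - uploaded, uploaded - consenting


if __name__ == "__main__":
    # Constructed sample export: one person in two formats, plus an opt-out.
    export = [
        Contact(" Alice@Example.com ", "+44 20 7946 0958", consent=True),
        Contact("alice@example.com", "020 7946 0958", consent=True),
        Contact("bob@example.com", None, consent=False),
    ]
    already_uploaded = {sha256_hex("bob@example.com")}
    add, remove = plan_sync(export, already_uploaded)
    print(f"add {len(add)} hashed keys, remove {len(remove)} hashed keys")
```

Because normalization runs before hashing, the two differently formatted rows for the same person collapse to one email key and one phone key, so the audience is not padded with duplicates.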

How to use LeadsBridge’s automation solution? Here are a few examples of integrations with Facebook Custom Audiences.

3. GDPR & Facebook Lookalike Audiences

Unlike Lead Ads and Custom Audiences, GDPR does not affect Lookalike Audiences.

The reason is that Lookalike Audiences use a “seed” audience of one of your Custom Audiences to search for new people to add to the lookalike audience. It makes a great option for top-of-funnel marketing since you don’t need these users’ permission to show your ads to them. However, to be more careful about GDPR and Facebook Lookalike Audiences, you should update your privacy policy.

This means you need to inform your audiences about how you intend to use their data. This can be done by inserting your privacy policy on your landing pages or including clickable links on your lead capture forms. The point here is to be transparent about how you use the data.

You can consult your lawyer to draft a suitable privacy policy that will ensure you use GDPR and Facebook lookalike audiences with the necessary consent-marketing implications.

You’ll also need to add a link to your privacy policy on every page of your website; this includes pages with email opt-ins. For instance, if you are driving traffic from a Facebook ad to a lead magnet, ensure that the page has a cookie consent banner, an email opt-in that complies with GDPR, and a link to your privacy policy.

What are the risks of non-compliance between Facebook Lead Ads & GDPR?

Great question!

Many people speculate that non-compliance with the GDPR laws will attract heavy fines, especially for big brands. But small businesses can also run into legal issues. For example, companies that violate GDPR best practices may be fined up to 4% of the annual worldwide turnover of the preceding financial year.

In its first preliminary report, the European Data Protection Board stated that only 52% of the 206,326 cases reported had been resolved, so many more fines are to be expected. So far, the largest GDPR fine was imposed on Amazon Europe by Luxembourg’s National Commission for Data Protection (CNPD): €746 million for not obtaining users’ consent before storing advertising cookies.

Facebook-Cambridge Analytica case study

Speaking of the legal consequences of breaching the users’ data privacy, let’s have a look at the Facebook-Cambridge Analytica case study.

Meta has agreed to pay $725 million to settle a lawsuit claiming improper use of users’ information by Cambridge Analytica, a data analytics firm used by the campaign of former U.S. president Donald Trump.

According to the case, the data of 87 million people was used without their knowledge. Meta, however, claims that these users had consented to the practices and suffered no actual damages.

“The amount of the recovery is particularly striking given that Facebook argued that its users consented to the practices at issue, and that the class suffered no actual damages,” the plaintiffs’ lawyers stated in the court filing.

Facebook’s data leak to Cambridge Analytica also provoked a global reaction, leading to government investigations into the company’s privacy practices over the past several years.

In 2020, Facebook CEO Mark Zuckerberg provided testimonies before Congress and also agreed to a $5 billion fine (as part of the Federal Trade Commission’s privacy case). 

However, this case goes back a few years further. In 2015, Facebook traced a data privacy violation to a Cambridge University psychology professor, who had used a personality test to harvest users’ data and passed it to Cambridge Analytica. Allegedly, this data was used to influence the U.S. election results.

Currently, Meta has agreed to pay $725m to settle legal action. However, the next court hearing is set for March 2, 2023, during which a federal judge is expected to finalize the settlement.

Final thoughts

The advertising world has entered a new era concerning data privacy and digital customer interactions. Making sure you comply with GDPR when using Facebook Lead Ads will keep you away from potential infringements. You’ll need to ensure that you comply with the law, especially if your business is dealing with EU audiences.

It’s important to stress again that complying with the GDPR best practices is not a limit for advertisers but rather an opportunity to step up their data-led business models while meeting the new law requirements. 

To recap the main Facebook advertising features: both the Facebook Pixel and Facebook Custom Audiences require businesses to ask for users’ consent to collect their personal information and to explain clearly how it will be used.

Unlike many other service providers, LeadsBridge doesn’t sell ads or trade user info. Instead, we offer automation to bridge the gap between your apps, in total compliance with GDPR and advertising regulations in the EU. Read our terms of service. 

Discover all our possible integrations for getting the best out of your Facebook campaigns. 

Dario Villi
