FAQ: How to stay compliant with Online Ads

This FAQ should not be regarded as legal advice or assistance and Voyado AB does not accept any liability for its correctness, use, and applicability to your business. Always consult your legal counsel for actual legal advice.

 

Which personal data is processed when using the Facebook Custom Audiences synchronization?

When synchronizing an audience or segment to a mapped Facebook Ads account, Engage will transmit the following hashed personal data (hashed using the SHA-256 algorithm) to Facebook:

  • Email address, phone number, first name, last name

Facebook will then identify the data if the individual has a Facebook profile and match the provided data with user profiles. Facebook will also feed in other data that Facebook has available from other sources to increase the efficiency of the company’s targeted ads and direct marketing in accordance with the audiences you as a marketer have chosen.

You cannot target direct marketing to a specific individual; the personal data is only used to target direct marketing at specific audiences.

Engage does not save any hashed data. According to information from Facebook, matched and unmatched hashed information is deleted after the creation of your matched custom audience. Please see Facebook's information here.

As a data controller, you need to make sure that you have a valid legal base for the processing and that you provide your users with sufficient information on the processing and the individual's rights.

 

Which personal data is processed when using the Google Customer Match synchronization?

When synchronizing an audience or segmentation to Google Customer Match, Engage will transmit the following hashed personal data (hashed using the SHA-256 algorithm), which will be matched with Google’s information:

  • Email, phone number, first name, last name

The following personal data is also transmitted but not hashed:

  • Zip code, city, and country code

The customers’ files will then be used to match your users to their Google accounts. Google keeps track of the email address and phone numbers for Google accounts and the corresponding hashed strings for those email addresses.

After you've uploaded your customer list of email addresses, Google Ads will compare each hashed string on your customer list with the hashed string for email addresses of Google accounts. If there's a match, Google adds the corresponding Google account to your Customer Match segments (Customer list).
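The hashing and matching described for both the Facebook and Google synchronizations, as an added example that is not Voyado's, Facebook's or Google's code. The field names, the normalization rules (trim, lowercase, phone as "+digits"), the `platform_index` lookup and all sample data are assumptions made for illustration.

```python
import hashlib

HASHED_FIELDS = ("email", "phone", "first_name", "last_name")
PLAIN_FIELDS = ("zip", "city", "country")  # sent unhashed for Customer Match

def normalize(field, value):
    # Assumed normalization (not taken from Engage): trim, lowercase,
    # and reduce phone numbers to "+<digits>".
    value = value.strip()
    if field == "phone":
        return "+" + "".join(ch for ch in value if ch.isdigit())
    return value.lower()

def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def build_upload_row(contact):
    # Hash the identifying fields, pass the location fields through as-is.
    row = {f: sha256_hex(normalize(f, contact[f]))
           for f in HASHED_FIELDS if contact.get(f)}
    row.update({f: contact[f] for f in PLAIN_FIELDS if contact.get(f)})
    return row

def match_accounts(upload_rows, platform_index):
    # Platform side: look up each uploaded email hash among the hashes
    # the platform holds for its own accounts.
    return sorted(platform_index[r["email"]]
                  for r in upload_rows if r.get("email") in platform_index)

# Constructed sample data.
CONTACTS = [
    {"email": " Anna.Berg@Example.com ", "phone": "+46 70 123 45 67",
     "first_name": "Anna", "last_name": "Berg",
     "zip": "111 22", "city": "Stockholm", "country": "SE"},
    {"email": "no.account@example.org", "first_name": "Nils",
     "last_name": "Ek", "country": "SE"},
]
PLATFORM_INDEX = {sha256_hex("anna.berg@example.com"): "account-1001",
                  sha256_hex("someone.else@example.net"): "account-1002"}

if __name__ == "__main__":
    rows = [build_upload_row(c) for c in CONTACTS]
    print(rows[0])
    print("matched:", match_accounts(rows, PLATFORM_INDEX))
```

A match only occurs when both sides hash the identical normalized string, so an address with stray whitespace or capital letters would not match if it were hashed as typed.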

Voyado does not save any personal data after the transmission.

As a data controller, you need to make sure you have a valid legal base for the processing and that you provide your users with sufficient information on the processing and the individual's rights.

 

What legal basis do I need for processing?

Ultimately, it is always up to the data controller to decide on the legal base, but we recommend always using consent since the purpose is direct marketing and you will be sharing personal data with Google and Facebook.

Further, Google as a service provider requires that you collect consent for:

  • Processing of personal data, the use of cookies, or other local storage where legally required
  • The collection, sharing, and use of personal data for personalization of ads

For more information on consent please see the links below:

For Google, please see information here and here.

For Facebook, please see information here.

 

Are there any requirements for the consents?

Yes, the consent must fulfill the GDPR requirements. This means that consent must be i) specific, ii) informed, iii) clear and iv) given freely. Thus, consent to the collection, sharing and use of personal data for personalization of ads may not be included as a part of the privacy policy, and simply clicking “I consent to the processing in the privacy policy” is not sufficient.

Instead, we recommend that you include a specific checkbox for Facebook and Google, for example as follows:

I agree that my email address may be transferred to and processed by [Facebook (Meta) and Google] for the personalization of ads. I understand that I may revoke my consent at any time. For complete information on the processing of personal data please see our privacy policy [insert link here].

 

Is there anything else I need to think about regarding consent?

When seeking consent, you also need to:

  • Retain records of consent given by the user
  • Provide the end user with clear instructions for revocation of consent
  • Provide all necessary information under the GDPR (see below for information to include in the privacy policy)

Which information do I need to provide in the privacy policy?

The privacy policy must include the following information:

  • Who the data controller is (Owner of site/customer club)
  • What personal data is being collected and how that personal data is being collected
  • What the legal basis for the collection is (e.g. consent, necessary for your service, legal obligation etc.)
  • For which specific purposes the data is collected. Is it Analytics? Email Marketing?
  • Which third parties will have access to the information. And if any third party collects data through pixels, widgets (e.g., social buttons), and/or integrations (e.g., Facebook connect)?
  • Where applicable, details relating to the transfer of personal data outside of the EU/EEA and which measures are put into place to facilitate this in a safe and compliant way (most companies use Standard Contractual Clauses as the legal base for the processing and information on the safety measures is usually included in an appendix to the data processing agreement – check with your service provider for information).
  • The rights of the users.
  • Description of the process for notifying users and visitors of changes or updates to the privacy policy
  • Effective date of the privacy policy
  • Contact details for the data controller and supervising authority

The information shall be provided in a clear and efficient manner. If the privacy notice is very long, the recommendation is that you use “collapsible fields” for the different headings.

Are there any kind of segments I should avoid synchronizing with Online ads?

You may not use Engage to process sensitive personal data (unless explicitly approved in writing) and you may not use Online Ads to create or target sensitive interest categories related to your customers.

“Sensitive data” may mean different things depending on the context. Usually, sensitive refers to the definition in article 9 in the GDPR and includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.

In addition to the legal definition above, service providers may have additional requirements on what is considered sensitive.

Furthermore, you may not use data from anyone under the age of 13 or target advertising to children under the age of 13. The age may vary depending on which country you collect and target data in; in some countries the age is 16.

For Google's policy on sensitive data please read more here.

For Facebook's (Meta) policy on sensitive data please read more here.
