Recent activity by a number of European data protection authorities on the use of the personal data of children has shone a light on the topic of profiling and targeting social media users. The European Data Protection Board (“EDPB”) published draft Guidelines 08/2020 on the targeting of social media users (the “Guidelines”) last year and specifically referenced children in noting that the "potential adverse impact of targeting may be considerably greater where vulnerable categories of individuals are concerned, such as children". The Guidelines are still in draft form as we await the results of the public consultation that ended in October. We recently published a briefing on the DPC's Fundamentals for Processing Children's Data, and one of the key issues identified was profiling and advertising directed at children. With the increased regulatory focus on targeting, it is timely to reflect on the Guidelines and their possible implications.

The main aim of the Guidelines is to clarify the roles and responsibilities of social media providers and the natural or legal persons who communicate specific messages to users (“targeters”). They also set out a number of scenarios detailing the types of targeting and most relevant lawful basis for that type of data processing. This will allow stakeholders to identify the scenario that most closely matches their own situation.

The Guidelines state that social media users can be targeted on the basis of the following types of data:

  • data provided by the user to the social media provider or the targeter;
  • observed data (data obtained via observation by virtue of social plug-ins or other tracking technologies); and
  • inferred data (data created by comparing the previous data set with existing models in order to predict or anticipate missing data).

The Guidelines also state that generally the two lawful bases that would be available for targeting are consent and legitimate interests. However, whether these are applicable will depend on each individual situation. For example, if a controller uses cookies, pixels or social plug-ins, the ePrivacy Directive will apply and such processing activities will always require consent. The Guidelines also state that it would not be possible to rely on contractual necessity as a lawful basis for targeting activities.

The Guidelines note that the relationship between a social media platform and a targeter will often be that of joint controllers. This means that they would need to implement a joint controller agreement that addresses their respective obligations and responsibilities. Each joint controller is responsible for ensuring that the essence of this arrangement is made available to users. This can be done by referring to the arrangement in the privacy policy and making it directly accessible by a link on the website or platform. Prior to initiating any targeting operations, controllers must establish whether any of the processing operations will be "high risk" to individuals and determine whether the targeting requires a data protection impact assessment to be carried out.

As social media targeting becomes ever more popular, it is important that targeters and social media providers clearly understand their obligations under the GDPR. These Guidelines provide a good insight into how the EDPB views the role and responsibilities of social media providers and targeters, and we await the final version from the EDPB later in the year.

Thanks to Grainne Bennett for assisting with this update.