Recent activity by a number of European data protection authorities on the use of the personal data of children has shone a light on the topic of profiling and targeting social media users. The European Data Protection Board (“EDPB”) published draft Guidelines 08/2020 on the targeting of social media users (the “Guidelines”) last year and specifically referenced children in noting that the "potential adverse impact of targeting may be considerably greater where vulnerable categories of individuals are concerned, such as children". The Guidelines are still in draft form as we await the results of the public consultation that ended in October. We recently published a briefing on the DPC's Fundamentals for Processing Children's Data and one of the key issues identified was profiling and advertising directed at children. With the increased regulatory focus on targeting, it is timely to reflect on the Guidelines and their possible implications.
The main aim of the Guidelines is to clarify the roles and responsibilities of social media providers and the natural or legal persons who communicate specific messages to users (“targeters”). They also set out a number of scenarios detailing the types of targeting and most relevant lawful basis for that type of data processing. This will allow stakeholders to identify the scenario that most closely matches their own situation.
The Guidelines state that social media users can be targeted on the basis of the following types of data:
- data provided by the user to the social media provider or the targeter;
- observed data (data obtained via observation by virtue of social plug-ins or other tracking technologies); and
- inferred data (data created by comparing the previous data set with existing models in order to predict or anticipate missing data).
As social media targeting becomes ever more popular, it is important that targeters and social media providers clearly understand their obligations under the GDPR. These Guidelines provide a good insight into how the EDPB views the role and responsibilities of social media providers and targeters and we await the final version from the EDPB later in the year.
Thanks to Grainne Bennett for assisting with this update.