compliance with GDPR and ePrivacy Directive

Marketing 2024: correct use of social media and adtech networks

Marketing refers to any actions a company enacts to attract an audience to the company’s product or services through high-quality message delivery conducted in different ways. Marketing aims to deliver standalone value for prospects and consumers through content, with the long-term goal of demonstrating product value, strengthening brand loyalty, and ultimately increasing sales.

Segmentation of marketing as direct or indirect is based on the method of audience targeting and the nature of the message.

Marketing is direct if communication (meaning advertising or marketing material) is directed to specific individuals on the basis of previously established criteria. The Article 29 Working Party (WP29) has provided guidance on the scope of the term ‘direct marketing’ and emphasized that this term includes any form of sales promotion, even including direct marketing activities of charities and political organisations (e.g., for fundraising purposes). The direct marketing message does not need to offer something for sale; it could be a promotion of a free offer or of the sender’s organisation in some way.

Marketing is indirect if it is not directed to specific individuals (for example, untargeted website banners).

Depending on the medium or channel through which a marketing message reaches an audience, marketing can also be classified as digital or non-digital. The difference is simple: digital marketing uses digital channels such as websites and social media as tools for marketing communication, while non-digital marketing involves traditional channels, like billboards and printed media.

The collection and further use of data for marketing activities is mostly regulated by the General Data Protection Regulation (GDPR) and, in several cases, by Directive 2002/58/EC (ePrivacy Directive).

The GDPR applies to all direct marketing communications, whether communicated by post, phone, fax, electronic mail, or otherwise. It also applies to online advertising targeted at individuals based on their internet browsing history.

The ePrivacy Directive applies to “digital” marketing communications, that is, direct marketing communicated over electronic communications networks, such as by phone, fax, email, and Short Message Service (SMS)/Multimedia Messaging Service (MMS); it does not apply to postal marketing. The ePrivacy Directive also specifies rules that have an impact on the use of online behavioral advertising.

    Targeting data protection issues

    Targeting. Targeting is the process through which an advertiser (or “targeter”) identifies its target audience by presenting certain parameters and then pushes advertisements to them through many communication channels.

    The process of delivering specific messages to an end user may involve a great variety of actors, like social media users, social media providers, targeters and other relevant actors (adtech) like marketing service providers, ad networks, ad exchanges, demand-side and supply-side platforms, data management providers (DMPs), data analytics companies and data brokers.

    It is therefore worth looking more closely at the central participants in targeting operations.


    The first inseparable part of the advertising ecosystem is the user. The term “user” typically refers to individuals who are registered with the service (i.e. those who have an “account” or “profile”). Many social media services can also be accessed by individuals without prior registration (i.e. without creating an account or profile), but such individuals do not have access to all of the features or services offered to individuals who have registered with the social media provider. Both individuals who are and who are not registered with the social media provider may be recognized as “data subjects” within the meaning of Article 4(1) GDPR insofar as the individual is directly or indirectly identified or identifiable.


    Another participant in the advertising ecosystem necessary for message delivery is the social media provider (or “SMP”), which offers an online service that enables the development of networks and communities of users, among which information and content is shared. Those services are typically offered through web browsers or dedicated apps, often after having requested the user to provide a set of personal data to constitute the user’s “account” or “profile”.

    But this isn’t the only way in which SMPs collect personal data. SMPs extract a large amount of users’ and non-registered individuals’ data from their behavior and interactions on the web platform. Such processing operations enable SMPs to obtain considerable insights into the users’ socio-demographic characteristics, interests and preferences. SMPs also collect data from activities undertaken ‘off-platform’, combining data from multiple sources, online and offline, in order to generate further insights.


    The last fundamental participants in the advertising ecosystem are targeters, who are natural or legal persons that use social media services in order to deliver specific messages to a set of social media users on the basis of specific parameters or criteria. Targeters can frequently be confused with users, but targeters, in comparison with other users of social media, select their messages and/or their intended audience according to the perceived characteristics, interests or preferences of the individuals concerned. Mostly, businesses engage targeters to advance commercial, political, or other interests (for example, the brand Adidas uses followers lists and photos published by users to push advertising of its new sports footwear).


    It is important to highlight the ways in which advertisements may be delivered to social media users.

    Targeting might occur not only through displaying a personalized advertisement (e.g. through a “banner” shown on the top or side of a webpage), but, as far as it is happening within the social media platform, also through display in a user’s “feed”, “timeline” or “story”, where the advertising content appears alongside user-generated content. Targeting may also involve the creation of content hosted by the social media provider (e.g. via a dedicated “page” or other social media presence) or elsewhere (i.e. on third-party websites).

    Targeters may have their own websites and apps, where they can integrate specific social media business tools or features such as social plugins or logins, or use the application programming interfaces (APIs) or software development kits (SDKs) offered by social media providers.


    In practice, social media users may be targeted on the basis of provided, observed or inferred data, as well as on the basis of a combination of these data types.

    Targeting individuals on the basis of provided data

    “Provided data” refers to information actively provided by the data subject to the social media provider and/or the targeter.

    For example: 

    • When a social media user indicates his or her age in the description of his or her profile, the social media provider might enable targeting on the basis of this criterion. 
    • A targeter might use information provided by the data subject in order to target that individual specifically, for example by means of customer data (such as an e-mail address list), by matching such information with data already held on the social media platform, leading to all those users who match being targeted with advertising.

    Targeting on the basis of observed data

    Targeting of social media users can also take place on the basis of observed data. Observed data is data provided by the data subject by virtue of using a service or device. For example, a particular social media user might be targeted on the basis of: 

    • his or her activity on the social media platform itself (for instance, the content that the user has shared, consulted or liked); 
    • the use of devices on which the social media’s application is executed (for instance, device location, mobile telephone number); 
    • data obtained by a third-party application developer by using the application programming interfaces (APIs) or software development kits (SDKs) offered by social media providers; 
    • data collected through third-party websites that have incorporated social plugins or pixels; 
    • data collected through other third parties that participate in online behavioral advertising (e.g. parties with whom the data subject has interacted, purchased a product, subscribed to loyalty cards); or
    • data collected through services offered by companies owned or operated by the social media provider. 

    Targeting on the basis of inferred data

    “Inferred data” or “derived data” are created by the data controller on the basis of the data provided by the data subject or as observed by the controller. For example, a social media provider or a targeter might infer that an individual is likely to be interested in a certain activity or product pushed to him on the basis of his or her web browsing behaviour and/or network connections. 

    When the individual later revisits the website or, alternatively, visits another website that has partnered with the ad network, the ad network examines the cookie it previously set on the individual’s computer to determine its unique identifier. It then looks up the profile it recorded against that identifier to determine the individual’s likely interests and delivers website advertising based on those interests.


    AdTech companies

    Marketing service providers, ad networks, ad exchanges, demand-side and supply-side platforms, data management providers (or “DMPs”) and data analytics companies, or so-called adtech companies can be enlisted by targeters to provide services connected with collecting and processing of data relating to individuals, for example, tracking their activities across websites and apps.

    The roles of the different adtech companies are as follows:

    • Ad exchanges are platforms for comparing the price and quality of impressions, the ‘location’ where the bidding aspect occurs. Mostly, they serve as mediators and connectors between advertisers and publishers and operate on both the demand and supply sides;
    • Data Management Providers are platforms that analyse, categorise and collate incoming data from multiple sources (including desktop, mobile web, mobile app, analytics, social media, and offline data), including bid requests, to support the personalised targeting of adverts;
    • Demand Side Platforms are adtech companies engaged in buying inventory (space on websites) based on behavioural, and often personal, data. If the impression matches the advertiser’s target audience, then a bid is placed via the DSP;
    • Supply Side Platforms help publishers manage and sell their advertising inventories.

    Data brokers and DMPs differ from other adtech companies in that they process not only data collected by means of tracking technologies, but also data collected from other sources, which can include both online and offline sources. In other words, data brokers and DMPs aggregate data collected from a wide variety of sources, which they then might sell to other stakeholders involved in the targeting process.

    Adtech companies therefore enable brands to track their customers’ online behaviors, delivering insights into the interests and preferred online formats of their audiences. Teams can then shape their advertising content around a customer profile while leveraging software and platforms to quickly produce and spread content across multiple channels.

    AdTech companies should nevertheless always comply with GDPR requirements. Most issues arise when AdTech companies try to comply with the transparency and lawfulness requirements. For instance, a data broker collects personal data from public records and personal information disclosed by the data subject in an Instagram profile without any legal ground for such processing and without providing the data subject with information about the source from which the personal data originates.

    Online Behavioral Advertising

    Online behavioural advertising (OBA) is website or platform advertising that is targeted at individuals on the basis of their behaviour over the time spent on the website or platform. OBA can be conducted by the website publisher itself (first-party advertising) or by a third party on behalf of the website publisher (third-party advertising). Most privacy issues, particularly unlawful tracking of individuals’ behaviour across multiple, unaffiliated websites in order to push targeted advertising to them, arise from the relationship between the website publisher and the third party.

    Message delivery during OBA conducted by third-party advertising networks works as follows:

    1. Advertisers, who want to reach specific audiences, select and further instruct a third-party advertising network to serve advertising on their behalf. The ad network has established relationships with a number of partnering website publishers that allow it to serve advertising on their sites.
    2. When an individual visits a website that has partnered with the ad network, the ad network places a ‘cookie’ on the individual’s computer. The cookie is assigned a unique identifier, like a serial number, that is specific to that cookie.
    3. The ad network makes a record of the identifier assigned to that cookie in its database. It may also record other information about the individual, such as their IP address and type of browser used, etc.
    4. As the individual browses the website, the ad network may make a record of information such as the content viewed, listed web pages, searches entered, adverts clicked on, and products and services purchased by the individual. This information may be recorded against the unique identifier assigned to the cookie and can form a profile linked to that identifier.

    Use of Cookies

    In most cases AdTech uses marketing cookies to perform online behavioural advertising, so the provisions of the ePrivacy Directive apply to OBA.

    In essence, this means the publisher must obtain valid consent for the use of cookies, which should meet the following requirements:

    • the user must be able to give consent to the use of cookies and to withdraw consent (the ‘freely given’ criterion);
    • information about the intended use and purposes of the cookie must be given to the user (the ‘specific’ and ‘informed’ criteria);
    • the user, having been provided with this information, must consent through a ‘clear affirmative action’ before the cookie is placed on their computer or the information stored in their computer is retrieved;
    • the method of consent collection should be designed in a way that adheres to the GDPR and the Guidelines issued by the EDPB.
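The cookie mechanics from the OBA steps above, gated by the consent rule, as an added example that is not part of the original article. The `AdNetwork` class, the request shape and the handling of withdrawal (deleting the profile and expiring the cookie) are assumptions made for illustration, and the visits are constructed sample data.

```javascript
// Added illustration; class, field and request names are hypothetical.
class AdNetwork {
  constructor() {
    this.profiles = new Map(); // cookie identifier -> recorded page views
    this.nextId = 0;
  }

  // request: { site, page, cookieId, consent } where consent is
  // 'granted', 'withdrawn' or null (no choice made yet).
  handle({ site, page, cookieId = null, consent = null }) {
    if (consent === 'withdrawn') {
      // Assumed handling of withdrawal: delete the profile, expire the cookie.
      if (cookieId !== null) this.profiles.delete(cookieId);
      return { setCookie: null, expireCookie: cookieId !== null, recorded: false };
    }
    if (consent !== 'granted') {
      // No affirmative action yet: do not store or read the cookie at all.
      return { setCookie: null, expireCookie: false, recorded: false };
    }
    let id = cookieId;
    let setCookie = null;
    if (id === null || !this.profiles.has(id)) {
      // Steps 2-3: assign an identifier and record it in the database.
      id = `uid-${++this.nextId}`; // stand-in for a random identifier
      setCookie = id;
      this.profiles.set(id, []);
    }
    // Step 4: record the activity against the identifier.
    this.profiles.get(id).push({ site, page });
    return { setCookie, expireCookie: false, recorded: true };
  }
}

// Constructed sample: one browser visiting two partner sites.
const SAMPLE_VISITS = [
  { site: 'news.example', page: '/sport', consent: null },
  { site: 'news.example', page: '/sport/shoes', consent: 'granted' },
  { site: 'shop.example', page: '/running-shoes', consent: 'granted' },
  { site: 'shop.example', page: '/account', consent: 'withdrawn' },
];

function replay(visits) {
  const network = new AdNetwork();
  let cookie = null; // the browser's cookie jar for the ad network
  const trace = [];
  for (const visit of visits) {
    const res = network.handle({ ...visit, cookieId: cookie });
    if (res.setCookie) cookie = res.setCookie;
    const profileSize = cookie && network.profiles.has(cookie)
      ? network.profiles.get(cookie).length : 0;
    if (res.expireCookie) cookie = null;
    trace.push({ recorded: res.recorded, cookie, profileSize });
  }
  return trace;
}

console.log(replay(SAMPLE_VISITS));
```

The trace shows nothing stored before consent, one identifier accumulating a profile across both partner sites once consent is granted, and the profile and cookie gone after withdrawal.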

    Joint Controllership

    Identifying the roles of the entities involved in marketing operations is important under the GDPR. The CJEU and supervisory authorities have established case law and fining practice according to which OBA participants are recognized as joint controllers and, pursuant to Article 26(1) GDPR, are required to put in place an arrangement which, in a transparent manner, determines their respective responsibilities for compliance with the GDPR, in particular with regard to the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 GDPR.

    To date, there are 2 decisions of the CJEU in which the CJEU has recognised joint controllership relationships in marketing operations.

    In the first case, Wirtschaftsakademie (C-210/16), the CJEU defined the administrator of a webpage (targeter) as a joint controller with Facebook (SMP) because the administrator of the web page participates in determining the purposes of the processing of personal data by defining the parameters of the targeted audience.

    In Fashion ID (C-40/17), the CJEU decided that a website operator can be considered a controller when it embeds a Facebook social plugin on its website that causes the browser of a visitor to transmit personal data of the visitor to Facebook. The qualification of the website operator as controller is, however, limited to the operation or set of operations in respect of which it actually determines the purposes and means. In this particular case, the CJEU considered that the website operator is only capable of determining, jointly with Facebook, the purposes and means of the collection and disclosure by transmission of the personal data of visitors to its website. 


    At the same time, the supervisory authorities of leading EU states have also established a stable position regarding the joint controllership of Adtech companies.


    In the case where the French supervisory authority (“CNIL”) fined Criteo in the amount of 40,000,000 EUR, CNIL recognized Criteo, a company which implements so-called “advertising retargeting”, as a joint controller with its advertising partners (advertisers, publishers and online auction platforms). CNIL also recognized the arrangements concluded between those partners as noncompliant, since they did not specify some of the respective obligations of the data controllers with regard to the requirements contained in the GDPR, such as the exercise by the data subjects of their rights, the obligation to notify a data breach to the supervisory authority and to the data subjects or, where applicable, carrying out an impact assessment under Article 35 of the GDPR.


    Another case is the one where Belgium’s data protection authority issued a decision regarding IAB. In this case the Belgian data protection authority established that the ecosystem within which the consent, objections and preferences of users are collected and exchanged, not for its own purposes or self-preservation but to facilitate further processing by third parties (i.e. publishers and adtech vendors), should be considered as joint controllers for the collection and subsequent dissemination of users’ consent, objections and preferences.


    In conclusion

    Taking into account the large number of adtech participants who process a significant amount of both statistical data and behavioral data, which are defined as online identifiers, companies that participate in the process of delivering advertising messages to targeted users must adhere to the provisions of the GDPR when launching their advertising campaigns, as well as establish appropriate mechanisms for checking adtech providers for GDPR compliance. In doing so, they must not forget about the rights of data subjects and the correct selection of the legal basis.