Facebook Custom Audience – Possibilities of use and notice for the privacy policy

One possibility to use Facebook as a company is the Custom Audience function. A distinction must be made between two possible implementations of Facebook Custom Audience:

  • the “list variant”, in which you transfer lists of e-mail addresses of customers or prospects to Facebook.
  • the “pixel variant”, in which you install a custom audience pixel on your website XY (cookie principle: if the user is logged into the Facebook account and the function is not switched off, a cookie is set. If the corresponding website is accessed, Facebook is informed of this and the advertising of website XY is displayed on Facebook. A click on the advertisement takes the user to the XY website so that the purchase can be tracked if necessary).

What is the current legal assessment of these variants?

  1. As far as the “pixel variant” is concerned, the Bavarian data protection authority took the view in its activity report in March 2017 that both forms of custom audiences were problematic if there was no express consent of the website visitors concerned. In the meantime, however, it has revised this opinion in a further publication. According to this, it is permissible to use the pixel variant even without consent, provided that sufficient reference is made to this in the data protection declaration. In two recent publications of the Conference of German Data Protection Authorities, this view was again changed. In a paper dated April 2018 in particular, it was stated that any use of tracking mechanisms, including custom audiences pixels, requires effective consent. However, this view of the participating authorities has been severely attacked in the relevant literature, it is also not legally binding and also from our point of view not applicable. In some parts of the data protection literature, the view is therefore still held that the use of Facebook Custom Audiences in the “pixel variant” is still permissible without the express consent of the website visitors concerned, because one can rely on legitimate interests (Art. 6 para. 1 lit. f) GDPR). For this purpose, however, the website’s privacy policy must clearly point out the use of custom audiences and offer an opt-out. Provided these conditions are met, the use of Facebook Custom Audiences in the “pixel version” is still justifiable, i.e. until a decision by the highest court has been reached. However, there remains a certain residual risk.
  2. As far as the “list variant” is concerned, the Administrative Court of Munich recently issued a decision in the second instance. In its decision of 26 September 2018, the Administrative Court takes the view that the use of Facebook Custom Audiences in the “list variant” is inadmissible as long as no consent has been obtained from the address holders concerned. The Administrative Court thus confirmed the first-instance decision of the Administrative Court of Bayreuth of May that had already been made. However, both decisions refer to the old legal situation under the Federal Data Protection Act. There are voices in the data protection literature which do not consider the decisions of the Administrative Court of Bayreuth and the Administrative Court of Munich to be correct, especially since the GDPR came into force. Nevertheless, we must of course take note of them.

What does that mean in practice?
1) The use of Facebook Custom Audiences in the “pixel variant” appears to us (just now) to be justifiable without the consent of the website visitors concerned having to be obtained. If a notice is included in the website’s privacy policy and an opt-out option is offered, this type of use of Facebook Custom Audiences can be represented on the basis of legitimate interests. The remaining legal residual risk would only be excluded if the consent of the website visitors concerned were actually obtained. In this case, you could obtain such consent via an “opt-in banner” on your website. There are a number of tools for this. So if you want to reduce the (low) legal risk described above, we recommend that you use such an opt-in banner.
2) The use of Facebook Custom Audiences in the “list variant” requires your consent in any case. Against the background of the decisions now available – even if they concern the old legal situation – it will have to be assumed that the supervisory authorities will take the view that the use of Facebook Custom Audiences in the “list variant” without consent is not permissible. There are still many companies that still use the “list variant” without consent. But at the latest now – at any rate we recommend this – they should switch to a consent solution or temporarily refrain from using this tool. 

Note for the privacy policy:

Use of the Facebook visitor action pixel with your consent, the “visitor action pixel” of Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA (“Facebook”) is used within our Internet presence. The “visitor action pixel” can be used to track users’ actions when they click on a Facebook ad to redirect them to a provider’s website. This allows us to measure the effectiveness of Facebook ads for statistical and market research purposes and to optimize our marketing efforts. The data collected is anonymous to us, and we cannot view or deduce any personally identifiable information about individual users. For dynamic remarketing, for example, anonymised product data (e.g. ID, category, name), anonymised shopping cart data (e.g. which items were added or removed) and anonymised transaction data (e.g. order number, order values) are also transferred. Facebook stores and processes this data. Facebook can therefore assign this data to your Facebook account. You can enable Facebook and its partners to place ads on and off Facebook. A cookie may also be stored on your computer for these purposes. For more information about Facebook’s collection and use of the data and about your rights and ways to protect your privacy, please refer to Facebook’s Privacy Policy: www.facebook.com/about/privacy/ Consent to the use of the Facebook visitor action pixel may only be given by users older than 13 years of age. You may revoke your consent. You may opt out of Facebook pixel collection and use of your information to display Facebook ads. To set what types of ads are displayed to you within Facebook, you can go to the page set up by Facebook and follow the instructions on the settings for usage-based ads there: www.facebook.com/settings. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices. You may also object to the use of cookies to measure reach and for advertising purposes, via the Network Advertising Initiative’s opt-out page (http://optout.networkadvertising.org/) and additionally via the U.S. website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).