What is a “custom audience”?
Custom audience products involve you providing personal data of your customers to a third party, usually a social media platform (an “SMP”), which, via a matching process, determines which of your customers are also users of the SMP. This enables the SMP to serve your ads directly to those users. Data can be provided directly (e.g. by uploading lists of email addresses) or by the SMP embedding a pixel on your website to collect data on your users.
A similar tool, “lookalike audiences”, involves the SMP using the outcome of the initial matching process to generate a target list of users who are not your customers, but who share similar interests and characteristics as your customers.
Top tips when utilising custom audiences:
Be aware of the legal frameworks that apply
Even where the customer data you provide to the SMP is “hashed”, the GDPR almost certainly still applies. Although the hashed data is “pseudonymised”, it can still be identifiable when reversed or combined with other data. Similarly, where you are using cookie- or pixel-driven custom audience tools, the e-Privacy consent requirements will also apply.
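The matching process and the hashing point above, as an added illustration that is not part of the original article: a brand hashes its customer emails before upload, the platform hashes its own users' emails and intersects the two sets, and anyone holding a candidate plaintext email can confirm a match. The customer records, platform user list, and the choice of SHA-256 over a normalised email address are constructed assumptions for this example (real platforms publish their own upload format); the opt-out filter and single-field upload reflect the data minimisation and opt-out points made in the later tips.

```python
import hashlib
import unicodedata

# Constructed sample data (assumption): a brand's CRM export and the platform's own user base.
BRAND_CUSTOMERS = [
    {"email": " Alice.Smith@Example.com ", "name": "Alice Smith", "marketing_opt_out": False},
    {"email": "bob@example.org", "name": "Bob Jones", "marketing_opt_out": True},
    {"email": "Carol@Example.net", "name": "Carol King", "marketing_opt_out": False},
]
SMP_USERS = {  # plaintext emails the platform already holds for its logged-in users
    "alice.smith@example.com": "smp-user-1001",
    "carol@example.net": "smp-user-1002",
    "dave@example.com": "smp-user-1003",
}


def normalise_email(email: str) -> str:
    """Canonicalise so both parties hash identical bytes: NFKC, trim, lower-case."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def hash_identifier(email: str) -> str:
    """SHA-256 hex digest of the normalised email (assumed upload format for this example)."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


def build_upload(customers):
    """Brand side. Data minimisation: one hashed field per customer, nothing else,
    and customers who have opted out of marketing are excluded before upload."""
    return [hash_identifier(c["email"]) for c in customers if not c["marketing_opt_out"]]


def smp_match(upload, smp_users):
    """Platform side: hash its own plaintext emails the same way and intersect.
    Because hashing is deterministic, the platform recovers exactly which of its
    users are the brand's customers, which is why the upload is still personal data."""
    index = {hash_identifier(email): uid for email, uid in smp_users.items()}
    return sorted(index[h] for h in upload if h in index)


def is_same_person(hashed: str, candidate_email: str) -> bool:
    """Anyone who holds a candidate plaintext can confirm whether a hash belongs to it;
    the hash pseudonymises the email, it does not anonymise it."""
    return hash_identifier(candidate_email) == hashed


if __name__ == "__main__":
    upload = build_upload(BRAND_CUSTOMERS)
    print("hashes uploaded:", len(upload))
    print("matched platform users:", smp_match(upload, SMP_USERS))
    print("hash confirms Alice:", is_same_person(upload[0], "alice.smith@example.com"))
```

Only two of the three customers are uploaded (Bob has opted out), and the platform matches two of them to its own accounts. The `is_same_person` check is the practical reason the page says the GDPR still applies: the brand, the platform, or anyone else holding the plaintext can re-identify the hashed value.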
Clarify your role
Identify each party’s role as a controller, processor, or joint controller. These roles may vary, depending on: the particular data set; the service offered by the SMP; whether you are providing “offline” customer lists or utilising cookie/pixel-driven custom audiences; and the exact purposes for which the data is used at each phase of the process/service. However, the prevailing view of regulators is that the targeting company and the SMP will, in most cases, be joint controllers for this type of processing.
Allocate compliance responsibilities
As joint controllers, the parties are obliged to allocate compliance responsibilities between them. In practice, you will likely be responsible for providing notice to your customers and having a lawful basis for sharing the data with the SMP. In addition, you will need to consider other obligations, for example, a need to minimise the data fields shared (or made available) to those strictly necessary for the third party to uniquely identify your customer (e.g. email address only).
Assess consent vs. legitimate interests
Consider what lawful basis you are relying on – consent or legitimate interests. However, bear in mind that if you (or the SMP) are utilising cookies, or similar technologies, to create custom audiences then consent is strictly required under the e-Privacy rules.
For “offline” audience creation (e.g. where email addresses are provided), it may be possible to rely on legitimate interests, although be aware that some regulators have expressed scepticism about this approach. In any event, a full legitimate interests assessment will need to be conducted to demonstrate the balancing exercise that has taken place and the detailed thinking behind it. Consider what practical factors may mitigate risks and assist in demonstrating your responsible assessment (e.g. respecting users’ marketing opt-outs and providing clear notice of your intentions).
Consider how best to provide a right for a user to opt-out of their data being used for custom audiences. When and how will this option be presented to the user? What will the effect of their selection be? For example, if an individual unsubscribes from marketing emails, or opts-out of marketing generally (e.g. via account settings), can you exclude them from customer lists previously provided to the SMP?
Don’t forget your cookie and privacy notices
Put in place an agreement
Assuming that you are joint controllers with the SMP, in order to comply with Article 26 of the GDPR, you will need to enter into a joint controller agreement to clearly set out each party’s respective responsibilities for GDPR compliance. In practice, in most cases it will be the SMP that imposes its standard terms on you, but you should check that these cover the custom audience purposes.