On April 13, 2021, the European Data Protection Board (EDPB) adopted the final version (v. 2.0) of Guidelines 8/2020 on the targeting of social media users, following the conclusion of the public consultation phase. Subsequently, on July 7, 2021, the EDPB released version 2.1 of the same document, which changes the references to the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
Guidelines 8/2020 address the data protection roles and responsibilities of the targeter and the social media service provider with respect to targeted advertising campaigns conducted using personal data of users of social platforms.
Actors
Advertising campaigns that, directly or indirectly, affect social media platforms can involve a multitude of actors operating in the different stages of the digital ecosystem (which is sometimes known as “adtech”): marketing service providers, ad networks, ad exchanges, demand-side and supply-side platforms, data management providers (DMPs) and data analytics companies.
However, targeted advertising operations via social media center on three main actors:
- the targeter
- the social media provider
- the social media user who is the target of the advertising.
1- Targeter
Targeters are natural or legal persons that use social media services in order to direct specific messages at a set of social media users on the basis of specific parameters or criteria (or, more precisely, parameters or criteria chosen from those provided by the social provider).
In this way, personalized advertising messages are offered while using the platform or even alongside user-generated content. Targeters may have their own websites and apps, “where they can integrate specific social media business tools or features such as social plugins or logins or by using the application programming interfaces (APIs) or software development kits (SDKs) offered by social media providers.”
These activities mostly involve the sharing of users’ personal data between the targeter and the social media provider, over which both exercise decision-making power regarding purpose and means.
2- Social Media Provider
The social media provider offers an online service that enables users (mostly registered with their own account, but sometimes and to some extent also non-registered) to publish and share information and content, especially within networks or communities of users. The social media provider determines the functionalities of the service, which data are processed, for which purpose, under which terms, as well as how personal data shall be processed.
The collection of large-scale user information enables the social media provider to obtain considerable insights into the users’ socio-demographic characteristics, interests and preferences, and to make these categorizations available to targeters for targeted advertising campaigns. Consequently, alongside the processing of platform users’ personal data for which the provider is the autonomous controller, there is further processing for which the social provider shares purposes and means with the targeter, assuming the role of joint controller with the latter. This is the case, for instance, with the use of personal data of users belonging to the categorizations that the promoter has chosen on the basis of parameters and criteria of its own choice.
3- Users
From the point of view of personal data protection, the social user is both the so-called “account”, i.e. the user who has previously identified and registered with the platform, and the non-registered individual. In fact, some social media platforms are freely accessible in that they allow anyone to use them, even without prior registration, although those who do not register are often unable to fully use the features or services offered. Social media providers may also allow for the targeting of individuals who do not have an account, as they are able to classify them based on interests, sociographic data, behaviors, or other identifiers.
A non-registered user, despite not being directly identified, is still considered a “data subject” within the meaning of Article 4(1) of the GDPR, as the classification elements still make them indirectly identifiable.