Let’s talk Meta, Cookies, Pixels and the GDPR

How Data Protection Relates to Meta, Custom Audiences, Advanced Matching and Pixels

Recently, we’ve seen agencies stating that because data is ‘hashed’ before it is sent to Meta (the social metaverse parent company that oversees Facebook, Instagram, and WhatsApp, to name a few), it complies with all privacy laws. This is an oversimplification and isn’t correct.

Data and Meta: the key legal points:

  • You can’t set a Meta pixel or cookie on a user’s device without consent.
  • The collection of the user’s data takes place before the hashing. You, as the website or app owner, need consent to collect user data.
  • The hashing just means that Meta can’t see the actual data. You still need the user’s consent to hash their data and share it with Meta.
  • In Meta’s legal terms, you warrant that you are using the correct legal basis (consent) to collect the data and share it with Meta.

Everything you need to know about Meta and the GDPR

  1. What is ‘hashed’ data?

In data protection terms, hashed data refers to data that has been transformed from its original state into a code (called a ‘hash’). Regardless of the amount of data converted, a given hash function produces a string of the same length every time.

As you may have guessed, this can make the hashed data more secure, as the original values can’t simply be ‘read’ from the hash.

  2. What is a cookie?

Cookies are a form of technology usually consisting of small pieces of text that can be used to store or access information on a user’s computer, mobile device, or other electronic devices. Cookies may be used for a number of purposes, such as remembering the choices or preferences of a user on a website, supporting user login, or analysing traffic to a website. Other technologies, including data stored on web browsers or devices, identifiers associated with a device, and other software, may also be used for similar purposes. All of these technologies are referred to as cookies.

3. What is a Meta pixel?

The Meta pixel is a snippet of JavaScript code that allows you to track visitor activity on your website. It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting and to analyse the effectiveness of your website’s conversion funnels.

Pixels rely on Facebook cookies, which enable Meta to match your website visitors to their respective Facebook User accounts.

Find out more about Meta pixels on Facebook’s Developer website.

  4. What is Meta’s Advanced Matching?

Advanced Matching will tell your Meta pixel to look for recognisable form fields and other sources on your website that contain information such as first name, surname and email address. The Meta pixel receives that information along with the event, or action, that took place.

This is the data that a Meta pixel will collect:

  • Email
  • First name
  • Last name
  • Phone
  • Any external ID, such as a loyalty card number
  • Gender
  • Date of birth
  • City
  • State, province or county
  • Post code
  • Country

https://developers.facebook.com/docs/meta-pixel/advanced/advanced-matching

Is data collected by the Meta pixel hashed?

Yes, this information is ‘hashed’ before being sent to Meta. However, the collection takes place before the hashing and this is where you need consent to collect this data in the first place.

  5. What are Meta’s Custom Audiences?

A Custom Audience is an ad targeting option that lets you find your existing audiences among people who are on Facebook.

If you are tracking conversions, you can segment your website visitors into groups based on the actions they have taken on your website. These groups are the custom audiences. Once you have defined a custom audience, you can optimize your ad sets to target other Facebook users who match that audience’s criteria.

A Custom Audience made from a customer list is a type of audience you can create to connect with people who have already shown an interest in your business or product. It’s made of information – called “identifiers” – you’ve collected about your customers (such as email, phone number and address) and provided to Facebook. Prior to use, Facebook hashes this information.

Then, Facebook uses a process called matching to match the hashed information with Facebook profiles so that you can advertise to your customers on Facebook and Instagram.

https://www.facebook.com/business/help/341425252616329?id=2469097953376494

Yes, this information is ‘hashed’ before being sent to Meta. However, the collection takes place before the hashing and this is where you need consent to collect this data in the first place.
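
The hashing and matching described above, as an added example that is not part of the original article or Meta's own code. It assumes SHA-256 over a trimmed, lower-cased email address; the function names and example.com addresses are made up for illustration. It shows that the hash has a fixed length, is the same every time for the same address, and can be matched by any party that already holds that address, which is why the hashed value still relates to an identifiable person.

```javascript
const nodeCrypto = require('crypto');

// Normalise before hashing so the same address always yields the same digest.
function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

// SHA-256 digest as 64 hex characters, whatever the input length.
function hashIdentifier(value) {
  return nodeCrypto.createHash('sha256').update(value, 'utf8').digest('hex');
}

// What a recipient holding its own list of addresses can do with a received
// digest: hash each known address the same way and compare.
function matchAgainstList(receivedDigest, knownEmails) {
  for (const email of knownEmails) {
    if (hashIdentifier(normalizeEmail(email)) === receivedDigest) {
      return email;
    }
  }
  return null;
}

// Constructed sample data (example.com addresses, not real people).
const formInput = '  Jane.Doe@Example.com ';
const sentDigest = hashIdentifier(normalizeEmail(formInput));
const recipientAccounts = ['sam@example.com', 'jane.doe@example.com'];

function demoHashMatching() {
  return {
    digestLength: sentDigest.length,
    sameEveryTime: sentDigest === hashIdentifier('jane.doe@example.com'),
    matched: matchAgainstList(sentDigest, recipientAccounts),
    unmatched: matchAgainstList(hashIdentifier('nobody@example.com'), recipientAccounts),
  };
}

console.log(demoHashMatching());
```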

 

 


  6. Finally, how does the GDPR impact on using Advanced Matching and Custom Audiences?

You need consent from a website visitor to set a cookie or pixel on their device.

Requirements:

  • You must obtain user consent before setting/reading cookies or other trackers for any purposes that are not strictly necessary or otherwise exempt;
  • You must provide the user with clear and comprehensive information about the use of cookies.

For cookie consent to be valid, it must be:

  • Freely given — The user has a genuine choice.
  • Specific and informed — You must explain who is using the cookies, the purposes for which cookies are being used, and that the individual has the right to easily withdraw consent at any time.
  • Unambiguous and affirmative — The consent moment involves a clear and positive action, such as physically clicking on an opt-in box to indicate consent.

You should consider carefully how you secure consent from a user to ensure that you meet the necessary requirements under the law and to avoid the risk of consent being deemed invalid.

How to obtain cookie consent

Cookie banner with an “I agree” button:

  • You need to decide what affirmative action a user must take to consent, such as clicking I agree in a banner or splash screen that includes specific information as described below. 

Consent should be requested prior to setting/using cookies that are not strictly necessary.

  • You must communicate to users that by taking the relevant action, they are consenting.
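
One way to enforce "consent before the pixel" in page code, as an added example that is not from the original article or from Meta. The class, its method names and the fake loader are hypothetical; the loader stands in for whatever function injects the tracking script.

```javascript
// Added example; ConsentGate, makeFakeLoader and demoConsentFlow are hypothetical names.
class ConsentGate {
  // loadTracker injects the third-party script and returns a send(event, data) function.
  constructor(loadTracker) {
    this.loadTracker = loadTracker;
    this.send = null;                    // no tracker exists until consent is given
    this.consent = { marketing: false }; // default is "no", never pre-ticked
    this.dropped = 0;
  }
  // Call only from the click handler of the "I agree" control.
  grant(purpose) {
    this.consent[purpose] = true;
    if (purpose === 'marketing' && !this.send) {
      this.send = this.loadTracker();
    }
  }
  // Withdrawal takes effect immediately; later events are not forwarded.
  withdraw(purpose) {
    this.consent[purpose] = false;
  }
  // Site code calls this instead of calling the tracker directly.
  track(event, data) {
    if (!this.consent.marketing || !this.send) {
      this.dropped += 1;                 // nothing is collected or sent
      return false;
    }
    this.send(event, data);
    return true;
  }
}

// Constructed stand-in for the real pixel loader so the example runs offline.
const makeFakeLoader = (log) => () => {
  log.push('script-loaded');
  return (event) => log.push(`sent:${event}`);
};

function demoConsentFlow() {
  const log = [];
  const gate = new ConsentGate(makeFakeLoader(log));
  gate.track('PageView', {});   // before consent: dropped, script never loaded
  gate.grant('marketing');      // user clicks "I agree"
  gate.track('Lead', {});       // forwarded
  gate.withdraw('marketing');
  gate.track('Purchase', {});   // dropped again
  return { log, dropped: gate.dropped };
}

console.log(demoConsentFlow());
```

On a live page, a withdrawal handler can additionally call the pixel's own `fbq('consent', 'revoke')`.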

 

Information to include in your cookie notice:

Websites and apps should display a clear, concise, and comprehensive statement upfront, with a link to their privacy or cookie notices for more detail. The link should be easily readable text and undisrupted by other features on the page.

In your notice, you’ll need to decide how to include more information, such as:

  • Accurate and specific information about the purposes for which you use cookies and similar technology, and their duration, in plain user-friendly language
  • Any additional information about the specific third-party technologies you use (if any), including Facebook, and the purpose of these technologies
  • Information that explains how the user may reject non-necessary cookies, or find out more about the use of cookies
  • Any granular controls for non-essential cookies you or third parties provide.

https://developers.facebook.com/docs/privacy

  7. Meta’s Terms and Conditions

The following is in Meta’s legal terms and you must agree to it before using a Meta product. You, the website or app operator, state that you have a legal basis (consent) to gather the data and send it to Facebook.

 You represent and warrant, without limiting anything in these terms, that you have all necessary rights and permissions and a lawful basis to disclose and use the Hashed Data in compliance with all applicable laws, regulations, and industry guidelines. If you are using a Facebook identifier to create an Audience, you must have obtained the identifier directly from the data subject in compliance with these terms.

https://www.facebook.com/legal/terms/customaudience

The key takeaways:

  • You can’t set a Meta pixel or cookie on a user’s device without consent.
  • The collection of the user’s data takes place before the hashing. You, as the website or app owner, need consent to collect user data.
  • The hashing just means that Meta can’t see the actual data. You still need the user’s consent to hash their data and share it with Meta.
  • In Meta’s legal terms, you warrant that you are using the correct legal basis (consent) to collect the data and share it with Meta.

Get in touch for expert advice on your data protection needs

For up-to-date and reliable data protection advice, the outsourced data protection experts at Sapphire Consulting are here to help.

Our consultancy is straightforward and actionable, giving you easy-to-understand advice on implementing robust data protection measures that adhere to the GDPR. Explore our support services to see some of what we offer, or get in touch with us today to find out more.

 
