How Data Protection Relates to Meta, Custom Audiences, Advanced Matching and Pixels
Recently, we’ve seen agencies stating that because data is ‘hashed’ before it is sent to Meta (the parent company that oversees Facebook, Instagram and WhatsApp, to name a few), it complies with all privacy laws. This is an oversimplification and isn’t correct.
Data and Meta: the key legal points:
- You can’t set a Meta pixel or cookie on a user’s device without consent.
- The collection of the user’s data takes place before the hashing. You, as the website or app owner, need consent to collect user data.
- The hashing just means that Meta can’t see the actual data. You still need the user’s consent to hash their data and share it with Meta.
- In Meta’s legal terms, you warrant that you are using the correct legal basis (consent) to collect the data and share it with Meta.
Everything you need to know about Meta and the GDPR
1. What is ‘hashed’ data?
In data protection terms, hashed data refers to data that has been transformed from its original state into a code (called a ‘hash’). Regardless of the amount of data converted to a hash, the resulting string of code will be the same length.
As you may have guessed, this can serve the purpose of making the hashed data more secure, as it can’t be ‘read’ before retrieval.
2. What is a cookie?
Cookies are a form of technology, usually consisting of small pieces of text, that can be used to store or access information on a user’s computer, mobile device, or other electronic device. Cookies may be used for a number of purposes, such as remembering the choices or preferences of a user on a website, supporting user login, or analysing traffic to a website. Other technologies, including data stored on web browsers or devices, identifiers associated with a device, and other software, may also be used for similar purposes. All of these technologies are referred to as cookies.
3. What is a Meta pixel?
The Meta pixel is a snippet of JavaScript code that allows you to track visitor activity on your website. It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting and to analyse the effectiveness of your website’s conversion funnels.
Pixels rely on Facebook cookies, which enable Meta to match your website visitors to their respective Facebook User accounts.
Find out more about Meta pixels on Facebook’s Developer website.
4. What is Meta’s Advanced Matching?
Advanced Matching will tell your Meta pixel to look for recognisable form fields and other sources on your website that contain information such as first name, surname and email address. The Meta pixel receives that information along with the event, or action, that took place.
This is the data that a Meta pixel will collect:
- First name
- Last name
- Phone
- Any external ID, such as a loyalty card number
- Gender
- Date of birth
- City
- State, province or county
- Post code
- Country
https://developers.facebook.com/docs/meta-pixel/advanced/advanced-matching
Is data collected by the Meta pixel hashed?
Yes, this information is ‘hashed’ before being sent to Meta. However, the collection takes place before the hashing and this is where you need consent to collect this data in the first place.
5. What are Meta’s Custom Audiences?
A Custom Audience is an ad targeting option that lets you find your existing audiences among people who are on Facebook.
If you are tracking conversions, you can segment your website visitors into groups based on the actions they have taken on your website. These groups are the custom audiences. Once you have defined a custom audience, you can optimize your ad sets to target other Facebook users who match that audience’s criteria.
A Custom Audience made from a customer list is a type of audience you can create to connect with people who have already shown an interest in your business or product. It’s made of information – called “identifiers” – you’ve collected about your customers (such as email, phone number and address) and provided to Facebook. Prior to use, Facebook hashes this information.
Then, Facebook uses a process called matching to match the hashed information with Facebook profiles so that you can advertise to your customers on Facebook and Instagram.
https://www.facebook.com/business/help/341425252616329?id=2469097953376494
Yes, this information is ‘hashed’ before being sent to Meta. However, the collection takes place before the hashing and this is where you need consent to collect this data in the first place.
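The hash-and-match flow described above, as an added example that is not code from Meta or from this article. SHA-256 over a trimmed, lowercased email is an assumption, and the addresses, profile IDs and function names are constructed for illustration. It shows why a hash is still a stable identifier: a recipient that already holds the same email can link the hash back to a profile.

```python
import hashlib


def normalise(value):
    """Trim and lowercase so the same identifier always produces the same hash."""
    return value.strip().lower()


def hash_identifier(value):
    """SHA-256 hex digest of the normalised identifier (assumed scheme)."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def match_hashes(uploaded, known_profiles):
    """Recipient side: hash the identifiers it already holds and join on the digest.

    Returns {uploaded_hash: profile_id} for every uploaded hash it recognises.
    """
    index = {hash_identifier(email): pid for pid, email in known_profiles.items()}
    return {h: index[h] for h in uploaded if h in index}


# Constructed sample data: what the website collected in the clear, before hashing.
CUSTOMER_LIST = ["alice@example.com", "  Alice@Example.COM ", "bob@example.org"]

# Constructed sample data: identifiers the recipient platform already holds.
PLATFORM_PROFILES = {
    "profile-1001": "alice@example.com",
    "profile-1002": "carol@example.net",
}


def demo():
    """Hash the customer list, then match it against the platform's own records."""
    uploaded = {hash_identifier(e) for e in CUSTOMER_LIST}
    matches = match_hashes(uploaded, PLATFORM_PROFILES)
    return uploaded, matches


if __name__ == "__main__":
    uploaded, matches = demo()
    for digest in sorted(uploaded):
        print(digest[:16] + "...", "->", matches.get(digest, "no match"))
```

The website handles the plain email addresses before any hash exists, and the recipient links a hash to a person whenever it already knows that person's email.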
6. Finally, how does the GDPR impact on using Advanced Matching and Custom Audiences?
You need consent from a website visitor to set a cookie or pixel on their device.
Requirements:
- You must obtain user consent before setting or reading cookies or other trackers for any purposes that are not strictly necessary or otherwise exempt;
- You must provide the user with clear and comprehensive information about the use of cookies.
For cookie consent to be valid, it must be:
- Freely given — The user has a genuine choice.
- Specific and informed — You must explain who is using the cookies, the purposes for which cookies are being used, and that the individual has the right to easily withdraw consent at any time.
- Unambiguous and affirmative — The consent moment involves a clear and positive action, such as physically clicking on an opt-in box to indicate consent.
You should consider carefully how you secure consent from a user to ensure that you meet the necessary requirements under the law and to avoid the risk of consent being deemed invalid.
How to obtain cookie consent
Cookie banner with an “I agree” button:
- You need to decide what affirmative action a user must take to consent, such as clicking I agree in a banner or splash screen that includes specific information as described below.
- Consent should be requested prior to setting/using cookies that are not strictly necessary.
- You must communicate to users that by taking the relevant action, they are consenting.
Information to include in your cookie notice:
Websites and apps should display a clear, concise, and comprehensive statement upfront, with a link to their privacy or cookie notices for more detail. The link should be easily readable text and undisrupted by other features on the page.
In your notice, you’ll need to decide how to include more information, such as:
- Accurate and specific information about the purposes for which you use cookies and similar technology, and their duration, in plain user-friendly language
- Any additional information about the specific third-party technologies you use (if any), including Facebook, and the purpose of these technologies
- Information that explains how the user may reject non-necessary cookies or find out more about the use of cookies
- Any granular controls for non-essential cookies you or third-parties provide.
https://developers.facebook.com/docs/privacy
7. Meta’s Terms and Conditions
The following is in Meta’s legal terms and you must agree to it before using a Meta product. You, the website or app operator, state that you have a legal basis (consent) to gather the data and send it to Facebook.
You represent and warrant, without limiting anything in these terms, that you have all necessary rights and permissions and a lawful basis to disclose and use the Hashed Data in compliance with all applicable laws, regulations, and industry guidelines. If you are using a Facebook identifier to create an Audience, you must have obtained the identifier directly from the data subject in compliance with these terms.
https://www.facebook.com/legal/terms/customaudience
The key takeaways:
- You can’t set a Meta pixel or cookie on a user’s device without consent.
- The collection of the user’s data takes place before the hashing. You, as the website or app owner, need consent to collect user data.
- The hashing just means that Meta can’t see the actual data. You still need the user’s consent to hash their data and share it with Meta.
- In Meta’s legal terms, you warrant that you are using the correct legal basis (consent) to collect the data and share it with Meta.
Get in touch for expert advice on your data protection needs
For up-to-date and reliable data protection advice, the outsourced data protection experts at Sapphire Consulting are here to help.
Our consultancy is straightforward and actionable, giving you easy-to-understand advice on implementing robust data protection measures that adhere to the GDPR. Explore our support services to see some of what we offer, or get in touch with us today to find out more.