How Data Protection Relates to Meta, Custom Audiences, Advanced Matching and Pixels
Recently, we’ve seen agencies stating that because data is ‘hashed’ before it is sent to Meta (the parent company that oversees Facebook, Instagram and WhatsApp, to name a few), it complies with all privacy laws. This is an oversimplification and isn’t correct.
Data and Meta: the key legal points:
- You can’t set a Meta pixel or cookie on a user’s device without consent.
- The collection of the user’s data takes place before the hashing. You, as the website or app owner, need consent to collect user data.
- The hashing just means that Meta can’t see the actual data. You still need the user’s consent to hash their data and share it with Meta.
- In Meta’s legal terms, you warrant that you are using the correct legal basis (consent) to collect the data and share it with Meta.
Everything you need to know about Meta and the GDPR
1. What is ‘hashed’ data?
In data protection terms, hashed data refers to data that has been transformed from its original state into a code (called a ‘hash’). Regardless of the amount of data converted to a hash, the resulting string of code will be the same length when generated.
As you may have guessed, this can serve the purpose of making the hashed data more secure, as it can’t be ‘read’ before retrieval.
2. What is a cookie?
Cookies are a form of technology, usually consisting of small pieces of text, that can be used to store or access information on a user’s computer, mobile device, or other electronic device. Cookies may be used for a number of purposes, such as remembering the choices or preferences of a user on a website, supporting user login, or analysing traffic to a website. Other technologies, including data stored on web browsers or devices, identifiers associated with a device, and other software, may also be used for similar purposes. All of these technologies are referred to as cookies.
3. What is a Meta pixel?
The Meta pixel is a snippet of JavaScript code that allows you to track visitor activity on your website. It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting and to analyse the effectiveness of your website’s conversion funnels.
Pixels rely on Facebook cookies, which enable Meta to match your website visitors to their respective Facebook User accounts.
Find out more about Meta pixels on Facebook’s Developer website.
4. What is Meta’s Advanced Matching?
Advanced Matching will tell your Meta pixel to look for recognisable form fields and other sources on your website that contain information such as first name, surname and email address. The Meta pixel receives that information along with the event, or action, that took place.
This is the data that a Meta pixel will collect:
- First name
- Last name
- Phone
- Any external ID, such as a loyalty card number
- Gender
- Date of birth
- City
- State, province or county
- Post code
- Country
https://developers.facebook.com/docs/meta-pixel/advanced/advanced-matching
Is data collected by the Meta pixel hashed?
Yes, this information is ‘hashed’ before being sent to Meta. However, the collection takes place before the hashing and this is where you need consent to collect this data in the first place.
5. What are Meta’s Custom Audiences?
A Custom Audience is an ad targeting option that lets you find your existing audiences among people who are on Facebook.
If you are tracking conversions, you can segment your website visitors into groups based on the actions they have taken on your website. These groups are the custom audiences. Once you have defined a custom audience, you can optimize your ad sets to target other Facebook users who match that audience’s criteria.
A Custom Audience made from a customer list is a type of audience you can create to connect with people who have already shown an interest in your business or product. It’s made of information – called “identifiers” – you’ve collected about your customers (such as email, phone number and address) and provided to Facebook. Prior to use, Facebook hashes this information.
Then, Facebook uses a process called matching to match the hashed information with Facebook profiles so that you can advertise to your customers on Facebook and Instagram.
https://www.facebook.com/business/help/341425252616329?id=2469097953376494
Yes, this information is ‘hashed’ before being sent to Meta. However, the collection takes place before the hashing and this is where you need consent to collect this data in the first place.
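The sketch below is an added example, not code from Meta or from the original article. It walks through the flow described above: the site reads the plain identifier first, hashes it to a fixed-length code, and the receiving platform matches that code against hashes of its own accounts. SHA-256, the trim-and-lowercase normalisation, the function names and all sample data are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// Assumed normalisation: both sides must agree on it or nothing matches.
function normaliseEmail(raw) {
  return String(raw).trim().toLowerCase();
}

// SHA-256 always yields 64 hex characters, whatever the input length.
function hashIdentifier(value) {
  return crypto.createHash('sha256').update(value, 'utf8').digest('hex');
}

// Site side: the plaintext identifier is collected BEFORE it is hashed,
// so consent has to exist at this point, not after.
function prepareForUpload(rawEmails) {
  return rawEmails.map((e) => hashIdentifier(normaliseEmail(e)));
}

// Platform side: hash the known account emails the same way and join on
// the digest. A match still singles out one person, so the hash is a
// pseudonymous identifier rather than anonymous data.
function matchAudience(uploadedHashes, platformAccounts) {
  const index = new Map(
    platformAccounts.map((a) => [hashIdentifier(normaliseEmail(a.email)), a.profileId])
  );
  return uploadedHashes.filter((h) => index.has(h)).map((h) => index.get(h));
}

// Constructed sample data (not real customers or profiles).
const customerList = ['  Alice@Example.com ', 'bob@example.org', 'carol@example.net'];
const platformAccounts = [
  { profileId: 'P-1001', email: 'alice@example.com' },
  { profileId: 'P-1002', email: 'dave@example.com' },
  { profileId: 'P-1003', email: 'BOB@example.org' },
];

const uploaded = prepareForUpload(customerList);
const matched = matchAudience(uploaded, platformAccounts);
console.log(uploaded.map((h) => h.length), matched);
```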
6. Finally, how does the GDPR impact on using Advanced Matching and Custom Audiences?
You need consent from a website visitor to set a cookie or pixel on their device.
Requirements:
- You must obtain user consent before setting/reading cookies or other trackers for any purposes that are not strictly-necessary or otherwise exempt;
- You must provide the user with clear and comprehensive information about the use of cookies.
For cookie consent to be valid, it must be:
- Freely given — The user has a genuine choice.
- Specific and informed — You must explain who is using the cookies, the purposes for which cookies are being used, and that the individual has the right to easily withdraw consent at any time.
- Unambiguous and affirmative — The consent moment involves a clear and positive action, such as physically clicking on an opt-in box to indicate consent.
You should consider carefully how you secure consent from a user to ensure that you meet the necessary requirements under the law and to avoid the risk of consent being deemed invalid.
How to obtain cookie consent
Cookie banner with an “I agree” button:
- You need to decide what affirmative action a user must take to consent, such as clicking I agree in a banner or splash screen that includes specific information as described below.
- Consent should be requested prior to setting/using cookies that are not strictly necessary.
- You must communicate to users that by taking the relevant action, they are consenting.
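One way to enforce these requirements in the page's own script is a consent gate that sits in front of the tracker. This is an added example, not code from Meta or the original article; `createConsentGate`, the `tracker` object with `load` and `send`, and the `'marketing'` purpose are hypothetical names.

```javascript
// Hypothetical names throughout: createConsentGate, tracker.load/send, 'marketing'.
function createConsentGate(tracker) {
  const granted = new Set();   // empty by default: no consent, nothing loaded
  const audit = [];            // record of consent changes for accountability
  let loaded = false;
  const record = (action, purpose) => audit.push({ action, purpose, at: Date.now() });
  return {
    // Call only from the opt-in control's click handler; scrolling is not consent.
    grant(purpose, userAction) {
      if (userAction !== 'click') return false;
      granted.add(purpose);
      record('grant', purpose);
      if (purpose === 'marketing' && !loaded) {
        tracker.load();        // third-party script is injected only now
        loaded = true;
      }
      return true;
    },
    // Withdrawal takes effect immediately.
    withdraw(purpose) {
      granted.delete(purpose);
      record('withdraw', purpose);
    },
    // Events and form-derived fields are forwarded only while consent holds.
    track(eventName, fields) {
      if (!granted.has('marketing')) return false;
      tracker.send(eventName, fields);
      return true;
    },
    auditLog: () => audit.slice(),
  };
}

// Constructed demo with a stub tracker that records what would be sent.
function demo() {
  const calls = [];
  const gate = createConsentGate({
    load: () => calls.push('load'),
    send: (name) => calls.push('send:' + name),
  });
  gate.track('PageView', {});              // dropped: no consent yet
  gate.grant('marketing', 'scroll');       // rejected: not an affirmative act
  gate.grant('marketing', 'click');        // loads the tracker
  gate.track('Purchase', { em: 'a@example.com' });
  gate.withdraw('marketing');
  gate.track('Purchase', {});              // dropped after withdrawal
  return calls;
}
console.log(demo());
```

On a real site, `withdraw` would also need to clear any cookies the tracker has already set.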
Information to include in your cookie notice:
Websites and apps should display a clear, concise, and comprehensive statement upfront, with a link to their privacy or cookie notices for more detail. The link should be easily readable text and undisrupted by other features on the page.
In your notice, you’ll need to decide how to include more information, such as:
- Accurate and specific information about the purposes for which you use cookies and similar technology, and their duration, in plain user-friendly language
- Any additional information about the specific third-party technologies you use (if any), including Facebook, and the purpose of these technologies
- Information that explains how the user may reject non-necessary cookies, or to understand more information about the use of cookies
- Any granular controls for non-essential cookies you or third-parties provide.
https://developers.facebook.com/docs/privacy
7. Meta’s Terms and Conditions
The following is in Meta’s legal terms and you must agree to it before using a Meta product. You, the website or app operator, state that you have a legal basis (consent) to gather the data and send it to Facebook.
You represent and warrant, without limiting anything in these terms, that you have all necessary rights and permissions and a lawful basis to disclose and use the Hashed Data in compliance with all applicable laws, regulations, and industry guidelines. If you are using a Facebook identifier to create an Audience, you must have obtained the identifier directly from the data subject in compliance with these terms.
https://www.facebook.com/legal/terms/customaudience
The key takeaways:
- You can’t set a Meta pixel or cookie on a user’s device without consent.
- The collection of the user’s data takes place before the hashing. You, as the website or app owner, need consent to collect user data.
- The hashing just means that Meta can’t see the actual data. You still need the user’s consent to hash their data and share it with Meta.
- In Meta’s legal terms, you warrant that you are using the correct legal basis (consent) to collect the data and share it with Meta.
Get in touch for expert advice on your data protection needs
For up-to-date and reliable data protection advice, the outsourced data protection experts at Sapphire Consulting are here to help.
Our consultancy is straightforward and actionable, giving you easy-to-understand advice on implementing robust data protection measures that adhere to the GDPR. Explore our support services to see some of what we offer, or get in touch with us today to find out more.