2018 has been a rough year for Facebook. On the heels of its Russia scandal and amid mounting revelations about Cambridge Analytica’s mining of user information on the platform, consumers have become ever more wary of Facebook’s sharing of user information with third parties.
To further complicate matters, Facebook, like every global internet platform, has had to overhaul its privacy practices to comply with the E.U. General Data Protection Regulation, which became effective on May 25.
One of the most seismic shifts for marketers who leverage Facebook is its overhaul of the outside data it uses for targeting. This year, Facebook decided to discontinue its use of data from third-party brokers, and very recently imposed more robust restrictions on data provided by marketers themselves. This article reviews what public relations and marketing firms need to know about these new restrictions before they agree to handle their clients’ data on Facebook.
How Facebook leverages outside data
Facebook’s appeal to marketers is obvious. According to Facebook, 2 billion people use Facebook every month. Facebook users furnish troves of data to Facebook as a regular part of using the platform. This includes profile information, such as the user’s age, gender, and location. This also includes data that Facebook collects regarding the user’s interaction with content on the platform. Marketers love Facebook, because this data offers an unparalleled insight into user behavior and a granular way to target users. In recent years, marketers have also leveraged increasing amounts of outside data to create even more robust targeting on Facebook.
In 2013, Facebook introduced the partner categories program, which made available data from third-party vendors such as Acxiom, Oracle Data Cloud (Datalogix), and Experian. These data sets allowed marketers to create specific segments based on users’ offline behavior, such as vehicle ownership, household income, or spending patterns. In March, citing concerns for user privacy, Facebook announced that it would be ending the partner categories program, effectively ending the use of third-party data on Facebook.
Facebook’s new first-party data policies
With partner categories no longer on the table, marketers are instead limited to using "first-party" data, or data that they collect themselves and provide to Facebook. Facebook’s custom audiences program allows advertisers to leverage data that they collect from their customers – in particular, their phone numbers and email addresses. Facebook matches that data with its own user data through a process known as "hashing." This enables marketers to target specifically their own customers or prospective customers on Facebook.
On May 25, Facebook updated the terms applicable to the custom audiences program. Facebook now requires all marketers and their agencies to affirmatively agree to a four important provisions relating to their collection and use of data.
Marketers and their agencies must represent that they have "all necessary rights and permissions" to provide the data;
Marketers and their agencies must also represent and agree that the data is offered "in compliance with all applicable laws, regulations, and industry guidelines;"
Marketers are forbidden from uploading data about any individual who has opted out of having their data used for targeted advertising or marketing;
Any party providing data on behalf of marketers must "represent and warrant that it has the authority as agent to the advertiser [or marketer] to disclose and use such data on their behalf and will bind the advertiser to these terms."
Many of these requirements existed in some form in prior iterations of Facebook’s terms. However, Facebook is now placing them up-front and requiring marketers and agencies to affirmatively agree to them. Facebook is also expected to introduce even more robust requirements in the future. These changes demonstrate that Facebook expects agencies and marketers to be obtaining the necessary rights to any data that they use to target users on the platform.
The bottom line for PR firms
Facebook’s updated terms have broad implications for agencies that manage "advertiser" accounts on Facebook. Social-media agencies seldom collect information such as email addresses or phone numbers, instead relying on their clients to supply that information from their own customer records. This can put agencies between the proverbial rock and a hard place. On the one hand, these agencies are the ones interacting with Facebook and being required to agree to these terms. Yet, on the other hand, these agencies have no real way to know whether the data they are providing is in compliance.
For this reason, agencies should ensure that they have the right to enter into user agreements of this type on behalf of their clients, rather than on the agency’s own behalf. Facebook specifically requires that agencies entering into the custom audience terms agree on behalf of their clients. This is beneficial for agencies since it puts much of the legal responsibility on the client, rather than agencies. However, PR firms need specific permission from their clients to do so. This permission may be obtained in a provision in the agency client agreement or in a standalone agreement. A PR firm that fails to get such permission runs the risk of shouldering 100% of the legal risk without any way to verify whether it is in compliance in the first place.
On a broader level, PR firms should also do what they can to ensure that their clients’ data practices do not expose them to liability. At a minimum, the party providing the data, most often the client, should be representing that the data was collected in compliance with applicable laws, and that it has obtained all necessary consents in order to share the data as contemplated. The client should also be indemnifying the PR firm for any claims arising out of the agency’s use of that data.
Here again, appropriate modifications to the indemnification provisions in standard form of agency client agreement may be in order. Finally, there is simply no question that there is an increasingly complex legal and regulatory environment regarding user data. Therefore, PR firms and marketers would be well advised to consult experienced legal counsel before leveraging user data on the internet.
Michael Lasky is senior partner at the law firm of Davis & Gilbert, where he heads the PR practice and co-chairs the litigation department. He can be reached at firstname.lastname@example.org.