Dear Facebook: here are 4 issues with how advertisers operate on your site
Our letter to Facebook with 4 simple steps to improve both transparency for its users and make the exercise of their rights easier
Dear Facebook,
We are writing to you today following Privacy International’s investigation into brands advertising on Facebook conducted over the past few months.
Privacy International (“PI”) is a UK-registered charity that promotes the right to privacy at an international level. It is solely responsible for the research and investigation underpinning its publications.
In an attempt to exercise our rights under GDPR (specifically the right to data access) as Facebook users and better understand how our data is being used, we examined the information Facebook provides on the companies that use its platform for advertising. Our attention was particularly directed at “Advertisers Who Uploaded a Contact List With Your Information”, which appears to have now been renamed “Businesses who uploaded and used a list”, with the addition of separate section “Whose website, app or shop you’ve interacted with”. Indeed, companies engaging in such activity must have a legal basis to process personal data and must able to provide details about this data (collection, who has been shared with, etc.).
During our investigation we observed a number of issues which prevented users from exercising their rights and from gaining a fair and meaningful understanding of how targeted advertising operates on Facebook.
Our findings are available here: https://privacyinternational.org/long-read/3857/2020-facebook-users-odyssey
Below are four key issues we identified. We believe Facebook can take simple steps to improve both transparency for its users and make the exercise of their rights easier. These steps are by no means exhaustive but go a small way to addressing some of these issues and improve compliance with data protection laws such as the EU General Data Protection Regulation (“GDPR”).
We do hope Facebook will take the necessary steps to address our concerns.
Issue 1: Facebook’s “Download Your Information” and “Businesses who uploaded and used a list” feature is currently not exhaustive, despite the description of the feature, for advertising-related information. As demonstrated in our research, information related to “advertisers who have uploaded a contact list with your information” (now “Businesses who uploaded and used a list”) is incomplete and only covers an undefined period of time while this features supposedly provides data associated with the account since its creation (as indicated by the dates on the archive download page). This archive also provides no information regarding when the list was uploaded.
Recommended action:
- Make “download your information” and “Businesses who uploaded and used a list” comprehensive, accurate and list all advertisers who uploaded a list with users’ data since account creation.
- Include the first and last date on which the list was uploaded. This will be a step towards transparency and give users an opportunity to begin to assess which company or companies might unlawfully process their personal data.
Issue 2: Information provided about advertisers is insufficient for users to exercise their rights. Providing the Facebook page of an advertising company or even an artist as the only means of contact it is not enough to allow users to send Data Subject Access Requests or requests to exercise other data rights such as the right to Object or to Erasure. The lack of upfront information, forces users to fall back on alternative methods to find out contact details, potentially leaving them unable to get in touch with an advertiser and exercise their rights.
Recommended action:
- Ensure the provision of contact information for each advertiser (preferably the email address of the Data Protection Officer) in the relevant places (i.e. Download your info, off-Facebook and in ad preferences – advertisers/ businesses that have uploaded a list - which is the focus of the research). We note that Facebook recently added a pop-up ‘view controls’ in its advertising section with a space dedicated to contact information. The inclusion of a website in some cases is a welcome addition but providing an email address which is monitored regularly should be mandatory for advertisers to allow users to exercise their rights. Indeed, this is important given the obligation in Article 12(2) of GDPR to facilitate the exercise of data subject rights and under Articles 13(1(a & b)) and 14(1)(a& b) to provide the contact details of the data controller and the data protection officer, where applicable.
Issue 3: There is a lack of transparency regarding what information advertisers uploaded and the source of it. Users are unable to determine if their phone number, email address or Facebook ID was used as the unique identifier and therefore cannot determine if the advertiser is lawfully processing this data. Advertisers themselves demonstrated difficulties in answering data subject access requests and understanding how targeting was happening given the little information from Facebook that users are able provide. Similarly, the relation between the list uploaded and the advertisers using the list is currently unclear
Recommended action:
- Provide the user with information about the data uploaded by the advertiser used to target or exclude them from ads. This will allow users to identify if there are legitimate reasons for this advertiser to process this data. From the user perspective, this information should be easily accessible and explicit through language such as “This advertiser uploaded a customer list with your email address”.
- Additionally, we suggest adding four mandatory columns to the customer list upload system for advertisers to provide legal basis, data collection means, data source and data collection date. This information could be provided to the user in a simple and understandable sentence, e.g. “this advertiser used your email address to identify you. They obtained this information in [2018], from [newsletter signup], and rely on [consent] to target you”. Not only would this improve transparency for the user as to how their data is processed, supporting compliance with Articles 5(1)(a), 12, 13, 14 and 15 of GDPR but it would also help to ensure that both Facebook and advertisers are complying with the accountability principle of GDPR (Article 5(2)).
- Clarify Facebook’s position regarding the use of third parties as a number of advertisers seems to be using data uploaded by other parties to exclude or target users on Facebook. It is currently unclear if this is a feature offered by Facebook (to allow sharing of customer lists) or advertisers practices. It should be clear what third parties are involved and their role in relation to any data.
Issue 4: A related issue, is the lack of information provided by Off-Facebook activity feature. While this feature is not directly related to the customer list upload, its role in offering more transparency to users in regards to how they are tracked for targeting purposes is relevant. In its current form, this feature does not provide sufficient information to users about what technology was used to track them. It is unclear whether there is a link between this feature and Facebook Custom Audiences, i.e. whether the Off-Facebook interactions are also uploaded by advertisers within the Facebook Custom Audiences tool. It is also unclear as to what the activity is and how it was traced back to the user. Users have no information regarding specifically what allowed a given app or site to identify them and link it to their Facebook profile.
Recommended action:
- Provide extensive information on Off-Facebook activities to allow users to understand how they were tracked. This includes exposing the technology used to identify the user off site (cookie, Facebook pixel, advertising ID on mobile) and the precise identifiers used.
- Provide more information about/ facilitate the exercise of data subject rights through this feature, including for example, objecting to this activity being shared with Facebook.
We appreciate some of these actions require more effort than others, but in most cases they rely on Facebook providing information it already processes on its users.
We appreciate that Facebook has taken incremental steps to increase transparency such as providing information about advertisers and off-Facebook activity. However, given the vast role Facebook plays in online advertising and taking into account the obligations under GDPR (in particular the principles of transparency, fairness and lawfulness as well as accountability and the obligations under Articles 12, 13, 14 and 15), Facebook still has a long way to go. These steps are therefore much needed.
We would also appreciate a clear timeline of the various steps that Facebook has taken to increase transparency for users and facilitate the exercise of their data subject rights over the last two years.
We understand these are challenging times but would appreciate and look forward to, a response by 1st of July 2020.
We will assume that any response provided to us may be published unless otherwise notified.
Sincerely yours,
PI