NJORD Estonia: Google Analytics, Facebook Custom Audience, and GDPR – is it possible to harmonise them?

Loe eestikeelset versiooni SIIT

Nowadays, most companies rely on Google Analytics and Facebook Custom Audiences when taking out an ad. These online marketing tools allow them to target the audience of digital advertisements more accurately in order to increase impact and reduce costs. However, the use of data-driven marketing tools also requires companies to measure up their privacy and data protection standards in respect of the European Union’s General Data Protection Regulation (GDPR).

Since the GDPR became applicable on 25th May 2018, courts have already assessed the data protection compliant use of Google Analytics and Facebook Custom Audiences. German courts confirmed the companies’ liability for data breaches in case it uses Google Analytics and Facebook Custom Audience without choosing the GDPR compliant settings.

Google is not the only culprit in case of data breaches through Google products. Google Analytics is a comprehensive analytics tool that provides useful data and valuable insights on a website’s performance and as such is very popular among companies. Once the company turns on Google Analytics for its website, the visitors’ IP addresses are transmitted to Google and evaluated for analytics purposes. Google Analytics returns the evaluated data in an encrypted and aggregated form. Yet, depending on the website settings, Google may receive those data either anonymized or not. Now a German court held a company liable for the transmission of unencrypted IP addresses after it failed to activate IP anonymization for its website. It also clarified that the lawful transmission of IP addresses without anonymization would require specific consent as the users’ consent of the general terms and conditions does not suffice.

Similarly, companies must be careful with their use of personal data when applying Facebook Custom Audiences (FCA). Facebook’s powerful marketing tool FCA allows companies to upload customer data such as email addresses or phone numbers to the company’s Facebook account. Facebook will match the provided data with users’ profiles and feed in any data it may retrieve from other sources in order to increase the efficiency of the company’s targeted ads. Once again, a court in Germany ruled that the data subjects must specifically consent to the use of their data for FCA; the individuals’ data protection rights prevail over the company’s legitimate interest of targeted advertisement. Furthermore, the judges deemed the company as the sole controller of the data processing for FCA purposes whereas Facebook is considered a third party, not a processor.

In conclusion, any company using Google Analytics or Facebook Custom Audiences in their marketing strategy must make sure to collect and process their customers’ data in accordance with the GDPR. That also entails checking the settings of Google Analytics and Facebook Custom Audience one by one. In case they are not GDPR compliant or the required consents have not been obtained, the controller may face significant penalties and reputation loss.

Authors: NJORD Law Firm attorney Siiri Kuusik and trainee Stephanie Arnold

Latest news

NJORD Estonia: Four options to employ additional labour for the holidays

The holiday season is often accompanied by a shortage of own personnel. Due to an increase in shopping activity, additional labour must be hired, e.g. by shops and manufacturing companies. Based on the rules of working and rest time, the existing employees cannot perform the extra work related to the temporary increase in workload. There are four options to solve the situation.

NJORD Latvia: Money laundering cases and practice

According to the information provided by the Financial Intelligence Service (FID), 102 criminal cases involving money laundering were initiated in the first half of this year. Of these, 55% referred to autonomous money laundering offenses. As a consequence, the FID issued 159 freezing orders of €104.8 million of alleged proceeds. This sum already exceeds that of all of 2018, when assets totaling €101.5 million were frozen. By the end of this year, the FID has plans to freeze a further €200 million.

NJORD Estonia: The use of AI in dermatology and skincare

AI is believed to have great potential in the field of dermatology and skincare. Currently, different solutions are being developed in order to personalise skincare for people. For example, algorithms can be developed, which make use of computer vision and machine learning in order to help people find the right skincare treatments for them. There are two ways how AI is used for this. First, it is possible to develop computer and mobile applications, which analyse the skin of a person based on the person’s selfie. The application analyses, what the person’s skin type is and what kind of products or treatments the person should use.

Get the latest legal news

We gladly share our knowledge with you. Subscribe to our newsletters.

Subscribe here