29.07.2019

News

NJORD Estonia: Google Analytics, Facebook Custom Audience, and GDPR – is it possible to harmonise them?

Loe eestikeelset versiooni SIIT

Nowadays, most companies rely on Google Analytics and Facebook Custom Audiences when taking out an ad. These online marketing tools allow them to target the audience of digital advertisements more accurately in order to increase impact and reduce costs. However, the use of data-driven marketing tools also requires companies to measure up their privacy and data protection standards in respect of the European Union’s General Data Protection Regulation (GDPR).

Since the GDPR became applicable on 25th May 2018, courts have already assessed the data protection compliant use of Google Analytics and Facebook Custom Audiences. German courts confirmed the companies’ liability for data breaches in case it uses Google Analytics and Facebook Custom Audience without choosing the GDPR compliant settings.

Google is not the only culprit in case of data breaches through Google products. Google Analytics is a comprehensive analytics tool that provides useful data and valuable insights on a website’s performance and as such is very popular among companies. Once the company turns on Google Analytics for its website, the visitors’ IP addresses are transmitted to Google and evaluated for analytics purposes. Google Analytics returns the evaluated data in an encrypted and aggregated form. Yet, depending on the website settings, Google may receive those data either anonymized or not. Now a German court held a company liable for the transmission of unencrypted IP addresses after it failed to activate IP anonymization for its website. It also clarified that the lawful transmission of IP addresses without anonymization would require specific consent as the users’ consent of the general terms and conditions does not suffice.

Similarly, companies must be careful with their use of personal data when applying Facebook Custom Audiences (FCA). Facebook’s powerful marketing tool FCA allows companies to upload customer data such as email addresses or phone numbers to the company’s Facebook account. Facebook will match the provided data with users’ profiles and feed in any data it may retrieve from other sources in order to increase the efficiency of the company’s targeted ads. Once again, a court in Germany ruled that the data subjects must specifically consent to the use of their data for FCA; the individuals’ data protection rights prevail over the company’s legitimate interest of targeted advertisement. Furthermore, the judges deemed the company as the sole controller of the data processing for FCA purposes whereas Facebook is considered a third party, not a processor.

In conclusion, any company using Google Analytics or Facebook Custom Audiences in their marketing strategy must make sure to collect and process their customers’ data in accordance with the GDPR. That also entails checking the settings of Google Analytics and Facebook Custom Audience one by one. In case they are not GDPR compliant or the required consents have not been obtained, the controller may face significant penalties and reputation loss.

Authors: NJORD Law Firm attorney Siiri Kuusik and trainee Stephanie Arnold

Latest news

NJORD strengthens the partnership

We are pleased and proud to welcome NJORD’s new partner, Anders Wernblad, who is an expert on IT law and e-commerce. On 1 August, Anders joined NJORD as a new partner at our offices in Copenhagen.

NJORD Latvia: Companies, which failed to disclose their beneficiaries, will be excluded from Latvian Register of Enterprises

On 29 June 2019, new amendments to the law “On the Prevention of Money Laundering and Terrorism Financing” (the Law) became effective. In accordance with these amendments, the Register of Enterprises of the Republic of Latvia (the Register) was granted the right to liquidate a commercial company, if it failed to submit to the Register information on its beneficial owners (beneficiaries).

Get the latest legal news

We gladly share our knowledge with you. Subscribe to our newsletters.

Subscribe here