NJORD Estonia: Google Analytics, Facebook Custom Audience, and GDPR – is it possible to harmonise them?
Nowadays, most companies rely on Google Analytics and Facebook Custom Audiences when taking out an ad. These online marketing tools allow them to target the audience of digital advertisements more accurately in order to increase impact and reduce costs. However, the use of data-driven marketing tools also requires companies to measure up their privacy and data protection standards in respect of the European Union’s General Data Protection Regulation (GDPR).
Since the GDPR became applicable on 25<sup>th</sup> May 2018, courts have already assessed the data protection compliant use of Google Analytics and Facebook Custom Audiences. German courts confirmed the companies’ liability for data breaches in case it uses Google Analytics and Facebook Custom Audience without choosing the GDPR compliant settings.
Google is not the only culprit in case of data breaches through Google products. Google Analytics is a comprehensive analytics tool that provides useful data and valuable insights on a website’s performance and as such is very popular among companies. Once the company turns on Google Analytics for its website, the visitors’ IP addresses are transmitted to Google and evaluated for analytics purposes. Google Analytics returns the evaluated data in an encrypted and aggregated form. Yet, depending on the website settings, Google may receive those data either anonymized or not. Now a German court held a company liable for the transmission of unencrypted IP addresses after it failed to activate IP anonymization for its website. It also clarified that the lawful transmission of IP addresses without anonymization would require specific consent as the users’ consent of the general terms and conditions does not suffice.
Similarly, companies must be careful with their use of personal data when applying Facebook Custom Audiences (FCA). Facebook’s powerful marketing tool FCA allows companies to upload customer data such as email addresses or phone numbers to the company’s Facebook account. Facebook will match the provided data with users’ profiles and feed in any data it may retrieve from other sources in order to increase the efficiency of the company’s targeted ads. Once again, a court in Germany ruled that the data subjects must specifically consent to the use of their data for FCA; the individuals’ data protection rights prevail over the company’s legitimate interest of targeted advertisement. Furthermore, the judges deemed the company as the sole controller of the data processing for FCA purposes whereas Facebook is considered a third party, not a processor.
In conclusion, any company using Google Analytics or Facebook Custom Audiences in their marketing strategy must make sure to collect and process their customers’ data in accordance with the GDPR. That also entails checking the settings of Google Analytics and Facebook Custom Audience one by one. In case they are not GDPR compliant or the required consents have not been obtained, the controller may face significant penalties and reputation loss.
<em>Authors: NJORD Law Firm attorney Siiri Kuusik and trainee Stephanie Arnold</em>