1. Sales & Marketing
  2. Finances
  3. Your Team
  4. Technology
  5. Social Media
  6. Security
We are here for your business - COVID-19 resources >
Product and service reviews are conducted independently by our editorial team, but we sometimes make money when you click on links. Learn more.
Grow Your Business Social Media

How Facebook's GDPR Policy Shift Does (And Doesn't) Impacts Advertisers

image for Ink Drop/Shutterstock
Ink Drop/Shutterstock

In the European Union, the imminent arrival of the General Data Protection Requirements (GDPR) in May 2018 has companies scrambling to develop comprehensive policies to bring them in compliance with the law. The intent of GDPR is to grant users greater transparency into how their data is collected and used as well as increase their ability to consent (or not) to that usage. [Learn more about what GDPR means for businesses.]

Naturally, large tech companies that have founded their business models on collecting, processing and even selling data are some of the primary organizations affected by the GDPR's implementation. Chief among them is Facebook, which recently suffered a scandal due to its handling of user data when political data firm Cambridge Analytica obtained the profiles of millions of users and targeted them with political ads. Like many companies, Facebook recently altered its policies in preparation for GDPR granting greater insights and control to (some of) its users.

"Facebook will be continuously updating and giving tools to EU users that may not be available to those of us in the U.S.," said Robert LaMagna-Reiter, senior director of IT security at First National Technology Solutions (FNTS). "They'll be granularly allowing people to request how their data is being used and to expunge that data."

In short, GDPR is a comprehensive law governing the handling and protection of user data set forth by the European Union. The law is intended to insulate users from data breaches while giving them greater insight into and latitude over how their data is collected and used.

In practice, this means regularly updating users when their data will be used for any purposes other than those which they originally consented to. It also means preserving users' "right to be forgotten," in the event they wish to cancel service and take their data with them.

For companies like Facebook, which derive the lion's share of their revenue from user data, this represents a massive shift in legal responsibility. As a result, they are changing their policies to comply with their best interpretation of GDPR.

Facebook has already announced policy changes in response to GDPR's impending implementation. Currently, it appears these changes will only affect users in the EU, while Facebook's policies remain status quo elsewhere.

"As soon as GDPR was finalized, we realized it was an opportunity to invest even more heavily in privacy," wrote Erin Egan, vice president and chief privacy officer of policy, and Ashlie Beringer, vice president and deputy general counsel. "We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook."

In essence, Facebook's new policies will ask users to review ads based on data from partner sites, review the information in their profiles, decide whether they want to utilize facial recognition technology, and agree to its new terms of service.

In addition, Facebook will deploy new tools, which empower EU users to access their own data, download desired information, and even delete unwanted data that's been collected. These tools are explicitly in response to GDPR's policies that require users to have more control over how their data is stored and utilized.

In short, GDPR means advertising using Facebook data could become a little trickier. All in all, it's possible that advertising will be the same, but each party involved will need to ensure compliance. Consumer behavior also has a lot to do with how useful the data will be. It's possible that if many consumers opt-out or exercise their "right to be forgotten," some of the data becomes less effective.

"Much depends on what information Facebook makes available for the advertisers," LaMagna-Reiter said. "The advertisers would have to ensure they're also GDPR compliant if they're accessing data on EU-citizens to target them for marketing and sales."

Overall, though, small businesses and advertisers should expect little external change. While it will be essential to revamp policies and procedures of their own in accordance with GDPR, using data as a marketing tool will remain an effective tactic for marketers in any industry.

"Marketers will need to start working closely with their security and legal departments to make sure they are aligning with the company's security requirements," he added. "As long as marketers are following the regulations and taking the security of the customer data they have seriously, there should be little to no impact."

The short answer is, in the short term, no. Companies that have founded their business model on the collection and analysis of user data are unlikely to voluntarily extend these protections to geographical locations that are not governed by a law like the GDPR. Doing so would undoubtedly cut into their revenue stream at least a little bit, and they're unlikely to risk that without a clear threat of regulatory pushback.

"Facebook is really going in with a fine-toothed comb and saying to citizens, 'Only in [the] EU will [GDPR] apply, but everyone outside [of the EU] will be subject to standard international law," LaMagna-Reiter said. "I don't think it would be too difficult for Facebook to make the GDPR requirement changes available worldwide, but for them, it comes down to a business decision that they want to have the most access to data as possible, because that directly impacts their business model."

However, it might not be long before the U.S. implements a GDPR of its own, according to LaMagna-Reiter. If that becomes an apparent reality, Americans could find themselves seeing the same types of tools and notifications rolling out on Facebook as well as Google.

"I think the GDPR will ultimately, in some fashion, make its way to the U.S.," LaMagna-Reiter said. "I don't know how soon that will happen, but if organizations feel GDPR doesn't apply to them, this is still an opportunity to begin working on plans of action in spirit, so when the time comes that there is some privacy overhaul in the U.S., they'll be ready."

"I don't think a good outlook is to ignore GDPR," he added. "Keep an eye on it and stay abreast as to how it might evolve to impact you personally or your organization."

Adam Uzialko

Freelance editor at business.com. Responsible for managing freelance budget, editing freelance and contributor content, and drafting original articles. Also creates product and service reviews to assist business.com readers in buying decisions for their businesses. VP and co-founder of CannaContent, a digital marketing company dedicated to the cannabis, hemp, and CBD industries. Focused specifically on the content marketing arm of the company, creating blogs, press releases, and website copy for clients spanning the entire supply chain. Avid fan and indispensable ally of the feline species. Music lover, middling guitarist, and unprompted vocalist. Miniature painter who loves sci-fi and fantasy. Armchair political philosopher with a tendency to read old books written by men with unusually large beards. Ask me about all things writing!