by threeseed 2109 days ago
This is a core feature of every ad platform I've seen and is absolutely not a violation of the GDPR since users are giving consent when they sign up.

You've signed up for a web service and never seen ads on other sites for it? Very strange.


> users are giving consent when they signup

Questionable. I guarantee the vast majority of users don't even read the massive legalese text walls companies show them before they sign up. Usability studies have shown that people don't even read small error messages, they just want to get rid of the annoying message as quickly as possible. The few of them that actually do read these things probably won't have the foggiest idea what any of it means or the risks associated with the breach of their privacy. So how could this be real informed consent?

Of course, we also have sites where this document is not shown at any time and can only be reached through a link buried in the page's footer. Sites that just write whatever terms they want into this hidden page and then say everyone is agreeing with it by virtue of using the site.

A legalese wall or a banner saying "by using this site you agree to ..." is not GDPR-compliant anyway: https://ico.org.uk/for-organisations/guide-to-data-protectio...

Under the GDPR, any non-essential data processing (analytics, ads, marketing, etc. fall into that) should be opt-in, and dark patterns like pre-ticked checkboxes are not allowed.

> Under the GDPR, any non-essential data processing (analytics, ads, marketing, etc. fall into that) should be opt-in

This isn't strictly true. Consent is only one lawful basis for processing under GDPR, and it comes with a lot of strings attached that other bases don't necessarily have, which is why so many lawyers and consultants were recommending against relying on it unless it was the only way during the mad rush to GDPR compliance a few years back.

In particular, even some of the regulators have themselves indicated that marketing might be a legitimate interest of a business. Obviously the details matter here, and handing personal data over to third parties like Facebook without their knowledge or consent seems materially different to, for example, the original business sending a relevant email about a new product that is related to something that the recipient already bought from them. Time will tell how the regulators decide to handle this.

That's the problem: that spam is in the business's interest, not the customer's interest.

> This is a core feature of every ad platform I've seen and is absolutely not a violation of the GDPR since users are giving consent when they sign up.

That's not how it works. Hiding the "consent" in the fine print doesn't count, and at least in Germany, it's clear that you need valid consent and can't weasel out of it by claiming "legitimate interest" etc.

I already had a DPA explain this to one of the companies that decided to give my data to Facebook, and the DPA indicated that they were acting on multiple complaints in that regard.

There's a good chance they'll let you get away with a warning the first time if you haven't gotten in trouble before, but especially if you keep doing it (or if they decide that by now, you certainly should have known), expect quickly escalating fines.

I agree that this is a core feature. However, the GDPR mandates that consent should be opt-in, granular (you can provide consent for your data to be used for one purpose but not another) and you can't refuse service because a user is refusing to consent to non-essential data processing (ads would fall into that).

So yes, technically you can ask the user for consent, but it has to be explicit ("we'd like to share your e-mail/phone number with our advertising partners such as Facebook, accept/decline?") and I can't imagine anyone in their right mind consenting to that.

> You've signed up for a web service and never seen ads on other sites for it ? Very strange.

I sign up for stuff only when I have no other choice for exactly this reason, and often provide fake details. Reminds me of an ex-client where they had an issue with their potential customers not providing the right contact details because they're afraid we're going to spam them. "But do we actually spam them? -Yes."

But you are not sharing your email with fb. The user already shared it with fb. I am only telling fb, if you have this user with this email, show him an ad. I really don't see the problem. Much better a targeted ad than ads about porn, casinos, viagra or poker.

Regardless of whether Facebook has my e-mail, services providing them with a hashed version of it for advertising purposes still allow Facebook to tell "this hash is associated with these services" even if they never had the original un-hashed email. They can combine it with all the other information they have (stolen from people's contacts which may have the unhashed e-mail along with my name and potentially phone number) and create a pretty good profile on me even if I never signed up for a Facebook account and agreed to their ToS/privacy policy.

Things get murky in this area (or perhaps not, the lawyers will figure it out in time).

If Facebook is only using something like a hash of an email address in order to target ads at specific Facebook users at the request of one of their advertisers, they are probably only acting as a data processor for a very specific purpose that might be acceptable for both Facebook themselves and the advertiser under the GDPR rules.

If Facebook does anything else at all with that data, their role probably changes from a GDPR perspective. The hash is personal data, since by definition it's being used to identify a specific person. If Facebook is using the data they have associated with that hash -- for example, anything they know about the business that provided it -- to build up more of a profile on their users, they are probably now a data controller, possibly as well as a data processor in connection with the original targeted ad process. Then you get into questions about whether Facebook's users have given their suitably informed consent to Facebook or there is some other lawful basis for whatever processing is happening.

Obviously if businesses were providing actual email addresses to Facebook or if Facebook were using that data to do things like building shadow profiles on non-Facebook users, that would be another level entirely. And AFAIK, the custom audience tools on marketing platforms like Facebook typically do accept direct uploads of literal email addresses, phone numbers or other identifying details for the audience to be targeted, so maybe the discussion about hashing above is all moot anyway.
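The two comments above argue that a hashed customer list is still personal data: the platform that already holds the plaintext address can rebuild the hash and match it, and a hash that arrives from several advertisers links those advertisers to one person even when the plaintext is never recovered. The script below is an added illustration and is not code from the thread or from any ad platform; it assumes SHA-256 over a lower-cased, whitespace-stripped address (a common scheme, used here as an assumption, not a specific vendor's documented format), and all accounts, harvested contacts and advertiser lists in it are constructed sample data.

```python
"""Why a hashed e-mail list is pseudonymised, not anonymised.

Constructed example (not from the thread): a marketing platform that already
knows some addresses, plus two unrelated advertisers uploading hashed lists.
"""
import hashlib
from collections import defaultdict


def normalize_email(addr: str) -> str:
    # Every uploader must normalise the same way or nothing matches. Lower-case
    # and strip is assumed here; real platforms publish their own rule.
    return addr.strip().lower()


def hash_identifier(addr: str) -> str:
    # Deterministic: same address -> same hex digest, for every uploader.
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def hash_list(addrs):
    return [hash_identifier(a) for a in addrs]


# Constructed: plaintext the platform already holds from its own sign-ups ...
PLATFORM_ACCOUNTS = {
    "alice@example.com": "acct-1001",
    "bob@example.org": "acct-1002",
}
# ... and from address-book uploads by account holders, i.e. addresses of
# people who never created an account themselves.
HARVESTED_CONTACTS = ["carol@example.net", "dave@example.com"]


def match_audience(hashed, known_addrs):
    """Platform side: rebuild hash -> address from plaintext it already holds
    and look each uploaded hash up. None means the platform has never seen
    that address, so the hash alone tells it nothing about who it is."""
    index = {hash_identifier(a): a for a in known_addrs}
    return {h: index.get(h) for h in hashed}


def link_uploaders(uploads):
    """Platform side: the same hash arriving from several advertisers says
    'this person is a customer of all of these', with or without plaintext.
    Returns hash -> sorted list of advertisers for hashes seen more than once."""
    seen = defaultdict(set)
    for advertiser, hashes in uploads.items():
        for h in hashes:
            seen[h].add(advertiser)
    return {h: sorted(s) for h, s in seen.items() if len(s) > 1}


def demo():
    # Constructed advertiser uploads. shop-a's list has inconsistent casing and
    # whitespace that normalisation removes; erin is unknown to the platform.
    uploads = {
        "shop-a": hash_list(["Alice@Example.com ", "carol@example.net",
                             "erin@example.io"]),
        "shop-b": hash_list(["alice@example.com", "carol@example.net"]),
    }
    known = list(PLATFORM_ACCOUNTS) + HARVESTED_CONTACTS
    matched = {adv: match_audience(hs, known) for adv, hs in uploads.items()}
    linked = link_uploaders(uploads)
    return matched, linked


if __name__ == "__main__":
    matched, linked = demo()
    for adv, result in matched.items():
        for h, addr in result.items():
            print(f"{adv}: {h[:12]}... -> {addr}")
    for h, advs in linked.items():
        print(f"shared by {advs}: {h[:12]}...")
```

Two things fall out of running it: carol never had an account, yet her hash resolves because the platform holds her address from someone else's contact upload; and alice and carol are both reported as customers of shop-a and shop-b purely from the hash values, which is the cross-service profile the comments describe. Only erin, whose address the platform has never seen, is left as an opaque string.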

Always enjoy reading your insightful comments Silhouette!

I think Facebook hashes any plain text you give it client side to (try) to buffer their defenses... but I’m not sure. It’s a theater.

I wrote a blog post about this data sharing with Facebook https://blog.gingerlime.com/2020/whos-sharing-my-data-and-wh... that digs a little in this direction.

Thank you, that's nice of you to say, but I claim no special insight here. I just happen to live in the UK where these issues are relevant and to have some professional experience dealing with them.

The German DPAs have a FAQ on this topic, and they're very clear about the fact that hashing isn't anonymization and doesn't change the fact that you're sharing PII. (The FAQ also mentions that you need consent and can't claim "legitimate interest".)

Thanks for that. Would you be able to link/quote the relevant section? I'm personally interested in it, but my German language skills are extremely limited.

https://netzpolitik.org/2019/facebook-custom-audience-illega... would be an article in English about it from a digital rights organization.

https://www.lda.bayern.de/media/pm2017_07.pdf is the official press release of the Bavarian DPA (in German), with their guidelines attached (starting on page 4).

There are two kinds of "custom audiences": one list-based and one based on tracking pixels. I'll only quote the parts relevant to the method where customer lists are uploaded (translated from the German; Google Translate with misleading issues corrected manually):

a. Lawful use - Use is only permitted with the informed consent of the customer. The uploading of the customer list can be based neither on a legal basis in the BDSG nor in the TMG. This legal opinion is based on an interpretation of the applicable German data protection regulations in accordance with European law and takes into account the most recent decisions of the ECJ on data protection. Beyond that, transmitting this list to Facebook will also not be permitted without consent under the law applicable from May 2018, i.e. under the General Data Protection Regulation (GDPR).

b. Withdrawal of consent - If the person concerned withdraws his or her consent, he or she must be removed from the customer list. Since the website operator has no knowledge of which customers are also users on Facebook and are being advertised to, the complete Custom Audience list must be updated immediately.

> I am only telling fb, if you have this user with this email, show him an ad.

You're also telling Facebook "by the way, I have a relationship with someone with this email address". That's personally identifiable information that you're sending to Facebook. Under the GDPR you can only do that if you have the explicit and freely given opt-in permission to do that from each respective person. "By using this site you agree to..." or "by signing up you agree to..." does not qualify as consent under the GDPR.

If the person does not live in Europe and you are not in Europe then the GDPR doesn't apply, of course.

GDPR absolutely applies whether the vendor is in Europe or not.

I think you mis-read the sentence, which describes neither party as being in Europe.

That presumes that the email address is already associated with a FB account.

But you are sharing the data with Facebook.

If I'm not on Facebook (which I'm not) you are telling them that there most likely exists a user with this email address and an interest in your service. If many companies do this FB might even be able to build a profile of me without me doing anything.

This is (or at least should be) no bueno under GDPR / data minimization.

> You've signed up for a web service and never seen ads on other sites for it? Very strange.

Is it? I've never seen such ads. Or any ads for that matter, since every device and browser has adblock these days.

No way. If I sign up to, say, a mailing list, or make an account using my email address, I am NOT giving my consent for that site to use my email for targeted marketing (other than the specific mailing list I signed up for).

> This is a core feature of every ad platform I've seen and is absolutely not a violation of the GDPR.

I agree with you on this part. It is not a violation of GDPR on the ad platform side, since you, as the data controller, are responsible for obtaining permission from the end-user. The ad platform is a data processor as defined under GDPR. I am sure that the agreement between you and the ad platform states that you have permission to use the email addresses for targeted advertising purposes and bear the full legal responsibility if not.

> since users are giving consent when they signup.

See Nextgrid's comment. Yes, the GDPR admittedly is lacking on the enforcement side and yes, I agree that this is a common practice, but that does not make it legal. Not for a data subject residing in the EU.

> This is a core feature of every ad platform I've seen and is absolutely not a violation of the GDPR since users are giving consent when they sign up.

I think we'll see regulators take a different view when they get around to challenging this practice, and the businesses who get made into examples might find it an expensive lesson. Handing over personal details to big data hoarders for remarketing purposes is the epitome of behaviour the GDPR was intended to curtail. You can't just mutter the word "consent" and claim some small print on a Ts & Cs page no-one reads protects you, and regulators have shown very little sympathy so far for data controllers who have tried to weasel their way out of GDPR obligations with this kind of strategy.

Those regulators are still under-resourced and it will presumably take some time for them to get around to dealing with this issue. Right now they're still going after serious leaks and the like. But they're already handing out 9-figure fines to big name businesses for those breaches, and by default those fines go back into central government coffers. Given the current economic climate, how long do you think it will be before their governments realise that this is potentially a very lucrative revenue stream that the public is unlikely to mind, and so start pushing the funding for those regulators up? The ICO (the UK's regulator) has already significantly increased its budget and headcount since the GDPR came into effect, and is reportedly looking at ways to ringfence some of the fines to cover the litigation costs when it inevitably has to defend the big penalties it will hand down from time to time.

When the Cambridge Analytica scandal happened here in the UK, the ICO fined Facebook £500,000. That was the largest fine they could legally impose at the time. As they observed themselves, in what might charitably be considered a thinly veiled threat, under the GDPR that could have been well over £1B instead. Even an organisation the size of Facebook is going to feel that, particularly since there is nothing that says it can't be repeatedly fined on that scale if it misbehaves in multiple different ways.

A couple of potentially important issues have, as far as I know, not yet been resolved in this area.

Firstly, what happens if processing in violation of the GDPR is widespread, the businesses you give your address to are the data controllers, but you still have the likes of Facebook hoovering up huge amounts of personal data inappropriately but possibly only in a capacity of data processor? No doubt there will be some interesting legal arguments about where liability is going to be placed if Facebook was actively soliciting that sort of activity as part of its business model.

Secondly, what happens after the UK has fully separated from the EU at the end of this year, if as the government has stated we retain the GDPR in our national law? Until Brexit was relevant, the GDPR was an EU-wide measure, and typically one member state's regulator would take the lead role in any given case. Anyone breaking the GDPR's rules could be duly investigated and penalised, but only once, not in the same way by every regulator in every member state where there was offending behaviour. If the UK is no longer to be a part of that scheme, will regulators still co-ordinate in this way, or will the businesses sharing data with Facebook face a kind of double jeopardy where both the UK and a lead regulator from an EU member state can potentially fine them for the same behaviour, effectively doubling the maximum penalty they could receive?

If both of those issues were resolved in ways unfavourable to the marketing platforms like Facebook, they could be looking at huge fines for promoting this sort of scheme on the scale that they do, potentially enough to make whole strategies based on selective targeting unviable.