Creating a fan page on Facebook is a quick and easy way to start social engagement with your customers. It could also be a quick way to find yourself in court if a recent German ruling goes unchallenged. Instead of being a third-party user of anonymised targeting and tracking services provided by the social network, you could be held accountable as a first-party data controller. The case has the possibility to disrupt a critical aspect of the digital marketing eco-system.
It all started when the Schleswig-Holstein data protection authority (DPA) investigated a Facebook fan page run by an education and training services provider. It tracked visitors via anonymised cookie data using Facebook Insights and set rules for ad targeting to those visitors. No personal information is shared with the company by Facebook during this process.
But on close examination, the DPA decided that the company should have warned visitors that this was happening and ordered the firm to shut its page. The company appealled on the basis that it is not a data controller so not subject to DPA orders. Germany’s courts agreed, but asked the Court of Justice of the European Union for a preliminary ruling on whether the DPA could make such an order.
Which is where things get interesting because Advocate General Bot (that’s a human, not an AI bot, by the way) reached a conclusion that could have spectacular consequences. In his view, this was a pluralistic, multi-controller situation that meant not only were the German company and Facebook Ireland (which booked the deal) lliable, but also parent company Facebook Inc.
All are deemed to be data controllers for a number of reasons: Facebook Inc because it created the economic model which is based on compiling personal data for targeting and analysis, and also because it transfers data to the US from the EU for processing; Facebook Ireland because it has been designated as the responsible data processor in the EU; and the company with the fan page because it signed up for services knowing that personal data would be used to deliver them, but didn’t tell visitors about this.
You can see the risk to digital marketing if this preliminary opinion gets upheld by the CJEU - and potentially sets a precedent for enforcement under GDPR when the one-stop-shop principle means cases can be brought in any EU jurisdication. An important aspect of AG Bot’s ruling is that you can’t set aside being a data controller even if you have a contract saying you are not one when you are a beneficiary of personal data being used.
There is a long way to go in the legal process before this case becomes a genuine precedent. But the line of thinking it reveals is worrying because it lays open to pursuit any digital marketing service that relies on personal data which is then anonymised as far as users of that service are concerned. One simple step might help if you are a user of this kind of service - putting in place a privacy notice explaining to visitors what is going on. That could help, but it is clear European regulators are serious about making digital marketing fair and transparent to consumers.