Wondering if you are GDPR compliant when booking your Facebook ads?

  • February 24, 2020

We have added some key points for our clients to consider when running Branded Content. You might achieve great performance using Custom Audiences or Look-a-Like targeting, but make sure you don't break the rules.


When you are booking Branded Content campaigns with Prettysocial Media, it is always you, as the advertiser, who carries the responsibility for having correct and up-to-date user consent for targeting your audiences, and not the publisher or Prettysocial Media.

  1. If you have user consent for marketing on Facebook AND consent for sharing their data with a third party (a publisher), we can offer to target your custom audience through the publisher's Facebook page.
  2. You can also create an audience based on users' engagement around your Facebook fan page or audience behavior on a previous/existing campaign. No consent (other than FB's) is needed for this.
  3. We recommend option 2 if you have any doubt about the legality of your data.
  4. Look-a-like audiences can be made based on both option 1 and 2. The same rules for consent apply. You can share the look-a-like audience with ad accounts using the ‘Share audience’ settings in the Facebook Ad Manager.
  5. Facebook Ad Policies apply: www.facebook.com/policies/ads
  6. You will need to share the audience with the ad accounts during the campaign period. After that, the sharing should stop, and the audience will not be stored by the publisher.
  7. You will need to keep the custom audience updated when using option 1.
  8. It is always you as the advertiser who chooses whether you will share your Facebook Audience and with whom you share it. The publishers can, on an individual basis, choose not to use the audience as part of the campaign.

These guidelines apply to all platforms, including Facebook, Instagram, Audience Network and Messenger, and to all ad formats such as video ads, link ads, carousel etc.

Sample ads: Branded Content format showing the PUBLISHER with the ADVERTISER.


GDPR and Facebook custom audiences

Client lists

Uploading an email list or contact information into a Facebook custom audience makes you a data controller. GDPR stipulates that as a data controller, you must ensure that your subscribers give their consent before you can market to them.

If you have email lists, email addresses from business cards, purchased or scraped email lists, or pixel information shared by other parties without users' consent, you need to delete that information from your Facebook ad account. Under the GDPR, you cannot market to those users. You are only allowed to market to users who have given you their consent.

Facebook engagement

GDPR does not affect Facebook audiences generated from users' engagement on Facebook.

This means you can create an audience of the users who have engaged with your page and ads and share it with other advertisers through the Facebook ad manager. This way you are not sharing the personal information of each visitor but bulk information where no one can be singled out. All that you, and the advertisers you share this audience with, can see is the total number of people in the audience, with no personal information.

GDPR and Facebook Lookalike Audiences

GDPR places no restrictions on Facebook lookalike audiences. It does not affect them if the audience they are based on has the correct consent.

The reason is that a lookalike audience uses one of your custom audiences as a “seed” audience to search for new people to add to the lookalike audience. You don't need their permission to show your ads to them. However, to be more careful about GDPR and Facebook lookalike audiences, you should update your privacy policy.

Why are you seeing this ad?

Any user can always see the targeting that has been applied by clicking the three-dot menu in the right-hand corner of the ad.