Is Facebook’s Ad Platform Incompatible with EU Law?

Facebook has announced the launch of a new online advertising platform that looks set to take consumer tracking to a whole new level, and is likely to open up a new front in the battle for online privacy. It may also be in breach of EU marketing and privacy rules.

The company has of course long had the ability to track its account holders across the web, though ‘Like’ buttons and similar widgets plugged into millions of websites.  It has for a long time combined that information with all the data its users generate inside Facebook to deliver targeted adverts to people within the confines of its own site.

However its new platform Atlas, purchased from Microsoft then re-engineered, gives it a whole new reach, and could enable it to threaten Google’s pre-eminent position in online advertising. The key advantage for Facebook is of course that it knows exactly who you are at all times, including an unprecedented ability to track across devices. 

It is also making great claims to reducing reliance on cookies, deliberately circumventing user attempts at better privacy control through cookie blocking and deleting controls in their browsers. Plus, the only method users have of expressing a preference for privacy, the Do Not Track browser function, is ignored by Facebook as it is most other advertising businesses.

The online ad industry has long maintained that advertisers don’t really know who you are.  They build up behavioural histories that enable them to deliver targeted ads, but this is all done through ‘anonymous’ but unique identifiers, mostly stored in cookies.

The true level of anonymity provided by these identifiers has long been disputed, but it enables advertisers to say they don’t hold personally identifiable information (PII) like names and email addresses. 

Facebook of course does hold that information, and its ‘real names’ policy means it has even verified the accuracy of this in most cases. The terms of Atlas’ privacy policy also makes it very clear that this information will be available for use.

“We and our affiliates use shared information to help provide, understand, and improve our services and their own services.”

Affiliates explicitly includes Facebook as the parent company. All of which gives Facebook the ability to track you personally, on whatever device you use, and target an advert directly at you.  More than this however it gives them unprecedented ability to measure the impact of that ad – even if you don’t make an immediate purchase. Again this is due to both their reach and ability to identify users.

I wouldn’t be surprised to see Facebook start sending emails directly related to ads it has shown to users.

Which brings me round to the first key issue of compliance, which is that I think this new platform turns Facebook into a direct marketing company.  Why this is important is that there are standards and rules for direct marketing that online advertising has not been held to until now – due to that anonymity get out.

Under the UK’s Data Protection Act direct marketing is defined as:

“the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”

Given Facebook’s ability to identify named people, it seems clear their ads will be direct marketing – they will know exactly who has received each advert.

The UK regulator the ICO issued new guidance on direct marketing in October 2013.  In this it explains that engaging in direct marketing requires both consumer consent, and the ability to opt-out.

Facebook might argue that such consent is given by agreeing to its terms and conditions, however the ICO says that generic acceptance of terms is not sufficient, it needs to be specific consent to the marketing activity. This is why there are tick boxes on websites to sign up to email newsletters.  Although consent does not have to be opt-in, this is also strongly encouraged.  In fact a recent case involving retailer John Lewis strengthened the argument for active opt-in to marketing.

Users must also have a mechanism to opt-out at any time, and if they do so to send them any more direct marketing messages will be a breach of the Privacy and Electronic Communications Regulations (PECR).

Atlas says it abides by the ad industry self-regulation programme for behavioural advertising, which does provide an opt-out mechanism for receiving ads.  However, this mechanism relies on the presence of an opt-out cookie, saved in the browser.  Change your device or your browser, or clear your browser cookies, and that opt-out is lost, and you start getting ads again.

However the rules for direct marketing don’t really allow advertisers to rely on such temporary storage of an opt-out..  Once you opt-out, you stay opted-out until you explicitly opt back in again.  This is why in the email world there is a need to maintain suppression lists. There is no equivalent of the suppression list in online advertising.

However this is just part of the reason this new advertising platform is a whole new level of privacy intrusion.  It seems likely that you won’t be able to stop the tracking that leads to the adverts, except by deleting your Facebook account, and all the data in it.   You might be able to stop the adverts by opting out on every single device you use, but to do so means you have to accept total loss of control over tracking through your browser, because it removes your ability to increase privacy by changing your cookie settings – as this will likely result in the deletion of your opt-out cookie. 

The additional complication of this is that control of cookies through browser settings, is a key element of the EU cookie laws. These allow websites to assume (and encourage) to some extent, that if users change browser settings to control cookies, they have less responsibility to provide direct opt-outs.

If by deleting cookies users are force to opt-in to a form of direct marketing, this presents them with an unfair and unacceptable catch-22.  With current browsers, this renders such controls useless to consumers and websites owners will be forced to introduce direct cookie control mechanisms, which is something the majority have resisted so far, particularly in the UK.

If Facebook brings its Atlas platform to the UK or any other EU country, expect Data Protection Authorities to look very closely at the legality of the service, and the wider implications for cookie laws.  It may create all sorts of new headaches for everybody.