Most businesses these days have a Facebook business page where they post content, advertise their products, and engage with their audience. And it’s no surprise as it’s an amazing marketing platform and a great way of reaching new customers worldwide.
Having a Facebook page however is not that different from having a website and thus, some of the same legal requirements apply.
However, in order to get that data, companies often place cookies on their website to track user activity or have a contact form where customers input their email addresses in exchange for a free eBook, newsletter, or some other incentive.
But personal information does not only refer to email addresses. It could also include information such as names, addresses, phone numbers, ID card numbers, social security numbers, or web data (such as IP addresses). In other words, any kind of information that could be used to identify a person.
The strictest privacy law in the world would probably be the General Data Protection Regulation (GDPR) which came into effect in May 2018. Its goal is to give users more control over their personal information, streamline privacy laws through the European Union, and punish companies that don’t comply with the requirements.
Articles 12 to 14 of the GDPR suggest that any business that operates in Europe or that processes the data of European users must have a concise, transparent, intelligible, and easily accessible privacy notice in place and must request express consent from its users before collecting any personal information (if collecting their information on that basis).
Indeed, the fines that can be imposed under the GDPR are costly: for serious violations, the higher of €20 million or 4% of the organization’s global revenue, and for smaller offenses, a minimum fine of 2% of the company’s global turnover or €10 million (whichever is higher).
Here is how this requirement is set out in Facebook’s Pages, Groups, and Events Policies:
You will note from the above that there is an addendum specifically aimed at businesses that have customers located in the European Economic Area (EEA) which includes the following countries:
This addendum sets out the respective obligations and responsibilities of both Facebook and the Page Admin. Anyone managing a Facebook Page from any of these countries or that processes data from people located in these countries is subject to this addendum, which forms an integral part of the Pages, Groups, and Events Policy.
That’s because Page Insights, which provides Page Admins with general information about the people that visit or like their page, is generated from cookies placed by Facebook.
Here is an extract of Facebook’s Cookies Policy:
While you, as Page Admin, do not have access to the detailed data gathered by Facebook, you do benefit from aggregated Page Insights, which could potentially allow you to identify an individual based on their actions and their “likes” (depending on what they have made public on their profile), especially if you have a small audience.
Through Page Insights, the page owner can notably see the demographics (gender and age), location (countries and cities), and languages used by their fan base.
For that reason, the people that like your Page need to know how their data is collected and used.
Is Facebook Responsible for Maintaining Personal Data?
In June 2018, soon after the GDPR entered into force, the Court of Justice of the European Union (CJEU) issued a long-awaited decision in the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH case, which provided some clarity in regards to the responsibilities of data processors when it comes to respecting individual privacy rights.
Facebook’s Page Insights Controller Addendum (mentioned in the previous section) was drafted in response to this decision and a statement made by the German Data Protection Authorities (German DPAs) on September 5, 2018, that declared that operating a fan page as offered by Facebook at that time was illegal.
The court, in the decision mentioned above, stated that Facebook Pages Admins and Facebook are considered joint controllers under article 26 of the GDPR and are both responsible for ensuring that the collection and processing of data from page visitors comply with the GDPR. The two parties must decide between themselves how they will share that responsibility and be transparent with their users.
Here is how this shared responsibility is mentioned in Facebook’s Page Insights Controller Addendum:
Facebook does assume most of the responsibility when it comes to Page Insights and compliance with the GDPR:
But you, as a Page Admin, also have a role to play:
This means that to comply with the GDPR, you will need to identify in the About section of your Page the data controller (your company) and provide its contact details along with those of your Data Protection Officer, if applicable.
You should also state on which legal basis you are processing Insights Data.
There are only 6 lawful reasons for processing data under article 6 of the GDPR:
- The data subject has consented to the processing of their personal data for a specific purpose
- It is contractually necessary
- It is necessary in order to comply with a legal obligation
- It is necessary to protect the vital interests of the data subject or another person
- It is necessary for the performance of a task carried out in the public interest or under official authority
- It is necessary for the purposes of legitimate interests pursued by the data controller or by a third party
When it comes to tracking the actions that your users perform on your Page using cookies, the legal basis upon which you collect data could potentially be consent (which is the subject of debate, as there is currently no option to add an opt-in on a Facebook page) or legitimate interests (which you would have to elaborate on).
- Business name and contact details
- Contact details of your data protection officer (if applicable)
- Type of information that will be collected from website users
- Legal basis for processing data (as mentioned above)
- If you are using cookies – how to opt-out and what effect this might have on the user’s experience
- How the information will be collected and by whom
- How the information will be used and if it will be shared with third parties
- How you are protecting the information collected from misuse or unauthorized access, how long it will be stored, and if the data will be transferred internationally
- The rights of your users in regards to their data
What Are the Rights of Those Who Liked Your Page?
The people that like your Facebook Page have the right to control their personal information and, under the GDPR, can ask Facebook to provide access to their data, rectify it, port it, or delete it, and can object to or restrict the processing of their data.
Facebook has taken on the major responsibility of making this data available upon request; your users should simply follow the links above to request access to their personal information.
Should you, as Page Admin, receive a data request from an individual or a supervisory authority in regards to the processing of Insights data, you must forward it to Facebook and cooperate with them in order to fulfill your obligations as joint controllers under article 26(3) of the GDPR, as the data subject can exercise their rights against the controller of their choice, regardless of the arrangement made between the two parties.
Note that you do need to have processes in place to manage the data that you collect other than through Page Insights, as this addendum and joint responsibility exclusively refer to the latter.
1. Log in to your Facebook Business Account and navigate to your Business Page.
2. Click on “Edit Page Info” in the left-hand side menu and you will be taken to a new screen.