What is a "custom audience"?

Custom audience products involve you providing personal data of your customers to a third party, usually a social media platform (an "SMP"), which, via a matching process, determines which of your customers are also users of the SMP. This enables the SMP to serve your ads directly to those users. Data can be provided directly (e.g. by uploading lists of email addresses) or by the SMP embedding a pixel on your website to collect data about your users.

A similar tool, "lookalike audiences", involves the SMP using the outcome of the initial matching process to generate a target list of users who are not your customers, but who share similar interests and characteristics with your customers.

Top tips when utilising custom audiences:

Be aware of the legal frameworks that apply

Even where the customer data you provide to the SMP is "hashed", the GDPR almost certainly still applies. Although the hashed data is "pseudonymised", it is not anonymised: it could still be identifiable when unlocked or combined with other data. Similarly, where you are using cookie- or pixel-driven custom audience tools, the e-Privacy consent requirements will also apply.
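To make the matching process and the pseudonymisation point concrete, the following is an added illustration, not code from the original article or from any SMP. It assumes a simplified "offline" list upload: the advertiser minimises each record to the email address, removes marketing opt-outs, normalises and hashes with SHA-256; the platform then recomputes the same hash over its own users' emails and intersects the two sets. Normalisation rules, field names and all sample records are constructed assumptions for the example. Because the hash is deterministic and involves no secret, any party that already holds a candidate email can recompute it and re-identify the person, which is why the hashed list remains personal data.

```python
import hashlib
import unicodedata


def normalise_email(email: str) -> str:
    """Canonicalise an address so both parties hash identical bytes.
    Assumption: trim, Unicode NFKC, lower-case (real SMP rules vary)."""
    return unicodedata.normalize("NFKC", email.strip()).lower()


def hash_identifier(email: str) -> str:
    """Unsalted, unkeyed SHA-256 of the normalised address (hex)."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


def build_upload(customers: list[dict], marketing_opt_outs: list[str]) -> list[str]:
    """Advertiser side. Data minimisation: only the email field leaves the
    organisation (name, phone, order history are dropped), and customers who
    have opted out of marketing are excluded before hashing."""
    excluded = {normalise_email(e) for e in marketing_opt_outs}
    return [
        hash_identifier(c["email"])
        for c in customers
        if normalise_email(c["email"]) not in excluded
    ]


def match_audience(uploaded_hashes: list[str], platform_users: list[dict]) -> list[str]:
    """Platform side. The SMP already knows its users' plaintext emails, so it
    recomputes the hash for each and intersects with the uploaded list."""
    index = {hash_identifier(u["email"]): u["user_id"] for u in platform_users}
    return sorted(index[h] for h in set(uploaded_hashes) if h in index)


def reidentifies(uploaded_hash: str, candidate_email: str) -> bool:
    """Anyone holding a candidate address can test it against a hash, which is
    what makes the hashed list pseudonymous rather than anonymous."""
    return hash_identifier(candidate_email) == uploaded_hash


# Constructed sample data (not real people).
CUSTOMERS = [
    {"name": "Alice A", "email": "alice@example.com", "phone": "555-0100", "orders": 3},
    {"name": "Bob B", "email": "  Bob@Example.COM ", "phone": "555-0101", "orders": 1},
    {"name": "Carol C", "email": "carol@example.com", "phone": "555-0102", "orders": 7},
]
OPT_OUTS = ["carol@example.com"]
PLATFORM_USERS = [
    {"user_id": "u1", "email": "alice@example.com"},
    {"user_id": "u2", "email": "bob@example.com"},
    {"user_id": "u4", "email": "dave@example.com"},
]

if __name__ == "__main__":
    upload = build_upload(CUSTOMERS, OPT_OUTS)
    print("uploaded hashes:", upload)
    print("matched platform users:", match_audience(upload, PLATFORM_USERS))
    print("alice re-identifiable from her hash:", reidentifies(upload[0], "alice@example.com"))
```

Two things are worth noticing when running it: the opted-out customer never reaches the upload at all, which is simpler to defend than trying to remove her from a list already sent to the platform; and the match succeeds for "Bob" despite the messy capitalisation and whitespace only because both sides apply the same normalisation, so the agreed normalisation rules are part of what the joint controller agreement has to pin down.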

Clarify your role

Identify each party's role as a controller, processor, or joint controller. These roles may vary, depending on: the particular data set; the service offered by the SMP; whether you are providing "offline" customer lists or utilising cookie/pixel-driven custom audiences; and the exact purposes for which the data is used at each phase of the process/service. However, the prevailing view of regulators is that the targeting company and the SMP will, in most cases, be joint controllers for this type of processing.

Allocate compliance responsibilities

As joint controllers, the parties are obliged to allocate compliance responsibilities between them. In practice, you will likely be responsible for providing notice to your customers and having a lawful basis for sharing the data with the SMP. In addition, you will need to consider other obligations, for example, a need to minimise the data fields shared (or made available) to those strictly necessary for the third party to uniquely identify your customer (e.g. email address only).

Assess consent vs. legitimate interests

Consider what lawful basis you are relying on – consent or legitimate interests. However, bear in mind that if you (or the SMP) are utilising cookies, or similar technologies, to create custom audiences then consent is strictly required under the e-Privacy rules.

For "offline" audience creation (e.g. where email addresses are provided), it may be possible to rely on legitimate interests, although be aware that some regulators have expressed scepticism on this approach. In any event, a full legitimate interests assessment will need to be conducted to demonstrate the balancing exercise that has taken place and the detailed thinking behind it. Consider what practical factors may mitigate risks and assist in demonstrating your responsible assessment (e.g. respecting users' marketing opt-outs and providing clear notice of your intentions).

Consider how best to provide a right for a user to opt out of their data being used for custom audiences. When and how will this option be presented to the user? What will the effect of their selection be? For example, if an individual unsubscribes from marketing emails, or opts out of marketing generally (e.g. via account settings), can you exclude them from customer lists previously provided to the SMP?

Don't forget your cookie and privacy notices

When using cookie/pixel-created custom audiences, you will likely also need to review and update your cookie policy. Your policy should specifically reference the use of custom audiences and the placement of cookies or similar technologies for this purpose. Consider whether you will need to update your cookie consent/banner language or consent management platform to account for this type of third-party cookie placement. You will also need to refer in your privacy policy to your use of personal data for custom audience purposes and to the fact that data will be shared with certain third parties for this purpose.

Put in place an agreement

Assuming that you are joint controllers with the SMP, in order to comply with Article 26 of the GDPR, you will need to enter into a joint controller agreement to clearly set out each party's respective responsibilities for GDPR compliance. In practice, in most cases it will be the SMP that imposes its standard terms on you, but you should check that these cover the custom audience purposes.

Originally published 24.11.2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.