Facebook’s Custom Audience - is Facebook a Processor



This article analyzes the relationship between Facebook and a targeter, that is, a third party that targets its customers through Facebook’s Custom Audience feature.

The European Data Protection Board (EDPB) has published its Guidelines 8/2020 on the targeting of social media users (Guidelines 8/2020) and Guidelines on the concept of controller and processor in the GDPR (Guidelines 7/2020), both not final versions yet, as they were open for public consultation until October 19, 2020. Even though these are subject to change, this article relies on them for the analysis.

How Facebook’s Custom Audience feature functions

Facebook is one of the social media platforms that target their users with advertisements. These advertisements are usually displayed in the “News Feed” or Facebook’s Messenger and they usually promote third-party (targeter’s) products and services.

Facebook’s Custom Audience feature enables targeters to create an audience using individuals’ data such as email addresses and phone numbers. Personal data of individuals is hashed before it is uploaded and passed to Facebook, so that these individuals can form an audience to be served with advertisements of the targeter’s choice. These individuals, who usually have a direct relationship with targeters (e.g. current or prospective customers), must also be Facebook users in order to see the advertisements.

When a Facebook user clicks on the more options setting of an ad, they can choose to hide the ad (which should show less of such content), report the ad, find more information on why they are seeing that ad, and a couple of other options which are not relevant for the purpose of this article. If the user clicks on “Why am I seeing this ad?”, they can find out whether the targeter is trying to reach an audience with certain characteristics (specific location, age, language and similar) and whether that user’s information has been uploaded by the targeter in order to show them its advertisement on Facebook, and they can choose to opt out of such advertisements by selecting “Hide all ads from this advertiser”.

Targeter’s roles in Custom Audience feature relationship

Article 4 of The Regulation (EU) 2016/679 (GDPR) defines controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” and processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

It goes without saying that a targeter is a controller: it collects personal data of individuals for its own purposes, decides to share it with Facebook (hashed data is still personal data, as Facebook uses it to match with hashes of the social media platform users), determines the type of advertisements to be displayed to individuals, decides when to remove individuals from audience lists, and so on.

Facebook’s role in Custom Audience feature relationship

Customer List Custom Audiences Terms (Customer Audience Terms) provisions stipulate that a targeter is a controller and Facebook a processor, both defined by Facebook. Facebook defines a controller as “the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of Personal Information.” and processor as “a natural or legal person, public authority, agency or other body which processes Personal Information on behalf of the Controller”. You can notice that the definition of the controller omits “alone or jointly with others” which is contained in the GDPR – omitting any potential reference to a joint controllership concept. Coincidence?

Customer Audience Terms contain the following provision “You represent and warrant, without limiting anything in these terms, that you have all necessary rights and permissions and a lawful basis to disclose and use the Hashed Data in compliance with all applicable laws, regulations, and industry guidelines. If you are using a Facebook identifier to create an Audience, you must have obtained the identifier directly from the data subject in compliance with these terms.”

Facebook as a processor imposes obligations on a controller to possess appropriate legal basis for processing of personal data and to comply with all applicable laws, regulations and industry guidelines. Usually, a processor should not be concerned about the legal basis of a controller.

In addition, Facebook imposes more obligations on targeters: “You acknowledge that Facebook offers tools to provide transparency to people about how Facebook advertising works, to explain why people are shown specific ads, and to allow people to control their ads experience. You also acknowledge that Facebook does not disclose to you which individual users comprise your Audience created based on your Hashed Data”.

This means that Facebook users may choose to opt out of seeing a targeter’s advertisement; however, the targeter is not notified of such an objection. The objection remains within Facebook’s domain. Furthermore, Facebook does not notify the targeter whether the individuals whose data is uploaded as part of the Customer Audience list are Facebook users or not; this means the targeter is not aware whether the advertisement is served to the user or not. A controller is deprived of the means to comply with the accountability principle under the GDPR, as it is not aware whether individuals have exercised their right to object, and whether they were actually served with the advertisements.

In addition, Facebook has a direct relationship with its users. It determines the purpose and means of processing of their personal data in the context of membership of the social media platform. A targeter cannot instruct Facebook to delete users’ profiles, stop displaying other third-party advertisements to them, and so on. Therefore, Facebook is a controller in its own right when processing personal data in the context of the platform membership.

Facebook determines the minimum personal data required to be able to match hashed data provided by targeters with users’ profiles. Facebook does not disclose to targeters whether the members of the audience are actually its users, and it controls the opt-out mechanism through its platform.

Article 21 of the GDPR requires the following: “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.” If a user opts out of advertisements through Facebook, targeters can still keep sharing the user’s personal data with Facebook without realizing that the user has opted out, therefore making such processing unlawful. If Facebook does its job properly, a user will not see the advertisement, but their personal data will still be processed, as the user will be part of the audience. This would mean that the user’s objection to such processing would not be honoured completely, unless the user requests the same from the targeter.

A targeter will never know for sure if an individual has been targeted on Facebook. If the targeter is investigated for its marketing practices, it will not be able to demonstrate which individuals have actually been served with advertisements on Facebook. The targeter will only know the number of individuals who formed an audience.

To allow individuals to exercise their right to opt out, as well as to comply with the GDPR, both the targeter and Facebook must maintain separate opt-out lists. There would be a caveat that the targeter’s list supersedes Facebook’s one, because if an individual is on the targeter’s list, his/her data would not be shared with Facebook.
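The following sketch is an added example, not code from Facebook or from the author. It illustrates why hashed identifiers still allow matching and how the two separate opt-out lists interact. It assumes unsalted SHA-256 over a trimmed, lower-cased email address; all function names and sample addresses are constructed for illustration.

```python
import hashlib

def normalize_email(email: str) -> str:
    # Trim and lowercase so the same address always produces the same hash.
    return email.strip().lower()

def hash_identifier(value: str) -> str:
    # Assumption: unsalted SHA-256. It is deterministic, so any party that
    # already holds the same address can recompute and match the hash.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def build_upload(customers, targeter_opt_outs):
    """Targeter side: hash the list, skipping its own opt-out list."""
    suppressed = {normalize_email(e) for e in targeter_opt_outs}
    upload = []
    for email in customers:
        norm = normalize_email(email)
        if norm in suppressed:
            continue  # objection known to the targeter: data is never shared
        upload.append(hash_identifier(norm))
    return upload

def platform_match(uploaded_hashes, platform_users, platform_opt_outs):
    """Platform side: match hashes to its users, then apply its own opt-outs."""
    index = {hash_identifier(normalize_email(u)): u for u in platform_users}
    matched = [index[h] for h in uploaded_hashes if h in index]
    blocked = {normalize_email(e) for e in platform_opt_outs}
    served = [u for u in matched if normalize_email(u) not in blocked]
    return matched, served

# Constructed sample data (not real addresses).
CUSTOMERS = ["Alice@Example.com ", "bob@example.com",
             "carol@example.com", "dave@example.com"]
TARGETER_OPT_OUTS = ["bob@example.com"]      # objected to the targeter
PLATFORM_USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
PLATFORM_OPT_OUTS = ["carol@example.com"]    # hid the advertiser on the platform

if __name__ == "__main__":
    upload = build_upload(CUSTOMERS, TARGETER_OPT_OUTS)
    matched, served = platform_match(upload, PLATFORM_USERS, PLATFORM_OPT_OUTS)
    # The targeter only learns an audience size, not who matched or was served.
    print("uploaded:", len(upload), "matched:", matched, "served:", served)
```

In this run carol, who opted out only on the platform, is still uploaded and matched but not served, and dave, who is not a platform user, is uploaded without the targeter learning that he never matched.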

Are targeter and Facebook joint-controllers?

The EDPB view in its Guidelines 7/2020 is that joint participation in the determination of purposes and means implies that more than one entity has a decisive influence over whether and how the processing takes place.

Furthermore, joint controllership exists when entities involved in the same processing operation process such data for jointly defined purposes. This will be the case if the entities involved process the data for the same or common purposes and means. In this case both targeter and Facebook determine that individuals’ personal data will be processed for the purpose of showing advertisements.

The Guidelines 7/2020 mention: “Different joint controllers may therefore define the means of the processing to a different extent, depending on who is effectively in a position to do so”. In the present case, the targeter determines whose personal data will be processed for advertising purposes on Facebook’s platform, i.e. determines purpose and means. Facebook prescribes what data must be contained at a minimum, how the matching process works, and which individuals will see the advertisement in the end, i.e. only those who are Facebook members. Facebook determines purpose and means as well.

It appears that both entities determine purpose and means of processing, and in this case jointly. Individuals’ data previously collected by a targeter and Facebook for purposes other than marketing, e.g. targeter-client relationship and to become a Facebook member, is now processed for the purpose of displaying advertisements to those individuals as decided by both entities.

This view is adopted by the EDPB in its Guidelines 8/2020. The EDPB has stated: “… the social media provider and the targeter jointly determine the purposes and means, in this case, uploading unique identifiers related to the intended audience, matching, selection of targeting criteria and subsequent display of the advertisement, as well as any reporting relating to the targeting campaign”. This view is based on the fact that a targeter collects and transfers personal data of individuals to the social media provider for advertising purposes. The social media provider makes a decision to use personal data of its members (who are customers of the targeter as well) to enable the targeter to display advertisements to the members.


This is the author’s interpretation of Facebook's Custom Audience feature in the light of the recent EDPB’s guidelines, both draft versions. It is not intended to be legal advice and considering the EDPB’s direction on the matter, this is something to bear in mind. Once the Guidelines are final, assuming the position of EDPB remains the same, changes in the area of Facebook Custom Audience and similar features of other social media providers might occur.

If Facebook assumes the role of a controller for the processing of personal data in the context of Custom Audience, it will have to honour individuals’ opt-out requests and stop displaying targeted advertisements to them. At least this should be the case where countries have enacted GDPR-style laws and laws similar to the Member States’ electronic marketing laws, such as the UK Privacy and Electronic Communications Regulations. Facebook will have to switch to a model where advertisements would not be directed to an individual if the individual opts out, e.g. a non-contextual advertising model. Non-contextual advertisements, displayed to all social media users without involving processing of their personal data, would be unlikely to be considered direct marketing.

Written by
Stevan Stanojevic

Ideas expressed in this article are personal views of the author and do not constitute legal advice.