March 2018 was an important month for data security, with General Data Protection Regulation (GDPR) rules introduced in the European Union and Facebook admitting that 87 million profiles may have been affected by the Cambridge Analytica scandal. We’ve broken down the primary impact for our clients and will be working with you over the coming months to make sure we stay ahead of any targeting shifts.
Facebook Data Issue
Cambridge Analytica breached Facebook’s terms and conditions by accessing data collected through a personality quiz by research company GSR. This information included: names, locations, birthdays, genders and Facebook likes of users and their friends. Cambridge Analytica built a database of user profiles and then utilized this data through the Facebook custom audience feature to micro-target messaging for a variety of political campaigns.
- Not a hack – This “data issue” was created by GSR exploiting the Facebook app data collection permissions. Facebook has closed this loophole and limited data collection for all apps. It wasn’t an actual “data breach.” Facebook data wasn’t hacked necessarily; instead, loopholes in some of their data collection terms and conditions were exploited by app developers.
- Your customer data was always secure – Our clients’ data and their customers’ data are and always have been securely handled by VJ. All customer lists are hashed locally on your browser and then sent to Facebook. Facebook then matches the hashed data to their users’ hashed IDs. Hashing converts the data (email, names, phone numbers, zips) into digital fingerprints that can’t be reversed. This type of data was not impacted by any of the Cambridge Analytica issues.
- Targeting impact – A major shift in targeting capabilities has been the announcement that they will sunset their relationships with third-party data providers and partner categories by September 30, 2018. This will limit our ability to target Facebook users by their recent credit card purchase behaviors. We have been proactively building engagement audiences to capture users in these purchase behavior groups who interact with our campaigns in remarketing audiences that can be utilized beyond September 30.
- Increased security – Facebook has closed a lot of the permissions loopholes with groups, apps and pages, and temporarily disabled the search by unique ID feature to implement security updates. None of these security enhancements impact the work we do on your behalf; any increase in security like this actually benefits us as advocates for data integrity.
Enactment: May 25, 2018
This GDPR data protection act is primarily to increase privacy protection for consumers in the EU when data is collected. It focuses on a couple of main areas: the right for consumers to be forgotten; 72-hour breach reporting if there is a data breach; and data sharing opt-ins/consent.
It should not have a major impact directly on U.S. businesses as long as they are not actively targeting users in the EU with their marketing. Generic marketing doesn’t count. For example, a Dutch user who searches and finds an English-language web page written for U.S. consumers would not be covered under the GDPR rules.
Finally, the IAB has been working with Ad Tech partners to draft a consent framework to address the transparency and user choice issues that GDPR will focus on.