
GDPR's Impact on Social Media - Everything You Need to Know

GDPR requires that companies consistently prioritize the protection of EU consumer personal data in their operations and procedures. In this article, you can learn everything about the GDPR impact on social media.
 
Since social media is a key form of direct communication between businesses and consumers, marketers should work to understand the implications of GDPR regarding this strategic arm.

What is Social Media?


Social media - for anyone that’s been hiding under a rock in North Korea for the last 15 years - refers to online platforms where people share ideas and information. 

Some of the biggest players here include Facebook, YouTube, WhatsApp, and TikTok. 

There are 3.6 billion active social media users globally, meaning they represent almost half of the world population. This number is projected to increase to 4.4 billion by 2025 (Statista).
 
The wealth of personal data provided by these users makes these platforms one of the most effective marketing tools for companies. 

In 2020, spending on social media ads reached $132 billion and the total is expected to surpass the $200 billion mark in the next two years (Statista).

What are the GDPR Implications for Social Media Marketers?

The General Data Protection Regulation (GDPR) is a European Union law that came into force in 2018. It is built around protecting the personal data of EU citizens and residents.

The law has no bearing on individuals using social media purely for personal reasons. Instead, it applies to the use of social media in a professional capacity and prevents the processing, storing, or sharing of personal data without the owner’s consent.

The regulations apply to any company in the world that holds personal data on EU citizens and residents, regardless of whether they’re based in the Union.

Respecting the Data Rights of EU Citizens and Residents


The EU law protects eight fundamental rights of online users regarding their online personal data:

  1. The Right to Information
  2. The Right of Access
  3. The Right to Rectification
  4. The Right to Erasure
  5. The Right to Restriction of Processing
  6. The Right to Data Portability
  7. The Right to Object
  8. The Right to Avoid Automated Decision-Making

A company’s responsibilities to respect these eight fundamental rights extend to its social media user data.
 
This includes anything that can identify a user – such as names, dates of birth, web browser cookies, and tracking pixels. 

There is also an additional “special category” of data that requires a higher level of protection, such as information on race, ethnicity, and religion.

Consent is Key


Crucially, EU consumers need to explicitly consent to how this data is collected, stored and used, as well as to any transfer of it to third parties.
 
Social media marketers have long required such consent from users before collecting and using their data, but this requirement is now stricter under GDPR. 
 
Fortunately, consent and data usage have long been effectively covered by the terms and conditions, and privacy notices of social media platforms. 

With consent already in place, GDPR has had a less direct effect on social media marketing than in other parts of the sector. 
 
This means that organic social media marketing is largely unaffected by GDPR regulations, because posting content and engaging users does not require the collection of personal data. 
 
There is also no issue with fully anonymized data – so simply tracking things like follower numbers or engagement rate isn’t a problem.
 
The issue when it comes to social media and GDPR is when you are extracting personal data from the platform and storing it elsewhere within your business, or when you are using it for generating and collecting data in exchange for access to a download, for instance.

Key Areas of GDPR Significance for Social Media Marketers


Here are the three main ways that GDPR affects social media marketing:
 
1. Curbs on remarketing advertisements and tracking pixels
 
Remarketing (or retargeting) enables companies to create ads that follow their website visitors to the social media platforms they use, thanks to a pixel which identifies them as previous visitors to your website (or a specific page within it).
 
This information makes remarketing an effective marketing tool, but GDPR legislation now requires that consumers explicitly consent to the use of their data for such activities. This includes consent for the use of retargeting cookies.
 
If you’re targeting EU consumers, you must get explicit opt-in consent when you’re using personal data – including user tracking – and you must disclose GDPR compliance at every stage of your marketing funnel.
 
This will naturally add extra steps to marketing campaigns and mean that some of the generated leads will inevitably disappear. It will also make it more difficult to market to the social media users who have visited your website in the past.
 
2. Compels social media users to accept your privacy notice
 
When advertising to generate leads on social media, you will need to ensure that any form for capturing data has a suitable disclaimer and link to the privacy notice, with no pre-ticked opt-in boxes for obtaining consent. 

And, under GDPR, visitors to a social media landing page will have to opt-in twice – firstly to accept your privacy notice and secondly to follow your call-to-action.
 
3. Limits user behavior tracking
 
Social media analytics is vital for marketing, but GDPR now restricts the monitoring of social media user behavior. 

If you’ve noticed differences in traffic volumes to your website, including drop-offs and data lagging, you will need to test your cookie opt-ins to ensure that your social media traffic is accepting the terms. 
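The three points above come down to one engineering rule: no remarketing pixel, retargeting cookie or analytics script may run until the user has taken an affirmative, informed action, and it must stop again when they object. The following JavaScript module is an added example written for this article, not code from the original post or from any social media platform; the category names, the shape of the consent record and the loader callbacks are assumptions. It rejects a consent form with a pre-ticked box, treats inactivity as no consent, loads only the trackers the user opted into, and handles withdrawal.

```javascript
// Added example (not from the original article): gating trackers behind explicit consent.
// The category names, the consent record shape and the loader callbacks are assumptions;
// a real site would persist the record and call the platform's own pixel snippet in the loader.

const NON_ESSENTIAL = ["analytics", "marketing"]; // strictly necessary cookies need no opt-in

// Check a consent form definition before it ships: every non-essential purpose must be
// offered, described in plain language, and unticked by default.
function validateConsentForm(form) {
  const problems = [];
  for (const cat of NON_ESSENTIAL) {
    const field = form[cat];
    if (!field) {
      problems.push(`${cat}: purpose not offered`);
      continue;
    }
    if (field.defaultChecked) problems.push(`${cat}: pre-ticked box is not valid consent`);
    if (!field.purpose || field.purpose.trim() === "") problems.push(`${cat}: purpose not described`);
  }
  return problems;
}

// The state before the user does anything: everything non-essential is denied.
function emptyConsent() {
  return { analytics: false, marketing: false, grantedAt: null, source: "none" };
}

// Record an affirmative action. `choices` holds only the boxes the user ticked;
// anything omitted stays denied, so closing the banner or scrolling grants nothing.
function recordConsent(choices, now = Date.now()) {
  const rec = emptyConsent();
  for (const cat of NON_ESSENTIAL) rec[cat] = choices[cat] === true;
  rec.grantedAt = now;
  rec.source = "explicit-optin";
  return rec;
}

// Withdrawal (the right to object): deny the category and keep the time for the audit trail.
function withdrawConsent(consent, cat, now = Date.now()) {
  return { ...consent, [cat]: false, withdrawnAt: now };
}

// The gate: a loader runs only for a category the user opted into. Returns what was
// loaded so the page can log it against the consent record.
function loadTrackers(consent, loaders) {
  const loaded = [];
  for (const cat of NON_ESSENTIAL) {
    if (consent[cat] === true && typeof loaders[cat] === "function") {
      loaders[cat]();
      loaded.push(cat);
    }
  }
  return loaded;
}

// Walk through the situations the article describes, using constructed loaders
// that only record whether they were called.
function demo() {
  const calls = [];
  const loaders = {
    analytics: () => calls.push("analytics-script"),
    marketing: () => calls.push("remarketing-pixel"),
  };
  const form = {
    analytics: { defaultChecked: false, purpose: "Measure which posts bring visitors here" },
    marketing: { defaultChecked: true, purpose: "Show you our ads on social platforms" },
  };
  const formProblems = validateConsentForm(form);              // pre-ticked box is flagged
  const beforeAction = loadTrackers(emptyConsent(), loaders);   // nothing loads on inactivity
  const granted = recordConsent({ analytics: true }, 1700000000000);
  const afterOptIn = loadTrackers(granted, loaders);            // analytics only
  const revoked = withdrawConsent(granted, "analytics", 1700000100000);
  const afterWithdrawal = loadTrackers(revoked, loaders);       // nothing again
  return { formProblems, beforeAction, afterOptIn, afterWithdrawal, calls };
}
```

The design choice worth noting is that `emptyConsent()` is the only state a visitor can have before an affirmative action, and `recordConsent()` copies only values that are literally `true`, so a missing field, a default or a truthy string can never switch a tracker on. In a real deployment the loader callbacks would be the pixel and analytics snippets themselves, and the consent record would be stored with its timestamp as evidence of when and how consent was given.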

What are the GDPR Penalties for Non-Compliance?

The GDPR imposes strict fines on companies seen to be inadequately protecting EU citizen personal data, with a two-tier fining system:

  • Tier 1: up to €10 million, or 2% of annual global revenue from the previous year, whichever is higher
  • Tier 2: up to €20 million, or 4% of annual global revenue from the previous year, whichever is higher

What You Need to do to Stay GDPR Compliant


Conduct an Internal Audit
 
Assess your operational procedures and processes regarding all social media platforms used. 

Map the flow of personal data along these channels, so that you can see where it came from and who it is being shared with. 

Identify what data you hold on EU residents – including photos of employees on your website and social media channels – and review third-party service agreements to ensure their GDPR compliance.
 
Ensure ‘Privacy by Design’
 
This is a key theme running through GDPR, and means you must plan and decide how personal data can pass through your company in as safe and secure a manner as possible.
 
In practice, this means that the strictest privacy settings now apply to any company product or service. Personal information should only be collected when necessary and be kept only for the required amount of time.
 
Have a Clear and Concise Privacy Notice 
 
Create a readily accessible privacy notice, including your social media policy, with all marketing activities. This way, users understand what happens to their data.
 
Seek Permission Every Step of the Way
 
Obtain explicit consent for processing personal data through readily available opt-in forms that are written in clear, uncomplicated language. 

These forms must be more detailed than in the past, stating what data is being collected and why it is being shared. These opt-ins must also be mobile friendly.
 
Remember - inactivity does not mean consent; users must take action for themselves.
 
Ensure Your Legal Basis for Processing Data
 
Companies must be able to justify their legal basis for processing personal data. 

They must also have systems in place for customers to request changes or removal of their personal data – including its transfer to another company.
 
Limit Availability of Social Media Data to Employees
 
Establish a company policy that informs people about social media management and the rules surrounding GDPR. 
 
This should include designating specific employees to manage social media pages, so that access to personal data is restricted and logins are not shared with your entire staff. It should also set rules against using personal social media accounts for company activities.
 
The social media policy should include the following points:

  • Risk of defamation
  • Reputation and brand management
  • Handling negative comments
  • Monitoring employees
  • Protecting information about employees

Explain and Justify Your Intent with Data
 
Companies can only collect and process data if they have a legal basis for doing so. 

Consequently, explain to users why your company needs their personal data, and what it will be used for. 

Inform them about any processes that have been introduced after they initially granted consent. You may also need to update your cookie notice.
 
Compliance Is an Ongoing Task
 
GDPR compliance can be a time and resource-intense process, but the extra care taken to protect personal data is appreciated by users.
 
Adapting your social media marketing strategy is a further opportunity to build trust with customers and attract better leads.
 
The best advice is to learn about the new GDPR requirements, review your company’s procedures for processing data, and to assign someone to continue maintaining compliant data records.