Are Facebook lookalike audiences GDPR compliant?

Facebook lookalike audiences allow advertisers to target new potential customers who are similar to their existing customers. This can be a powerful marketing tool, but there are concerns around whether it complies with data privacy regulations like the EU’s General Data Protection Regulation (GDPR).

What are Facebook lookalike audiences?

Facebook lookalike audiences use data modeling to find new potential customers who share similar qualities to a business’s existing customers. To create a lookalike audience, a business uploads a list of existing customers like email addresses or phone numbers. Facebook’s algorithm then analyzes that list to identify common qualities among those customers such as location, age range, interests, and behaviors on and off Facebook. It then finds new people on Facebook who match a percentage of those common qualities. Those new people become the lookalike audience that the business can target with ads.

For example, an online shoe store could upload a list of email addresses of its current customers. Facebook might determine that 85% of those customers are women between the ages of 25 and 35 who live in urban areas and are interested in fashion and fitness. Facebook would then find new Facebook users who match those qualities at, say, a 60% level, and target ads for that shoe store to the lookalike audience.

What data does Facebook use to build lookalike audiences?

Facebook uses a wide range of data points about people to identify lookalike audiences. This includes information people provide directly to Facebook such as:

  • Age
  • Gender
  • Location
  • Relationship status
  • Education and work
  • Interests and hobbies

It also includes behavioral data that Facebook collects by tracking people’s activities on and off Facebook such as:

  • Pages and posts they engage with
  • Ads they click on or purchase from
  • Sites and apps they use
  • Purchase history and shopping patterns

Does this meet GDPR requirements?

For the use of lookalike audiences to comply with GDPR, Facebook would need to meet several requirements:

Consent

Facebook would need the informed consent of users to process their personal data for lookalike audience targeting. The consent would need to be freely given, specific, and unambiguous. A general consent to personalized ads would not be enough. Users would need to know that their data is being used for lookalike audience targeting and consent specifically to that.

Transparency

Facebook’s data collection and use practices would need to be fully transparent. This includes explaining what data is collected, how lookalike audiences are built, and how a user’s data impacts what ads they see.

Data minimization

Facebook should collect and use the minimum amount of data needed to create effective lookalike audiences. This means not collecting extraneous data unrelated to lookalike audience purposes. It also means deleting lookalike audience data when no longer needed for that purpose.

Accuracy

Facebook would need measures to ensure the accuracy of the data used for lookalike audiences. Inaccurate or outdated data could result in users being included in inappropriate lookalike audiences.

Security

Facebook would need to implement strong security protections for the data used for lookalike audiences such as encryption and access controls. This guards against unauthorized access or misuse of the data.

User rights

Facebook would need to enable user rights such as allowing users to access the data held about them, correct inaccuracies, delete data, or opt out of lookalike audience targeting.

Accountability

Facebook would need strong accountability mechanisms to demonstrate GDPR compliance for lookalike audiences. This includes audits, documentation of practices, and potential impact assessments.

Does Facebook meet these requirements?

Facebook claims that its use of lookalike audiences is GDPR compliant. However, some privacy advocates and regulators dispute this. Concerns that have been raised include:

  • Users may not be sufficiently informed about how their data is used for lookalike audiences during consent flows.
  • Facebook collects expansive data for profiling that goes beyond what’s necessary for lookalike audiences.
  • Facebook’s security controls may be inadequate given data breaches in the past.
  • Facebook makes it difficult for users to access, edit, or delete lookalike audience data.
  • Facebook targeting has been found to exclude certain groups, raising accuracy concerns.

In 2019, Facebook was fined $2.7 million Euros by France’s data protection authority CNIL for lookalike audience targeting that did not meet GDPR consent and transparency requirements.

However, Facebook asserts it has made improvements since then to its consent flows, data minimization practices, and user controls. The company says these updates enable lookalike audiences to be GDPR compliant. It maintains that lookalike audiences are an important tool for businesses and that its practices align with EU regulations.

Ongoing legal uncertainty

Because of continued debate around Facebook’s lookalike audience practices, there is ongoing legal uncertainty about their GDPR compliance. Some of the areas most likely to see further regulatory or judicial scrutiny include:

Consent

Does Facebook obtain meaningful consent that specifically covers use of data for lookalike audiences? Are consent flows transparent enough about how data will be used for modeling and matching?

Necessity and data minimization

Does Facebook collect and retain more data than needed to effectively build lookalike audiences? Is Facebook incentivized to gather more data than necessary?

Profiling transparency

Are data subjects sufficiently informed about the logic behind the profiling techniques used to create lookalike audiences?

Rights of access and opposition

Does Facebook make it easy enough for users to access lookalike audience data or opt out of being included in lookalike audience targeting?

Area            | Facebook's Position                                     | Critics' Arguments
Consent         | Consent flows explain lookalike use and require consent | Consent not specific or informed enough
Data Collection | Only data needed for effective targeting collected      | Expansive unnecessary data gathered
Transparency    | Lookalike creation process explained                    | Profiling techniques not clear enough
User Rights     | Controls available to access data or opt-out            | Data not easily accessible or deletable

This table summarizes Facebook’s position on these issues versus the arguments of critics who believe lookalike audiences may still not meet GDPR standards.

Potential future developments

Here are some possible ways the debate around Facebook lookalike audiences and GDPR could evolve:

  • Additional regulatory judgments or fines requiring Facebook to modify lookalike audience practices.
  • Legal challenges questioning Facebook’s interpretation of GDPR standards.
  • Facebook tweaking its data collection, consent flows, profiling disclosures, or user controls.
  • Users, advocacy groups, or third parties filing complaints related to lookalike audience targeting.
  • Courts issuing influential rulings interpreting GDPR provisions on issues like consent, profiling, and user rights.
  • Regulators issuing updated guidance on applying GDPR to practices like lookalike audiences.

Ongoing legal developments could force Facebook to alter its approach or defend its current practices. But the company may also proactively make changes to strengthen compliance and avoid scrutiny. While Facebook maintains its lookalike targeting aligns with GDPR today, the area remains legally uncertain.

Conclusion

Facebook lookalike audiences raise open questions around GDPR consent, data minimization, transparency, and user rights. Facebook claims its current practices are compliant but faces skepticism from critics and regulators. Key areas of debate include consent flows, data collection scope, profiling disclosure, and opt-out controls. Ongoing legal developments could require Facebook to modify its approach, or the company may proactively enhance compliance. But for now, whether Facebook lookalike audiences fully meet GDPR standards remains legally ambiguous, with the regulation open to differing interpretations.