GDPR: Is Your Organisation at Risk of Non-compliance Because of Facebook?

Alex McCormick
04 / 05 / 2018 | Prodo Insights

Facebook has been the hot topic on everyone's lips recently in light of the Cambridge Analytica scandal, and with the impending GDPR, which arrives on the 25th May, I'm sure there's a lot more Zuckerberg will have to do to ensure his social network service operates in compliance with data protection rules.

That said, responsibility for data compliance could instead fall on the organisations that use Facebook social login integration to let people sign up for an account or membership.

You see, when you use Facebook - or Google for that matter - to Log In or Sign Up you willingly disclose personal data. Moreover, these businesses have the right to process this data to provide their services when someone asks them to. However, the application of the GDPR will prevent them from using this personal data for any further purpose unless the user permits. The GDPR applies the principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

Google and Facebook cannot confront their users with broad, non-specific consent requests that cover the entire breadth of their activities. Data protection regulators across the EU have underlined their expectations:

“A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.

A business cannot, for instance, collect more data for a purpose than it needs and then retroactively ask to use this data for additional purposes.

The extent of the profiling matters because users must be made aware of how their data will be used at the point consent is sought.

Slightly more appealing, from Google and Facebook’s perspective, is to inform a user about what they want to do with the personal data, and give the user a chance to “opt-out”. This opt-out approach has the benefit – from the company’s perspective – that some users’ inaction may allow their data to be used.

However, the GDPR permits the opt-out approach when the purposes that the companies want to use the data for are “compatible” with the original purpose for which personal data were shared by users. In addition to the opt-out notice, users also have to be told of their right to object at any time to the use of their data for direct marketing.

How to Prepare

Now is the time to act and prepare your business. Whether you trade online, are self-employed or run a company, it's crucial that you become more aware of the compliance requirements themselves.

For more information on how to make your organisation GDPR compliant you can have a look here, or even arrange a meeting with one of us at Prodo, we'll be happy to chat compliance over a coffee.

Examples:

So when you log in via Facebook - or Google for that matter - is it right that you're automatically giving consent for the third party to use your data, i.e. your search preferences for targeted ads and your email address for email marketing, without providing explicit consent in the form of an unticked checkbox?

For example, when I log in to the portal of a football organiser, Leisure Leagues, I log in via (for the purpose of this blog) a fake Facebook account; however, at no point do I give permission for Facebook to provide my data to Leisure Leagues in a GDPR compliant way. In fact, the new regulation requires that all forms should include a clear unticked checkbox to ensure that all users have willingly opted in to their data being handled.

Take a little look here:

[Screenshot: Leisure Leagues Facebook login (image missing from the extracted page)]

As you can see from the example of email marketing below, Leisure Leagues have clearly collected my data through the Facebook social login.

[Screenshot: Leisure Leagues marketing email (image missing from the extracted page)]

Take a look at UKTV as another example:

[Screenshot: UKTV Play sign-up form (image missing from the extracted page)]

UKTV Play have actually got their general signup form right, with the following GDPR compliant aspects:

  • A "what's this for?" information pop-up icon, clearly detailing the reasons for collecting the data
  • T&Cs and a privacy policy written in clear and understandable terms
  • An unambiguous, unticked checkbox, confirming that you explicitly understand what you're opting in to
  • Further information on the benefits of signing up in the form of a "click here" link

However, in terms of their Facebook social login, they are again at risk.

This means it will be up to businesses to re-evaluate their Facebook integration come May 25th if Facebook does not change its social login form template.

So if you're using Facebook as a login system to gather contacts, under the GDPR they could be considered a third party data processor; they are processing the data controller's data on its behalf. In that case, if you own an organisation which integrates Facebook social login for signups, you're going to have to keep your fingers crossed that Facebook incorporates a GDPR compliant opt-in field, otherwise you'll run the risk of non-compliance, and you know what that means - hefty fines and a plethora of legal disputes.
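One way for an organisation to protect itself regardless of what Facebook's login template does is to handle the social-login identity and the marketing consent separately on its own side, applying the purpose limitation and unticked-checkbox points above. This is an added example, not Prodo's, Facebook's or UKTV's code; the profile shape and form field names are assumptions, not a real Facebook API response.

```python
# Added example: a sign-up handler that keeps social-login data inside the
# purpose it was collected for, and treats direct marketing as a separate
# purpose that needs its own explicit, unticked opt-in.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purpose limitation: only what running the member account actually needs.
ACCOUNT_FIELDS = ("id", "name", "email")
MARKETING_NOTICE = "We will email you league news and offers; you may object at any time."

@dataclass
class Member:
    provider_id: str
    name: str
    email: str
    consents: dict = field(default_factory=dict)   # purpose -> consent record

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

def register_from_social_login(profile: dict, form: dict) -> Member:
    """profile: fields handed back by the social login (assumed shape, not a
    real Facebook Graph API response); form: the submitted sign-up form."""
    missing = [f for f in ACCOUNT_FIELDS if f not in profile]
    if missing:
        raise ValueError(f"social login did not supply required fields: {missing}")
    # Everything else the provider returned (friends, birthday, likes...) is
    # discarded: it was not collected for a purpose we specified to the user.
    member = Member(str(profile["id"]), profile["name"], profile["email"])
    member.consents["account"] = {"basis": "contract", "at": _now()}

    # A checkbox left unticked is simply absent from an HTML form submission,
    # so "not present" means "no consent"; only an affirmative tick records
    # the further purpose, together with the notice the user was shown.
    if form.get("marketing_opt_in") == "on":
        member.consents["direct_marketing"] = {
            "basis": "consent", "at": _now(),
            "notice": MARKETING_NOTICE, "right_to_object": True}
    return member

def may_send_marketing(member: Member) -> bool:
    return "direct_marketing" in member.consents

def object_to_marketing(member: Member) -> None:
    """Right to object to direct marketing: drop that purpose, keep the account."""
    member.consents.pop("direct_marketing", None)

# Constructed sample: what a social login might hand back, including fields
# the account has no specified purpose for.
SAMPLE_PROFILE = {"id": 1234, "name": "Alex", "email": "alex@example.com",
                  "birthday": "01/01/1990", "friends": ["sam", "jo"]}
```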