The beauty and power of social media marketing as a business tool is in the name, it’s social. It is based on the connections and relationships that exist between people and communities, and these connections are based on individuals. The ability to identify and target advertising on social media with such precision based on, say, their characteristics, their connections, or their activity, is what makes this method of advertising extremely powerful. In fact, major platforms such as Google, Facebook, Twitter and LinkedIn are continually investing in their ability to target consumers and businesses with increasing efficiency.
It also means that inherent within it is the fact that data collected for the purposes of social media marketing is very often personal data in that it relates to identifiable living individuals. As such you have to ensure that you comply with GDPR in relation to any personal data collected and used by you for the purposes of such marketing.
Often social media marketing is used for what is referred to as lead generation, i.e. it is used to capture the identity and contact details of potential leads for a business. This is an established and effective form of direct response marketing but, again, inherent within it is the fact that in doing so the personal data of idenfitifable individuals is being collected; and this brings the activity within the scope of the GDPR.
Another feature of social media marketing is the use of what is known as lookalike audiences, whereby details of existing contacts of a business can be uploaded to social media in order to allow that platform to identify other audiences that look like that existing list. In this case, it is important to be clear that the data being uploaded for that purposes is very likely the personal data of the individuals concerned. If those individuals are located in the EU it would be essential to ensure that any use made of that data is compliant with GDPR.
Your obligations if you are marketing to EU citizens
If your business is based in Canada or anywhere outside of the EU and you are collecting data on individuals in the EU as part of your social media marketing, you need to ensure that any transfer of that data outside of the EU to your business is GDPR compliant. The GDPR prohits transfers of data outside of the EU unless appropriate safeguards are in place to protect that data and ensures that it will continue to be subject to the GDPR or equivalent levels of data protection safeguards after the transfer. In particular, if your business is located outside of the EU without a physical establishment in the EU and you are processing data on people in the EU, then you will need to ensure that you have appointed a representative in the EU pursuant to Article 27 of the GDPR before any data on anyone in the EU is collected and transferred by you.
Click here to return to the GDPR Compliance Hub.