Facebook response on advertising: A failure to acknowledge responsibility

Following our investigation into advertisers on Facebook and the exposure of the platform's shortcomings, Facebook's response is a failure to acknowledge its responsibility in ensuring transparency and enabling people to exercise their rights. Here is our point-by-point analysis of their answer.

Key points
  • Facebook said they are working to improve the accuracy of the Download Your Information tool
  • But the company fails to acknowledge its responsibility as a platform to ensure transparency and enable users to exercise their data rights
  • Facebook did not announce intent to improve transparency regarding advertisers uploading users' information as requested by Privacy International
  • Despite some recent changes, the platform is far from offering enough transparency for its users to plainly understand how advertisers uploading their information are targeting them

Back in June, we published our investigation into Facebook brands, highlighting how Facebook failed to provide its users with a fair and meaningful understanding of how targeted advertising operated on its platform, and a number of issues preventing users from exercising their rights to the fullest possible extent. In the face of the serious gaps encountered, we published an open letter to Facebook drawing attention to four main issues as well as our recommended actions to tackle them. This letter resulted in an extensive conversation with company representatives and Facebook eventually provided us with a written response, which you can find as a PDF at the bottom of this page.

Although we thank Facebook for their engagement, we are disappointed by the limited action taken so far. Here, we outline how our recommendations compare with Facebook's action.

Issue 1: Facebook’s “Download Your Information” and “Businesses who uploaded and used a list” features are currently not exhaustive.

PI staff monitored these Facebook tools over an extended period of time. What we found is that the list of advertisers who had uploaded our personal data changed from one month to the next, with some of them simply disappearing. In other words, users are not receiving the full picture about which companies have targeted them on the platform. We also raised the lack of information about what actions these advertisers had taken regarding the user: whether they had uploaded the user's data onto Facebook and/or targeted them with particular ads.

PI's Recommended actions:

  1. Make “download your information” and “Businesses who uploaded and used a list” comprehensive, accurate and list all advertisers who uploaded a list with users’ data since account creation.
  2. Include the first and last date on which the list was uploaded. This will be a step towards transparency and give users an opportunity to begin to assess which company or companies might unlawfully process their personal data.
Facebook's action
  • ✅ Commitment to improve accuracy of DYI (Download Your Information)
  • ❌ No action taken on making the DYI list exhaustive/complete
  • ❌ No action taken on including the dates on which the list was uploaded
FB response on issue 1

"Our Ad Preferences and Download Your Information (DYI) tools play an essential role in ads transparency. Aligned with your recommendation, we have started working to update Download Your Information to reflect information in a manner similar to Ad Preferences, in which people can see the advertisers that have uploaded customer lists and have used them for advertising. Such an update requires the involvement of various teams and requires complex engineering work. Our objective is to help ensure that information is consistent and accurate throughout the platform and that the same information can be accessed via the different tools we have."

Why we think it's not enough:

Making information about advertisers available and keeping it accurate, consistent and up-to-date over the entire platform is in our view the minimum users should expect. Yet, it is far from providing the necessary breadth of information and clarity users need. Facebook should also provide users with further information about the upload dates and use of customer lists. Otherwise, users are still in the dark about which companies may have acted unlawfully by targeting them with adverts using their personal data.

Issue 2: Information provided about advertisers is insufficient for users to exercise their rights (such as the right to access their data or have them erased)

Exercising one's data protection rights should not be difficult, least of all on a platform as powerful as Facebook. In practice, however, contacting advertisers and businesses who had uploaded our data onto Facebook to access our information proved to be a real odyssey. The only thing Facebook provided us with was the name of the advertiser or business and a link to their Facebook page. Needless to say, trawling through each company's privacy policy and finding the email addresses of their data protection officers or departments was an unnecessarily time-consuming exercise.

PI's Recommended action:

  1. Ensure the provision of contact information for each advertiser (preferably the email/postal address of the business or its Data Protection Officer, if there is one) in the relevant places (i.e. Download your info, off-Facebook and in ad preferences – advertisers/businesses that have uploaded a list – which is the focus of the research). We note that Facebook recently added a ‘view controls’ pop-up in its advertising section with a space dedicated to contact information. The inclusion of a website in some cases is a welcome addition but providing an email address which is monitored regularly should be mandatory for advertisers to allow users to exercise their rights. Indeed, this is important given the relevant obligations contained in Article 12(2) of GDPR to facilitate the exercise of data subject rights and under Articles 13(1)(a & b) and 14(1)(a & b) to provide the contact details of the data controller and the data protection officer, where applicable.
Facebook action
  • ❌ No action taken
Facebook response on issue 2

Interestingly, Facebook seems to acknowledge that transparency is a key component of exercising one's data rights.

"We feel that the proactive and simple transparency we surface actually improves the overall transparency for people in respect of how their data is processed, and by which companies. Of course, this transparency also allows them to, if they wish, submit a request to those companies, as data controller, for additional information."

However, in practice, Facebook remains reluctant to take full responsibility for the ways in which advertisers' information is displayed on its platform.

"Advertisers deciding to use their own customer lists on Facebook are acting as data controllers. As such, they must have provided the relevant information to their own customers regarding their processing purposes and obtained the necessary permissions, where legally required, to target their ads to their customers via Facebook. The advertiser is the one responsible for establishing and maintaining the proper legal basis to advertise to their own customers on Facebook based on the advertiser’s customer lists and to provide the right information to the data subject. Facebook is acting here as a means for advertisers to reach out to their customers; it is the advertiser’s obligation, as controller, to provide the relevant information to their own customers, as described in Articles 13 or 14 of the General Data Protection Regulation."

"We believe that these controls facilitate the exercise of data subjects rights with advertisers that are acting as a data controller. We also understand that Facebook may play a role to facilitate that controllers uploading customer lists on Facebook are reminded of their own obligations to address data subjects’ rights requests. This is why we have on our help center a page focused on creating customer lists which specifies that advertisers need to “review our terms to ensure [they] have a legal basis to use the information [they] plan to upload. Under the General Data Protection Regulation (GDPR), advertisers act as the data controller for any lists uploaded to create a Custom Audience. (This includes people residing in the European Union).” Moreover, our GDPR microsite provides information to businesses that advertise with the Facebook companies, including information regarding when Facebook acts as a controller or as a processor."

FB is taking the convenient position here that it's not their job to provide more information about the company doing advertising on its OWN platform. You would think that a 6-month research project showing how hard, if not impossible, it is to exercise one's rights on Facebook would make them consider that maybe as a middleman they have a responsibility for providing transparency. Providing its customers with information and guidance isn't sufficient and won't yield more transparency for the user if the platform isn't offering effective transparency mechanisms and tools.

In their answer, FB is conflating ensuring that there is a lawful basis for processing by advertisers with facilitating the exercise of data rights. These are two distinct issues. The right for data subjects to access their information exists regardless of whether or not there was a lawful basis for the processing of their data. FB's reminder to advertisers of their obligations as data controllers does nothing to further the exercise of users' data rights. Users are currently left with no option but to trust that advertisers are honouring their data protection obligations. FB takes their word for it, and the difficulties involved in actually contacting the relevant companies prevent the user from effectively scrutinising compliance with data protection laws.

Facebook has developed ever more granular and sophisticated tools to ensure effective ad targeting of its users. When compared to its ad targeting capabilities, taking the simple step of requiring businesses to provide contact information for data protection officers or equivalent staff is almost comically easy.

Issue 3: There is a lack of transparency regarding what personal data advertisers uploaded and the source of it.

PI's Recommended action:

  1. Provide the user with information about the data uploaded by the advertiser used to target or exclude them from ads. This will allow users to identify if there are legitimate reasons for this advertiser to process this data. From the user perspective, this information should be easily accessible and explicit through language such as “This advertiser uploaded a customer list with your email address”.
  2. Additionally, we suggest adding four mandatory columns to the customer list upload system for advertisers to provide legal basis, data collection means, data source and data collection date. This information could be provided to the user in a simple and understandable sentence, e.g. “this advertiser used your email address to identify you. They obtained this information in [2018], from [newsletter signup], and rely on [consent] to target you”. Not only would this improve transparency for the user as to how their data is processed, supporting compliance with Articles 5(1)(a), 12, 13, 14 and 15 of GDPR but it would also help to ensure that both Facebook and advertisers are complying with the accountability principle of GDPR (Article 5(2)).
  3. Clarify Facebook’s position regarding the use of third parties as a number of advertisers seem to be using data uploaded by other parties to exclude or target users on Facebook. It is currently unclear if this is a feature offered by Facebook (to allow sharing of customer lists) or part of advertisers' practices. It should be clear what third parties are involved and their role in relation to any data.
Facebook action
  • ✅ "Why am I seeing this ad" states (when relevant) if the ad was targeted using a customer list with your email or phone number.
  • ❌ "Why am I seeing this ad" excludes any other identifier like tracking pixels (despite their use) so most ads won't have this information
  • ❌ This information is not available in other places on the platform such as the Ads section in the users' profile
  • ❌ No action taken on the addition of new columns to the list of customers uploaded by advertisers
  • ❌ No action taken on providing more information about why uploaded lists are shared between advertisers
Facebook response on issue 3

"Facebook is not in a position to verify the data collection processes that generated the lists of advertisers’ customers that they use to send ads on Facebook, nor is Facebook reasonably in a position to verify whether advertisers have maintained the appropriate permissions throughout their use of the data. However, we can help people on Facebook better understand which advertiser, acting as a controller, has uploaded a customer list against which they matched, and how that list was used. To that end, we have developed on our platform a number of tools to provide transparency and controls. We provide education to people on Facebook via Ad Preferences on how advertisers upload and use customer lists on Facebook; this includes hashing data for matching purposes."

"We surface information about when a customer list was first uploaded to Facebook and when it was used to deliver an ad. This information is available via our tool "Why am I seeing this ad?" (WAIST) which is accessible on every ad displayed on a user’s News Feed."

"WAIST also enables people on Facebook to see whether the match key used for the customer list is an email address or phone number used on Facebook; these keys represent the majority of match keys used for Customer List Custom Audiences."

While Facebook might not be in a position to verify the lawfulness of advertisers' data practices, it is entirely within its technical ability to inform users about the data that was used to uniquely identify them. This would be a real case of helping people understand how such targeting was possible and assess whether the company has a legitimate reason to process this information. Similarly, asking advertisers to come clean about their practices will, while not binding on FB, hopefully incentivise them to be more transparent.

Facebook also remains completely silent on the use of lists by third parties. This is problematic as a number of advertisers seem to be using data uploaded by other parties.

Issue 4: A related issue is the lack of information provided by the Off-Facebook activity feature

In theory, Facebook's Off-Facebook tool enables users to see the data that is shared with Facebook by apps and websites based on interactions that have taken place between those apps and websites and the users off Facebook. But the reality is that the Off-Facebook feature offers little insight into how users are tracked and finally targeted on Facebook. Facebook sometimes only tells you that there was a "CUSTOM" interaction with a given app or website, leaving users in the dark as to how, when and where this interaction happened, and how consent was obtained.

PI's Recommended action:

  1. Provide extensive information on Off-Facebook activities to allow users to understand how they were tracked. This includes exposing the technology used to identify the user off site (cookie, Facebook pixel, advertising ID on mobile) and the precise identifiers used.
  2. Provide more information about/ facilitate the exercise of data subject rights through this feature, including for example, objecting to this activity being shared with Facebook.
Facebook action
  • ❌ No action taken
Facebook response on issue 4

Facebook ignored this point and have not mentioned any action related to the Off-Facebook Activity feature and its lack of information.

Other points

In their letter, Facebook also note:

"One of the key objectives we have is, with the inherent limitations of a data processor role, to make sure that the information that is provided to people on the platform is meaningful and that they are not overwhelmed with information that would not materially improve their understanding of how their data is collected and used. We feel that the proactive and simple transparency we surface actually improves the overall transparency for people in respect of how their data is processed, and by which companies. Of course, this transparency also allows them to, if they wish, submit a request to those companies, as data controller, for additional information."

The fact that we encountered so many difficulties, which often left us unable to fully exercise our data protection rights, proves that the platform's practices are still far from achieving the necessary transparency. As our investigation highlights, we spent 6 months trying to answer a simple question: Why is Facebook telling me that this company has uploaded my data to target me with ads, and how did they get my data in the first place? Facebook is underplaying their role in fixing a system they created.

A simple look at the green tick/red tick ratio in this piece tells you all you need to know. Facebook is not taking its responsibilities seriously as a platform and does not seem committed to offering more transparency to its users or to helping them exercise their data protection rights. But this doesn't end here. We are continuing the discussion with Facebook to defend users' interests and challenge the company's understanding of its role in advertising transparency.