Privacy Policy for Facebook Pages

If you manage a Facebook Page from the European Economic Area (EEA), you need to draft a Facebook-compliant Privacy Policy.

The EEA includes the 28 EU Member States plus Iceland, Liechtenstein, and Norway. You should note that although the UK is leaving the EU, it's still covered by these rules.

So, what do these rules mean? Basically, it's not enough just to have a Privacy Policy. Your Policy needs to include specific clauses. You also need to comply with general privacy laws; namely, the General Data Protection Regulation (GDPR).

There are essentially 4 requirements for a Privacy Policy for your Facebook page:

• Comply with Facebook's requirements
• Explain what happens to this personal data
• Identify who is responsible for protecting the data
• Tell people who they can contact for more information and to find out what data you process

In other words, your Facebook Page Privacy Policy isn't complete if you only cover these 4 points. You need to cover everything.

For the avoidance of doubt, personal data is essentially anything that can be used to identify an individual person. This identifier can be anything from an IP address to a name, which means there's a whole host of data that might be "personal."

So, why do you need to comply with these rules? There are 2 simple reasons.

• First, every platform can set its own rules (within the scope of the law, of course). If you want to use the platform, you need to comply with whatever rules the service provider sets.

• Second, it's not just Facebook that is responsible for data protection compliance. By law, you are, too. In fact, you and Facebook share the responsibility of:

  • Protecting personal data
  • Informing people of their privacy rights

If you don't comply, Facebook can shut your Page down and it could be hard to start a new Page.

Let's cover some basics so you're clear on exactly what the rules are, and why they apply to you.

Why Does Facebook Require a Privacy Policy for Pages?

Privacy Policies are required by a number of laws around the world. These laws aim to help people protect their personal data. People using your website, service or platform have the right to know what happens to their information when doing so.

Some of the relevant global privacy laws include the GDPR, CalOPPA and PIPEDA.

Facebook Pages fall under the scope of these laws meant to protect user rights because:

• Facebook Pages use cookies to collect data about visitors.
• Page Insights let you see how people interact with your posts and Page content. Through these analytics, you can improve your future posts.
• To use Page Insights, you're accessing personal data about Page visitors or subscribers.
• Accessing or collecting personal data means you need a Privacy Policy.

Every legally compliant Privacy Policy needs certain clauses. Let's quickly run over these before we move on to the Facebook-specific ones.

Your Privacy Policy needs the following clauses:

• Introduction i.e. explaining that this is a Privacy Policy
• Contact details
• Outline of the type of data you collect
• Why you collect the data
• How you collect the data
• What happens to this information
• How people can opt-out of marketing and non-essential data collection

To fully comply with the GDPR, you need a few other clauses, too.

Read our GDPR Privacy Policy Template article for more GDPR-specific guidance.

The Facebook Page Insights Controller Addendum

Facebook amended its Page Insights Controller Addendum in 2020. It confirms that Page admins are jointly responsible for protecting personal data captured for Page Insights.

So, if you're a Facebook Page admin, you agree that you and Facebook are jointly responsible for protecting personal data:

But what does this mean? In reality, you don't have as much responsibility as this implies. For the most part, Facebook is responsible for most things:

Meaning, Facebook takes responsibility for:

• Telling users about the Addendum
• Informing users of their Page Insights privacy rights
• Fulfilling data access requests
• Telling the relevant supervisory authorities if there's a data breach

So, what are you responsible for?

• Setting out your legal basis for processing the data in the first place
• Identifying yourself as a joint controller

In other words, you need a clear reason for capturing someone's personal data through Page Insights. We'll take a closer look at valid reasons below, but for now, let's consider what it means to be a joint controller.

Joint Controllers

According to Article 4 of the GDPR, a controller is someone who decides what personal data to collect and why the collection is necessary. So, a joint controller is simply someone who undertakes this responsibility alongside another controller.

But is there ever a time when you could be the single data controller? Is there ever a scenario when you're expected to take on more responsibility? Yes, actually.

If you interact directly with Page visitors and collect information from them e.g. email addresses to run a contest, you are the controller. Not Facebook.

Why? Because this type of data collection has nothing to do with Page Insights. You can see this exception in Facebook's Pages Policy:

So, you need to get someone's consent to collect their data and use it in a specific way. Always keep this rule in mind when you're using Facebook Pages.

Who Must Provide a Privacy Policy?

Before we move on, let's just be clear on exactly who needs to comply with these new requirements:

• There's probably no need to make these changes if you only use your Page for personal reasons. That's because, under the GDPR, you don't need to protect personal data collected for home or purely domestic use.
• You don't need to comply if you run a Community Page, either, but you need to comply if your Page status changes.
• If you use your Page for any other reason, and collect any amount of personal data, you need to comply with the Addendum.

In other words, if you run a Facebook Page and collect any personal information at all from Page visitors, you must update your Privacy Policy, or draft one now.

So, how do you go about drafting or updating your Privacy Policy to reflect the Addendum?

What You Must Include in Your Facebook Pages Privacy Policy

Declaration of Controllers

People have a right to know who the data controller is. So, you need to declare that you're a data controller. More specifically, you need to explain that you're a controller alongside Facebook.

Here's an example from Eppendorf. It has one Privacy Policy which covers everything. In other words, the company is sometimes the only controller.

It first identifies that the company is a data controller within the meaning of the GDPR:

Then, in clause 5, the company explains it sometimes acts as a joint controller with Facebook:

There's no specific language you need to use. All that matters is that you identify your company as a joint controller with Facebook for Page insights.

As with Eppendorf, it's good practice to link to Facebook's Addendum so people can read more about it for themselves.

Facebook's Full Details

Remember, although you're joint controllers, Facebook has the most responsibility for protecting data. You need to include Facebook's details so that people can contact them with questions about Pages or Facebook's Privacy Policy more generally.

Eppendorf, for example, puts Facebook's business details at the start of section 5, seen in the previous image here. Although the clause doesn't include an email address or telephone number, it's easy for people to click through the link provided and find these details for themselves. This is sufficient for Addendum purposes.

Your Contact Information

You need to set out your business contact details in full in your Privacy Policy. Just linking to another page isn't sufficient. It's not enough to just leave your business address, either.

You should include at least one free method of contact, such as an email address or online contact form.

Lufthansa, for example, sets out its contact details beside Facebook's. Setting out contact details like this reinforces the idea that they're joint controllers, but as we can see from Eppendorf above, it's not necessary. Simply providing the contact details is enough:

Your Legal Basis for Processing

Next, you need to specify your legal basis for processing data at all. Under the GDPR, there are 6 recognized grounds for processing a data subject's information:

• You have a legitimate interest
• It's in the public interest
• You're protecting the subject's vital interests
• It's part of your contract with the subject
• You have their express consent
• You're fulfilling your legal obligations in some other way

So, for example, you don't need someone's consent to process personal data if you need that information to complete a contract. In the same way, you don't need consent or any contract in place if you're acting in the interests of public security.

Lufthansa identifies 2 legal bases: Performing a contract, and acting in the company's own legitimate interests:

Remember, people have specific rights over their personal data. Namely, they have the right of:

• Rectification
• Erasure
• Access

If people want to exercise these rights, they need to lodge a request with the data controller. There are 2 points to note here.

First, if someone makes an access request about personal data processed through Page Insights, only Facebook can deal with it. This is stated in the Addendum:

So, all you need to do is complete and submit the form linked in the Addendum. You can't complete the access request.

The second point is that if someone makes an access request for data you processed in any other capacity, it's your responsibility to deal with. You only forward the request to Facebook if it relates to insights.

How to Display Your Privacy Policy for Facebook Pages

The final point we need to cover is where to display this Privacy Policy.

Ideally, you should link to your Privacy Policy on your actual Facebook Page. The admin section of your Page is set up to allow this.

• While signed in as an admin, click "About" in the left side menu
• Click "Edit Privacy Policy" from the options that pop up
• From here, you can link to your Privacy Policy so it shows up on your Page

Here's an example from Lufthansa's Facebook Page:

You don't need to post your whole Policy on the Facebook Page. You only need to provide a visible link.

Conclusion

If you have a Facebook Page and you use Insights you need to provide a GDPR-compliant Privacy Policy and link to it somewhere on your Page. You'll find the rules in the Facebook Page Insights Controller Addendum.

• Alongside Facebook, you are jointly responsible for any personal data processed through Page Insights.
• You need to inform people that you're a joint controller and that you capture personal data from them.
• You must also identify your legal basis for processing and provide your contact details.
• If you receive a data access request for information captured through Pages, you must forward it to Facebook.
• You must otherwise comply with your responsibilities under the GDPR.

If you breach these requirements, you'll probably lose your Page. Users could also raise a complaint against your company for failing to handle their data properly.