Retargeting is an incredibly useful marketing tool for businesses. What's so great about retargeting is that it specifically allows you to target already-warm leads. However, it's vital that you retarget legally, and that's where privacy law comes in.
Users have a right to control what happens to their personal data and who has access to it. Various privacy laws exist across the world; for example, the General Data Protection Regulation (GDPR) in the European Union (EU), and the California Consumer Privacy Act (CCPA). They all empower users by giving them control over their data, and this includes data handled by third parties.
Before we look at any specific clauses, let's be clear on how Facebook Retargeting (FBR) works and why privacy law applies.
- 1. How Facebook Retargeting Works
- 2. Facebook Retargeting and Privacy Policies
- 3.1. Collection of Personal Data
- 3.2. Method of Data Collection
- 3.3. Purpose of Data Collection
- 3.4. How Users Can Opt Out
- 4. Facebook Retargeting-Specific Clauses
- 4.1. Advertising and Analytics
- 4.2. Third Party Sharing
- 4.3. Cookies
- 4.4. How Users Can Opt Out of Retargeting
- 6. Displaying Your Privacy Notice
- 7. Conclusion
How Facebook Retargeting Works
Also known as remarketing, retargeting lets you specifically target users who don't convert to paying customers on their first visit. How it works is very simple:
- A potential customer visits your website
- Your site places an unobtrusive marketing cookie on their browser
- When the user next browses the web, the cookie triggers retargeting ads
- The user sees these ads and, hopefully, clicks through them and returns to your website
Since so many people have Facebook accounts, Facebook is the ideal platform for ad retargeting or remarketing. To get started, all you need is:
- A Facebook Ad Account
- A Facebook Pixel installed, which allows you to track things like purchases and web traffic
Once you have these features installed, you can start using Facebook Retargeting to retarget your visitors. You can remarket your goods and services to these visitors in various ways, including:
- Reminding them to complete their purchase
- Inviting them to contact support for any assistance they need
- Highlighting the same product, or similar products to the ones which they seemed interested in
- Targeting them on specific devices, such as a mobile phone
So, how does privacy law apply to Facebook Retargeting?
Facebook Retargeting and Privacy Policies
If you plan on using Facebook's business tools, including retargeting features, then you must comply with the platform's Business Tools Terms. You can view the terms in full here.
Once you enter the Facebook Business Center, you'll see that the platform requires you to:
- Tell visitors how you process or share data that you collect from visitors with any third parties
In short, this all means that if you're using cookies to gather information on a user for marketing or analytics purposes, you need to make them aware that you're doing this, and you need their informed consent.
We'll look specifically at cookies later, but for now, let's concentrate on your specific responsibilities under the Facebook developer rules.
Facebook sets out that developers must give notice that:
- Third parties may gather information from your website and use it to send the user targeted ads
- It's possible for users to opt-out of this information gathering
- Users can find out more information elsewhere
Facebook also provides additional rules for operating in areas where you need user consent to store and access cookies. You'll note that the onus is on you to ensure you have explicit and verifiable user consent:
Essentially, then, Facebook's own Business Tools Terms are in line with existing privacy laws around the world. Everyone has the right to control what personal data they share with businesses and third parties, and what ultimately happens to that data once it's shared.
Don't worry, though. Complying with Facebook's Business Tools Terms and general privacy law is easier than it sounds.
To stay on track with your obligations, here's all you have to do:
- Be clear that you participate in social media marketing
- Display the Privacy and/or Cookies Policy somewhere that users can see it
So, you plan on using Facebook Retargeting and you're ready to amend or create compliant policies. Let's consider what clauses you'll need, why you need them, and what they look like.
- The type of information you collect
- How you collect that data
- What you do with the data you've collected
- How users can opt-out of personal data collection
- Where users can go for further information
To comply with Facebook's own Business Tools Terms, you also need clauses explaining:
- Your advertising and analytics policies
- That it's possible for users to specifically opt-out of retargeting and analytics
- Where users can opt out of (with specific links provided)
Let's consider these clauses in turn.
Collection of Personal Data
Users have a right to know that businesses collect their personal data, whatever the purpose.
Barnes & Noble, for example, sets out that it collects data from visitors, and it gives examples of what this data includes:
Method of Data Collection
You must explain how you collect a user's personal data, and at what stages. For example, when users add something to their cart, or when they go through the checkout process.
Barnes & Noble notes its three main methods of data collection which are site analytics, internet browsers, and cookies:
Tip: Make it easy for users to find the information they're looking for.
Purpose of Data Collection
Privacy laws make it clear that you can't collect personal information from users without explaining why you need to collect it, and in some cases without getting informed consent. Essentially, you shouldn't collect any more data from a user than is necessary.
Tip: If you're collecting data from users, especially if it's for advertising or marketing purposes, make it clear.
How Users Can Opt Out
Users must always be able to opt-out of unnecessary data collection. For example, if you're using cookies for marketing analytics or advertising.
Gymshark has a great clause for this that's clear, specific, and customer-focused.
You'll see from the clause that the retailer sets out consumers' rights in large, clear bullet points and highlights the control that users have over their personal data, including the right to opt out of marketing:
Make sure consumers know where to go for further information about their privacy rights. Here's an example from Levi's:
Tip: To ensure you comply with Facebook's Business Tools Terms for remarketing, including clear, concise, consumer-focused clauses like this. Make it easy for consumers to find the information they need to make informed choices.
Facebook Retargeting-Specific Clauses
Advertising and Analytics
You must tell consumers that you:
- Collect their data for advertising and analytics purposes
- Share this data with third-party providers, including social media platforms
- It tells consumers that they target them through online advertising
- It tells consumers that they may see ads on social media based on the personal information they've shared with ASOS, or their previous browsing history
Tip: Expressly state that you may target users through social media. This covers targeted marketing for all social platforms, including Facebook.
Third Party Sharing
Although it's implied that you're sharing personal data with third parties if you're using targeted ads on social media, you must:
- Expressly state that you share data with third parties
- Explain the purpose of sharing the data with these third parties
This is the approach taken by Shopify:
Tip: Although you don't have to specifically "name" Facebook in your clause, it's very good practice to do so, as it ensures you're fully complying with Facebook's own requirements.
You should explain to users that you plan on installing cookies on their computer, and you should also explain what cookies actually are.
FLEO retailer defines cookies succinctly and clearly:
Then, you should highlight that third parties may install these cookies for analytics and remarketing purposes. Here's an example from Shopify:
You'll note there's also a link here to where customers can find further information, which is great practice.
How Users Can Opt Out of Retargeting
You need a specific clause for how users can opt out of targeted ad marketing. This is a more specific version of the opt-out clause mentioned above. It's good practice to have both.
Here's Shopify's opt-out clause:
Tip: Make it clear that users can opt out of targeted ad marketing.
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.
Displaying Your Privacy Notice
The key thing is that it's easy for customers to find the policies when they want to view them. This in line with Facebook's rule that you need verifiable and informed customer consent for remarketing and targeted ads.
Get consent before a user browses the site through a pop-up banner which users must click to close. That way, you're entitled to assume that the user accepts your policies, and that they understand how to amend their privacy settings.
Here's an example from Barnes & Noble:
As you can see, users can click through the links and read the relevant policies before continuing to the site. They can also, importantly, manage their preferences from the outset.
- You share information with third parties
- Third parties may install cookies for analytics purposes or to place targeted ads
- It's possible for users to opt out of targeted ads and personal data collection
- Users have rights to and amend their preferences
While Facebook Retargeting is undoubtedly a great marketing tool, it's essential that you comply with the platform's Business Tools Terms. You must demonstrate that users have given you clear, informed, and verifiable consent to sharing data for marketing and targeted ads.