Privacy Policy for Facebook Retargeting

You can't use Facebook Retargeting without creating a Privacy Policy that tells users you use targeted ads. Why? Because it involves personal data collection, which triggers various privacy laws around the world.
Retargeting is an incredibly useful marketing tool for businesses. What's so great about retargeting is that it specifically allows you to target already-warm leads. However, it's vital that you retarget legally, and that's where privacy law comes in.
Users have a right to control what happens to their personal data and who has access to it. Various privacy laws exist across the world; for example, the General Data Protection Regulation (GDPR) in the European Union (EU), and the California Consumer Privacy Act (CCPA) as amended by the CPRA. They all empower users by giving them control over their data, and this includes data handled by third parties.
Before we look at any specific clauses, let's be clear on how Facebook Retargeting (FBR) works and why privacy law applies.
- 1. How Facebook Retargeting Works
- 2. Facebook Retargeting and Privacy Policies
- 3. Drafting a Facebook Retargeting-Compliant Privacy Policy
- 3.1. Collection of Personal Data
- 3.2. Method of Data Collection
- 3.3. Purpose of Data Collection
- 3.4. How Users Can Opt Out
- 4. Facebook Retargeting-Specific Clauses
- 4.1. Advertising and Analytics
- 4.2. Third Party Sharing
- 4.3. Cookies
- 4.4. How Users Can Opt Out of Retargeting
- 5. How to Create a Privacy Policy for Your Website
- 6. Displaying Your Privacy Notice
- 7. Conclusion
How Facebook Retargeting Works
Also known as remarketing, retargeting lets you specifically target users who don't convert to paying customers on their first visit. How it works is very simple:
- A potential customer visits your website
- Your site places an unobtrusive marketing cookie on their browser
- When the user next browses the web, the cookie triggers retargeting ads
- The user sees these ads and, hopefully, clicks through them and returns to your website
Since so many people have Facebook accounts, Facebook is the ideal platform for ad retargeting or remarketing. To get started, all you need is:
- A Facebook Ad Account
- A Facebook Pixel installed, which allows you to track things like purchases and web traffic
Once you have these features installed, you can start using Facebook Retargeting to retarget your visitors. You can remarket your goods and services to these visitors in various ways, including:
- Reminding them to complete their purchase
- Inviting them to contact support for any assistance they need
- Highlighting the same product, or similar products to the ones which they seemed interested in
- Targeting them on specific devices, such as a mobile phone
So, how does privacy law apply to Facebook Retargeting?
Facebook Retargeting and Privacy Policies
If you plan on using Facebook's business tools, including retargeting features, then you must comply with the platform's Business Tools Terms. You can view the terms in full here.
Once you enter the Facebook Business Center, you'll see that the platform requires you to:
- Tell visitors how you use cookies
- Tell visitors how you process or share data that you collect from visitors with any third parties
In short, this all means that if you're using cookies to gather information on a user for marketing or analytics purposes, you need to make them aware that you're doing this, and you need their informed consent.
We'll look specifically at cookies later, but for now, let's concentrate on your specific responsibilities under the Facebook developer rules.
Facebook sets out that developers must give notice that:
- Third parties may gather information from your website and use it to send the user targeted ads
- It's possible for users to opt-out of this information gathering
- Users can find out more information elsewhere
Facebook also provides additional rules for operating in areas where you need user consent to store and access cookies. You'll note that the onus is on you to ensure you have explicit and verifiable user consent:
Essentially, then, Facebook's own Business Tools Terms are in line with existing privacy laws around the world. Everyone has the right to control what personal data they share with businesses and third parties, and what ultimately happens to that data once it's shared.
Don't worry, though. Complying with Facebook's Business Tools Terms and general privacy law is easier than it sounds.
To stay on track with your obligations, here's all you have to do:
- Create a compliant Privacy Policy, or amend your existing one
- Include a few clauses on how you use cookies, or create a separate Cookies Policy
- Be clear that you participate in social media marketing
- Display the Privacy and/or Cookies Policy somewhere that users can see it
So, you plan on using Facebook Retargeting and you're ready to amend or create compliant policies. Let's consider what clauses you'll need, why you need them, and what they look like.
Drafting a Facebook Retargeting-Compliant Privacy Policy
There's no one specific template for writing an FBR-compliant Privacy Policy, but there are a few clauses you'll need at a minimum.
First, your Privacy Policy should comply with general data privacy laws. This means you should include general clauses explaining:
- The type of information you collect
- How you collect that data
- What you do with the data you've collected
- How users can opt-out of personal data collection
- Where users can go for further information
To comply with Facebook's own Business Tools Terms, you also need clauses explaining:
- Your advertising and analytics policies
- How you use cookies, and which cookies you use
- That it's possible for users to specifically opt-out of retargeting and analytics
- Where users can opt out (with specific links provided)
Let's consider these clauses in turn.
Collection of Personal Data
Users have a right to know that businesses collect their personal data, whatever the purpose.
Barnes & Noble, for example, sets out that it collects data from visitors, and it gives examples of what this data includes:
Tip: Include this clause at the start of your Privacy Policy.
Method of Data Collection
You must explain how you collect a user's personal data, and at what stages. For example, when users add something to their cart, or when they go through the checkout process.
Barnes & Noble notes its three main methods of data collection, which are site analytics, internet browsers, and cookies:
It's also a good idea to clearly list the main ways you collect data, and put this list somewhere near the beginning of your Privacy Policy. This is the approach taken by Barnes & Noble.
Tip: Make it easy for users to find the information they're looking for.
Purpose of Data Collection
Privacy laws make it clear that you can't collect personal information from users without explaining why you need to collect it, and in some cases without getting informed consent. Essentially, you shouldn't collect any more data from a user than is necessary.
Here's an example from Levi's. First, the company clearly highlights a type of personal data it collects from website visitors. Then, it explains why it collects this data. A clause like this clearly meets Privacy Policy obligations:
Tip: If you're collecting data from users, especially if it's for advertising or marketing purposes, make it clear.
How Users Can Opt Out
Users must always be able to opt-out of unnecessary data collection. For example, if you're using cookies for marketing analytics or advertising.
Gymshark has a great clause for this that's clear, specific, and customer-focused.
You'll see from the clause that the retailer sets out consumers' rights in large, clear bullet points and highlights the control that users have over their personal data, including the right to opt out of marketing:
Make sure consumers know where to go for further information about their privacy rights. Here's an example from Levi's:
Tip: To ensure you comply with Facebook's Business Tools Terms for remarketing, include clear, concise, consumer-focused clauses like this. Make it easy for consumers to find the information they need to make informed choices.
Facebook Retargeting-Specific Clauses
Now that we're clear on the type of general clauses every Privacy Policy needs, here's an overview of the additional specific clauses you'll need if you plan on using Facebook remarketing or retargeting.
Advertising and Analytics
You must tell consumers that you:
- Collect their data for advertising and analytics purposes
- Share this data with third-party providers, including social media platforms
Here's an example from ASOS. Although ASOS's Privacy Policy doesn't specifically mention Facebook, it complies with Facebook's Business Tools Terms for two major reasons:
- It tells consumers that ASOS targets them through online advertising
- It tells consumers that they may see ads on social media based on the personal information they've shared with ASOS, or their previous browsing history
Gymshark takes a similar approach, except that it sets out these details in a separate Cookie Policy:
Tip: Expressly state that you may target users through social media. This covers targeted marketing for all social platforms, including Facebook.
Third Party Sharing
Although it's implied that you're sharing personal data with third parties if you're using targeted ads on social media, you must:
- Expressly state that you share data with third parties
- Explain the purpose of sharing the data with these third parties
You'll note that transparency (i.e., why you collect the data you collect) is the cornerstone of a good Privacy Policy. Here's how ASOS handles its obligations:
The easiest way to comply with Facebook's policy requirements here is of course to name Facebook in your Privacy Policy and state that you share data with the platform to use targeted ads.
This is the approach taken by Shopify:
Tip: Although you don't have to specifically "name" Facebook in your clause, it's very good practice to do so, as it ensures you're fully complying with Facebook's own requirements.
Cookies
You should explain to users that you plan on installing cookies on their computer, and you should also explain what cookies actually are.
The retailer FLEO defines cookies succinctly and clearly:
Then, you should highlight that third parties may install these cookies for analytics and remarketing purposes. Here's an example from Shopify:
You'll note there's also a link here to where customers can find further information, which is great practice.
Tip: Simply explain what cookies are, and declare that third parties may use cookies.
How Users Can Opt Out of Retargeting
You need a specific clause for how users can opt out of targeted ad marketing. This is a more specific version of the opt-out clause mentioned above. It's good practice to have both.
Here's Shopify's opt-out clause:
Tip: Make it clear that users can opt out of targeted ad marketing.
How to Create a Privacy Policy for Your Website
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
- Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
Displaying Your Privacy Notice
Companies typically place links to their Privacy Policy and Cookie Policy in their website footer, like Gymshark does here:
The key thing is that it's easy for customers to find the policies when they want to view them. This is in line with Facebook's rule that you need verifiable and informed customer consent for remarketing and targeted ads.
Get consent before a user browses the site through a pop-up banner which users must click to close. That way, you're entitled to assume that the user accepts your policies, and that they understand how to amend their privacy settings.
Here's an example from Barnes & Noble:
As you can see, users can click through the links and read the relevant policies before continuing to the site. They can also, importantly, manage their preferences from the outset.
Conclusion
If you plan on using Facebook Retargeting, you need a compliant Privacy Policy. At a minimum, your Privacy Policy must lay out that:
- You share information with third parties
- Third parties may install cookies for analytics purposes or to place targeted ads
- It's possible for users to opt out of targeted ads and personal data collection
- Users have rights, and can amend their preferences
While Facebook Retargeting is undoubtedly a great marketing tool, it's essential that you comply with the platform's Business Tools Terms. You must demonstrate that users have given you clear, informed, and verifiable consent to sharing data for marketing and targeted ads.
The good news is that it's easy to comply with both Facebook's terms and general privacy law. Create a Privacy Policy with a few specific clauses. Be transparent, and make it easy for users to revoke their consent or change their settings at any time.