Privacy Policy for Facebook Retargeting

You can't use Facebook Retargeting without creating a Privacy Policy that tells users you use targeted ads. Why? Because it involves personal data collection, which triggers various privacy laws around the world.

Retargeting is an incredibly useful marketing tool for businesses. What's so great about retargeting is that it specifically allows you to target already-warm leads. However, it's vital that you retarget legally, and that's where privacy law comes in.

Users have a right to control what happens to their personal data and who has access to it. Various privacy laws exist across the world; for example, the General Data Protection Regulation (GDPR) in the European Union (EU), and the California Consumer Privacy Act (CCPA). They all empower users by giving them control over their data, and this includes data handled by third parties.

Before we look at any specific clauses, let's be clear on how Facebook Retargeting (FBR) works and why privacy law applies.

How Facebook Retargeting Works

Also known as remarketing, retargeting lets you specifically target users who don't convert to paying customers on their first visit. How it works is very simple:

  • A potential customer visits your website
  • Your site places an unobtrusive marketing cookie on their browser
  • When the user next browses the web, the cookie triggers retargeting ads
  • The user sees these ads and, hopefully, clicks through them and returns to your website

Since so many people have Facebook accounts, Facebook is the ideal platform for ad retargeting or remarketing. To get started, all you need is:

  • A Facebook Ad Account
  • A Facebook Pixel installed, which allows you to track things like purchases and web traffic

Once you have these features installed, you can start using Facebook Retargeting to retarget your visitors. You can remarket your goods and services to these visitors in various ways, including:

  • Reminding them to complete their purchase
  • Inviting them to contact support for any assistance they need
  • Highlighting the same product, or similar products to the ones which they seemed interested in
  • Targeting them on specific devices, such as a mobile phone

So, how does privacy law apply to Facebook Retargeting?

Facebook Retargeting and Privacy Policies

If you plan on using Facebook's business tools, including retargeting features, then you must comply with the platform's Business Tools Terms. You can view the terms in full here.

Once you enter the Facebook Business Center, you'll see that the platform requires you to:

  • Tell visitors how you use cookies
  • Tell visitors how you process or share data that you collect from visitors with any third parties

In short, this all means that if you're using cookies to gather information on a user for marketing or analytics purposes, you need to make them aware that you're doing this, and you need their informed consent.

We'll look specifically at cookies later, but for now, let's concentrate on your specific responsibilities under the Facebook developer rules.

Facebook sets out that developers must give notice that:

  • Third parties may gather information from your website and use it to send the user targeted ads
  • It's possible for users to opt out of this information gathering
  • Users can find out more information elsewhere

Facebook Business Tools Terms: Special Provisions Concerning the Use of Facebook Pixels and SDKs clause - Notice requirement section

Facebook also provides additional rules for operating in areas where you need user consent to store and access cookies. You'll note that the onus is on you to ensure you have explicit and verifiable user consent:

Facebook Business Tools Terms: Special Provisions Concerning the Use of Facebook Pixels and SDKs clause - Informed Consent requirement section

Essentially, then, Facebook's own Business Tools Terms are in line with existing privacy laws around the world. Everyone has the right to control what personal data they share with businesses and third parties, and what ultimately happens to that data once it's shared.

Don't worry, though. Complying with Facebook's Business Tools Terms and general privacy law is easier than it sounds.

To stay on track with your obligations, here's all you have to do:

  • Create a compliant Privacy Policy, or amend your existing one
  • Include a few clauses on how you use cookies, or create a separate Cookies Policy
  • Be clear that you participate in social media marketing
  • Display the Privacy and/or Cookies Policy somewhere that users can see it

So, you plan on using Facebook Retargeting and you're ready to amend or create compliant policies. Let's consider what clauses you'll need, why you need them, and what they look like.

Drafting a Facebook Retargeting-Compliant Privacy Policy

There's no one specific template for writing an FBR-compliant Privacy Policy, but there are a few clauses you'll need at a minimum.

First, your Privacy Policy should comply with general data privacy laws. This means you should include general clauses explaining:

  • The type of information you collect
  • How you collect that data
  • What you do with the data you've collected
  • How users can opt out of personal data collection
  • Where users can go for further information

To comply with Facebook's own Business Tools Terms, you also need clauses explaining:

  • Your advertising and analytics policies
  • How you use cookies, and which cookies you use
  • That it's possible for users to specifically opt out of retargeting and analytics
  • Where users can opt out (with specific links provided)

Let's consider these clauses in turn.

Collection of Personal Data

Users have a right to know that businesses collect their personal data, whatever the purpose.

Barnes & Noble, for example, sets out that it collects data from visitors, and it gives examples of what this data includes:

Barnes and Noble Privacy Policy: What is the personal information that we collect clause

Tip: Include this clause at the start of your Privacy Policy.

Method of Data Collection

You must explain how you collect a user's personal data, and at what stages: for example, when users add something to their cart, or when they go through the checkout process.

Barnes & Noble notes its three main methods of data collection, which are site analytics, internet browsers, and cookies:

Barnes and Noble Privacy Policy: How do we collect your personal information clause - Information you provide to us section

It's also a good idea to clearly list the main ways you collect data, and put this list somewhere near the beginning of your Privacy Policy. This is the approach taken by Barnes & Noble.

Tip: Make it easy for users to find the information they're looking for.

Purpose of Data Collection

Privacy laws make it clear that you can't collect personal information from users without explaining why you need to collect it, and in some cases without getting informed consent. Essentially, you shouldn't collect any more data from a user than is necessary.

Here's an example from Levi's. First, the company clearly highlights a type of personal data it collects from website visitors. Then, it explains why it collects this data. A clause like this clearly meets Privacy Policy obligations:

Levis Privacy Policy: Categories of Personal Information We Collect clause - Contact Information - Why We Collect It section highlighted

Tip: If you're collecting data from users, especially if it's for advertising or marketing purposes, make it clear.

How Users Can Opt Out

Users must always be able to opt out of unnecessary data collection, for example, if you're using cookies for marketing analytics or advertising.

Gymshark has a great clause for this that's clear, specific, and customer-focused.

You'll see from the clause that the retailer sets out consumers' rights in large, clear bullet points and highlights the control that users have over their personal data, including the right to opt out of marketing:

Gymshark Privacy Policy: Your Rights clause

Make sure consumers know where to go for further information about their privacy rights. Here's an example from Levi's:

Levis Privacy Policy: Opting Out Blocking Cookies clause

Tip: To ensure you comply with Facebook's Business Tools Terms for remarketing, include clear, concise, consumer-focused clauses like this. Make it easy for consumers to find the information they need to make informed choices.

Facebook Retargeting-Specific Clauses

Now that we're clear on the type of general clauses every Privacy Policy needs, here's an overview of the additional specific clauses you'll need if you plan on using Facebook remarketing or retargeting.

Advertising and Analytics

You must tell consumers that you:

  • Collect their data for advertising and analytics purposes
  • Share this data with third-party providers, including social media platforms

Here's an example from ASOS. Although ASOS's Privacy Policy doesn't specifically mention Facebook, it complies with Facebook's Business Terms for two major reasons:

  • It tells consumers that ASOS targets them through online advertising
  • It tells consumers that they may see ads on social media based on the personal information they've shared with ASOS, or their previous browsing history

ASOS Privacy and Cookies Policy: Seeing adverts for ASOS online clause

Gymshark takes a similar approach, except that it sets out these details in a separate Cookie Policy:

Gymshark Cookie Policy: Excerpt of What are cookies used for clause - Marketing, advertising and social media section highlighted

Tip: Expressly state that you may target users through social media. This covers targeted marketing for all social platforms, including Facebook.

Third Party Sharing

Although it's implied that you're sharing personal data with third parties if you're using targeted ads on social media, you must:

  • Expressly state that you share data with third parties
  • Explain the purpose of sharing the data with these third parties

You'll note that transparency (i.e., explaining why you collect the data you collect) is the cornerstone of a good Privacy Policy. Here's how ASOS handles its obligations:

ASOS Privacy and Cookies Policy: Sharing your information - Third parties clause

The easiest way to comply with Facebook's policy requirements here is of course to name Facebook in your Privacy Policy and state that you share data with the platform to use targeted ads.

This is the approach taken by Shopify:

Shopify Cookies Policy: Advertising third party chart with Facebook highlighted

Tip: Although you don't have to specifically "name" Facebook in your clause, it's very good practice to do so, as it ensures you're fully complying with Facebook's own requirements.


You should explain to users that you plan on installing cookies on their computer, and you should also explain what cookies actually are.

The retailer FLEO defines cookies succinctly and clearly:

FLEO Privacy Statement: Cookies clause

Then, you should highlight that third parties may install these cookies for analytics and remarketing purposes. Here's an example from Shopify:

Shopify Cookie Policy: Third Party Analytics and Advertising Cookies clauses

You'll note there's also a link here to where customers can find further information, which is great practice.

Tip: Simply explain what cookies are, and declare that third parties may use cookies.

How Users Can Opt Out of Retargeting

You need a specific clause for how users can opt out of targeted ad marketing. This is a more specific version of the opt-out clause mentioned above. It's good practice to have both.

Here's Shopify's opt-out clause:

Shopify Cookie Policy: How to Control Cookies clause - Third party advertising and opt-out section

Tip: Make it clear that users can opt out of targeted ad marketing.

How to Create a Privacy Policy for Your Website

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

     Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

     Privacy Policy Generator - Add your business info - Step 2

  4. Select the country:

     Privacy Policy Generator - Add your business info - Step 2

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

     Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

     Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

Displaying Your Privacy Notice

Companies typically place links to their Privacy Policy and Cookie Policy in their website footer, like Gymshark does here:

Gymshark website footer with Privacy Notice and Cookie Policy links highlighted

The key thing is that it's easy for customers to find the policies when they want to view them. This is in line with Facebook's rule that you need verifiable and informed customer consent for remarketing and targeted ads.

Get consent before a user browses the site through a pop-up banner which users must click to close. That way, you're entitled to assume that the user accepts your policies, and that they understand how to amend their privacy settings.

Here's an example from Barnes & Noble:

Barnes and Noble Cookie Consent Notice

As you can see, users can click through the links and read the relevant policies before continuing to the site. They can also, importantly, manage their preferences from the outset.


If you plan on using Facebook Retargeting, you need a compliant Privacy Policy. At a minimum, your Privacy Policy must lay out that:

  • You share information with third parties
  • Third parties may install cookies for analytics purposes or to place targeted ads
  • It's possible for users to opt out of targeted ads and personal data collection
  • Users have rights to and amend their preferences

While Facebook Retargeting is undoubtedly a great marketing tool, it's essential that you comply with the platform's Business Tools Terms. You must demonstrate that users have given you clear, informed, and verifiable consent to sharing data for marketing and targeted ads.

The good news is that it's easy to comply with both Facebook's terms and general privacy law. Create a Privacy Policy with a few specific clauses. Be transparent, and make it easy for users to revoke their consent or change their settings at any time.