Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

EDPB guidelines on the targeting of social media users

By Rosemarie Schaar and Rosemarie Schaar
April 1, 2021
  • General
Share on Facebook Share on Twitter Share via email Share on LinkedIn

The European Data Protection Board’s (EDPB) guidelines on the targeting of social media users (the Guidelines), represent one of a number of moves by regulators and legislators to contain the perceived risks caused by the use, especially by big tech, of information on individuals’ online behavior to generate personal profiles for advertising purposes.

The Guidelines build on recent case law of the Court of Justice of the European Union (CJEU). The EDPB aims to clarify the roles and responsibilities of social media providers and targeters, while considering the legal parameters for protecting online users.

The Guidelines explain how targeting may expose individuals to significant risks. The targeting of social media users may involve uses of personal data that go beyond individuals’ reasonable expectations. This can result in a lack of control and transparency. Targeting can even influence the behavior and choices of individuals. The Guidelines touch on how targeting can have a “chilling effect” on freedom of expression, including access to information.

The main actors in the social media targeting context are users, social media providers, targeters, other adtech actors and data brokers. The Guidelines focus on social media providers and targeters. The importance of correctly identifying the roles and responsibilities of the various actors has been highlighted in recent CJEU judgements.

Following CJEU case law, the EDPB will consider social media providers and targeters when determining the purposes and means of processing. The EDPB clarifies that it will treat their relationship as joint controllership when they decide what ad to display to which person (but possibly as independent controllership before or after that point). As part of this joint controllership, both the social media providers and targeters must be able to demonstrate the existence of a legal basis for their use of personal data.

The EDPB takes the view that the legal bases that would be likely to apply in the targeting context are:

  1. consent (Art. 6 (1) (a) GDPR); and
  2. legitimate interests (Art. 6 (1) (f) GDPR).

The EDPB notes that consent is the most suitable legal basis when it comes to tracking or more intrusive profiling for advertising purposes. Valid consent involves meeting the high standard of the GDPR. This requires a clear explanation to the user of why they might be seeing an ad – a mere reference to advertising is not enough. And, even if consent is obtained, this would not legitimize any targeting that is disproportionate or unfair. Valid consent must be obtained prior to the processing, which implies that joint controllers need to assess when and how information should be provided and consent should be obtained.

The Guidelines also tackle the application of key data protection requirements, such as transparency and right of access; Data Protection Impact Assessments; special categories of data; and the level of responsibility which is maintained throughout joint controllership arrangements.

33 comments were submitted by the close of the consultation period in October 2020. We are now waiting for the EDPB to adopt the final version of the Guidelines.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Rosemarie Schaar

About Rosemarie Schaar

Rosemarie Schaar is an associate in the Amsterdam office of Dentons. She focuses on matters involving IT, commercial contracting and privacy.

All posts Full bio

Rosemarie Schaar

About Rosemarie Schaar

Rosemarie Schaar is an associate in the Amsterdam office of Dentons. She focuses on matters involving IT, commercial contracting and privacy.

All posts

RELATED POSTS

  • General

The European Commission’s GDPR review in short

By Akkeroos Kremers and Marc Elshof
  • General

Regulatory agenda of the Brazilian national data protection authority for the 2021-2022 biennium

By Patricia Barbosa and Isabella Rovesta
  • Accountability
  • Asia Pacific
  • Canada
  • Consumer Protection
  • Europe
  • General
  • Latin America
  • New and Proposed Laws
  • Privacy Rights
  • United Kingdom
  • United States

Dentons artificial intelligence (AI) survey

By Giangiacomo Olivi

About Dentons

Dentons is designed to be different. As the world’s largest law firm with 20,000 professionals in over 200 locations in more than 80 countries, we can help you grow, protect, operate and finance your business. Our polycentric and purpose-driven approach, together with our commitment to inclusion, diversity, equity and ESG, ensures we challenge the status quo to stay focused on what matters most to you. www.dentons.com

Dentons boilerplate image

Twitter

Categories

  • Accountability
  • Asia Pacific
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Latin America
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo

© 2023 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site