Is Facebook GDPR compliant?

GDPR was implemented to help protect people’s privacy. One of the most important concerns for people today is their privacy and the risk of losing important personal information.

Research carried out on 7,500 consumers in France, Germany, Italy, the UK and the U.S. for the RSA Data Privacy & Security Report revealed that 80% of consumers said lost banking and financial data is a top concern, while lost security information such as passwords, and identity information such as passports or driving licences, was cited as a concern by 75% of respondents.

If your company stores, manages or analyses personal data of any kind, GDPR affects your company.

If you advertise on Facebook, GDPR is relevant to you: your website sets cookies, visitors from the EU can land on your pages, and some of them will opt into your newsletter. Below are the main implications of complying with GDPR when running Facebook ads:

  • You must inform your subscribers how you will use their data.
  • People must give their consent before you use their data, and they are free to withdraw that consent whenever they want.
  • You must show customers the information you hold about them whenever they ask to see it.
  • Users must be able to edit any of their information.
  • Users can delete their information whenever they want.

GDPR and Facebook Pixel

As an advertiser on Facebook, you place pixels on your website to give users a better experience and to show relevant ads on Facebook to the people who use your products and services.

It is important to remember that GDPR covers the Facebook pixel. If you use the Facebook pixel on your website, you are obliged to comply with GDPR.

Cases where you will need to get the prospects’ consent include:

  • A retail website that uses cookies to collect information about the products people view on the site to target ads to people based on their activity on the site
  • A blog that uses an analytics provider who uses cookies to capture aggregate demographic info about its readers
  • A news media website that uses a third-party ad server to display ads, when the third party uses cookies to collect information about who views those ads
  • A Facebook advertiser who installs the Facebook or Atlas pixel on its website to measure ad conversions or retarget advertisements on Facebook

If any of the above apply, you will need to obtain consent from your users. One way to do this is to show a message the first time the page loads, commonly referred to as a “cookie banner”, that explains what the cookies do and lets users give or refuse their consent.

Secondly, you can also obtain consent at the point where users sign up for your offer. A free option is a cookie consent notification tool, which displays a notice on your web page that users can accept or reject.
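As an added example that is not part of the original article, the following JavaScript shows the consent gate a cookie banner should enforce: the pixel is only loaded after an explicit accept, the banner is shown again when the privacy policy version changes, and a reject (withdrawn consent) removes the pixel. The storage key, policy version and the load/remove/ask hooks are assumptions chosen for this example.

```javascript
// Added example: consent-gated loading of a tracking pixel.
// Assumed values: the storage key, the policy version and the three hooks.
const CONSENT_KEY = 'cookie_consent_v1'; // assumed storage key
const POLICY_VERSION = '2019-05';        // bump when the privacy policy changes

// Build the record that is stored when the visitor makes a choice.
function makeConsentRecord(accepted, now = Date.now()) {
  return { accepted: Boolean(accepted), version: POLICY_VERSION, at: now };
}

// Consent counts only if it was an explicit accept for the current policy
// version. A missing, malformed or outdated record means "no consent".
function hasValidConsent(record) {
  return !!record && record.accepted === true && record.version === POLICY_VERSION;
}

// Decide what the page should do with the pixel given the stored record.
// Returns 'load', 'remove' or 'ask' so the decision is testable without a DOM.
function pixelAction(record) {
  if (hasValidConsent(record)) return 'load';
  if (record && record.accepted === false && record.version === POLICY_VERSION) return 'remove';
  return 'ask'; // no choice yet, or a choice made under an older policy
}

// Apply the decision. `storage` is any object with getItem/setItem (localStorage
// in a browser); `hooks.load` injects the pixel script, `hooks.remove` deletes
// the script and its cookies, `hooks.ask` shows the banner.
function applyConsent(storage, hooks) {
  let record = null;
  try { record = JSON.parse(storage.getItem(CONSENT_KEY)); } catch (e) { record = null; }
  const action = pixelAction(record);
  if (action === 'load') hooks.load();
  else if (action === 'remove') hooks.remove();
  else hooks.ask(); // nothing is loaded until the visitor decides
  return action;
}

// Called by the banner's accept and reject buttons.
function recordChoice(storage, accepted, hooks) {
  storage.setItem(CONSENT_KEY, JSON.stringify(makeConsentRecord(accepted)));
  return applyConsent(storage, hooks);
}
```

Run `applyConsent` on every page load before any pixel snippet, and wire the banner buttons to `recordChoice`.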

GDPR and Facebook custom audiences

Custom audiences are audiences built from your email list, and they are affected by GDPR too. You can upload them to your Facebook ads account to target those people directly.

Uploading an email list or other contact information into a Facebook custom audience makes you a data controller.

GDPR stipulates that as a data controller, you must ensure that your subscribers give their consent before you can market to them.

If you have email lists built from LinkedIn contacts, email addresses taken from business cards, purchased or scraped email lists, or pixel data shared by other parties without the users’ consent, you need to delete that information from your Facebook ad account. You cannot market to those people; you are only allowed to market to users who have given you their consent.

You must also keep your custom audience lists continuously updated so that subscribers who have opted out of your list are removed. Opting out means they have withdrawn their consent to your marketing.

GDPR and Facebook Lookalike Audiences

Lookalike Audiences is the term for targeting an audience modelled on one of your custom audiences. Examples of custom audiences include people on your email list, website visitors, and Facebook users who engage with your video or Facebook page.

Facebook uses one of your custom audiences as a “seed” audience to find new people to add to the lookalike audience. You do not need those people’s permission to show your ads to them.

But you should update your privacy policy so that it tells your audiences how you intend to use their data, and place that policy on your landing pages. The key is to be transparent about how you use the data.

You can also add a link to your privacy policy on every page of your website, including pages with email opt-ins.

For example, if you drive traffic from a Facebook ad to a lead magnet, make sure that page has a cookie consent banner, an email opt-in that complies with GDPR, and a link to your privacy policy.

It is vitally important to comply with GDPR when using Facebook ads. Otherwise you risk potentially heavy fines, and even small businesses can face legal issues that could ultimately ruin their reputation. Make sure you comply with the law, especially if your business deals with an EU audience.
