Facebook starts to roll out GDPR notifications and consent requests

Facebook previously announced that it would apply General Data Protection Regulation (GDPR) privacy protections and rules globally to all its users. This was a major decision — partly practical, partly principled and partly public relations. Yesterday, the company began to explain how it will start implementation of the new guidelines.

Starting in Europe, Facebook will ask users to make decisions about what data on their profiles is to be shared and what data can be used to show them ads. Among the choices Facebook users will have to make are:

• Whether it’s OK for Facebook to incorporate data collected from partners (e.g., third parties that have the Like button on their sites) as part of ad targeting.
• Whether to make information on “political, religious, and relationship information” available to marketers. Facebook implies this will need to be deleted to avoid being used for targeting.
• Whether to allow facial recognition technology, which the company argues improves privacy and security.

In its blog post, Facebook offered example screens that users will see during the process. The following image pertains to authorizing the use of facial recognition.

People will also be asked to approve updated terms and its new data policies. The company says that “people in the EU will see specific details relevant only to people who live there, like how to contact our Data Protection Officer under GDPR.” However, the company indicated that the requirements of GDPR around consent and data collection will be honored globally.

These screens and messages will start to appear this week in Europe, ahead of the May 25 GDPR deadline. Others around the world will see some version of these same questions and approval requests “on a slightly later schedule.”

Facebook further discussed how it will comply with advertising and data restrictions surrounding minors:

Later this year we’ll introduce a new global online resource center specifically for teens, and more education about their most common privacy questions. Under GDPR, people between the ages of 13 and 15 in some EU countries need permission from a parent or guardian to allow some features on Facebook — seeing ads based on data from partners and including religious and political views or “interested in” on your profile. These teens will see a less personalized version of Facebook with restricted sharing and less relevant ads until they get permission from a parent or guardian to use all aspects of Facebook.

In the post, Facebook previews some of the arguments it will make to persuade users to continue sharing data. It will argue, for example, that data sharing makes ads and experiences on Facebook more relevant and personalized. But there are a number of studies that suggest users may not be easily persuaded.

Many people are comfortable sharing personal data for greater personalization or relevance with first-party publishers. However, they typically also don’t want that to be transferred to third parties or, sometimes, commingled with data from other sources. Most of the data that Facebook offers to advertisers qualifies as “personal data” under GDPR and will require opt-in consent.

Multiple surveys suggest the number of users who will continue to share data with Facebook for ad targeting, especially in the wake of the Cambridge Analytica scandal, will decline — perhaps substantially. However, we’ll see.