Guidelines 08/2020 on the targeting of social media users – version for public consultation

Section  5.1  Overview

36 Social media users may be targeted on the basis of provided, observed or inferred data, as well as a combination thereof:

• A)   Targeting individuals on the basis of provided data – “Provided data” refers to information actively provided by the data subject to the social media provider and/or the targeter. For example:

• a social media user might indicate his or her age in the description of his or her user profile. The social media provider, in turn, might enable targeting on the basis of this criterion.

• a targeter might use information provided by the data subject to the targeter in order to target that individual specifically, for example by means of customer data (such as an e-mail address list), to be matched with data already held on the social media platform, leading to all those users who match being targeted with advertising.

• B)  Targeting on the basis of observed data–Targeting of social media users can also take place on the basis of observed data. Observed data are data provided by the data subject by virtue of using a service or device. For example, a particular social media user might be targeted on the basis of:

• his or her activity on the social media platform itself (for instance the content that the user has shared, consulted or liked);

• the use of devices on which the social media’s application is executed (for instance GPS coordinates, mobile telephone number);

• data obtained by a third-party application developer by using the application programming interfaces (APIs) or software development kits (SDKs) offered by social media providers;

• data collected through third-party websites that have incorporated social plugins or pixels;

• data collected through other third parties (e.g. parties with whom the data subject has interacted, purchased a product, subscribed to loyalty cards, …); or

• data collected through services offered by companies owned or operated by the social media provider.

• C)  Targeting on the basis of inferred data – “Inferred data” or “derived data” are created by the data controller on the basis of the data provided by the data subject or as observed by thecontroller. For example, a social media provider or a targeter might infer that an individual is likely to be interested in a certain activity or product on the basis of his or her web browsing behaviour and/or network connections.