GDPR and Social Media Marketing
Social media marketing has become one of the biggest marketing tools since TV commercials were first introduced. It is used on every major platform: Facebook, TikTok, Twitter, Instagram, YouTube, LinkedIn, and others. That said, what has become of social media marketing since GDPR was enacted?
What is GDPR
The General Data Protection Regulation, or GDPR, is a legal framework that sets guidelines for the collection and processing of personal data from individuals who live in the European Union (EU).
GDPR is one of the world's strictest security and privacy laws, and it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the European Union. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
The GDPR has seven principles: 1) lawfulness, fairness and transparency; 2) purpose limitation; 3) data minimization; 4) accuracy; 5) storage limitation; 6) integrity and confidentiality (security); and 7) accountability. Accountability is a new addition to the data protection regulations. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act. The following definitions are paraphrased from ICO’s site.
How GDPR is Affecting Social Media Marketing
While it is an EU law, it is applicable to any organization with personal data of EU citizens and residents. So if you are a business with customers in the EU, the GDPR will be applicable to you when you are handling personal data of your EU customers. Its focus is to ensure that consumers have rights such as:
- The right to erasure
- The right to restriction
- The right to object
- Information notices
Companies will have to be transparent about the ways in which they collect personal data for marketing purposes, asking specific permission as they collect as well as offering consumers a specific reason for having the information.
One purpose is to prevent businesses from holding onto data for long periods of time without using it -- essentially the policy puts an expiration date on data usage.
Organic Social Media Marketing
Organic social media (excluding social media advertising) is largely unaffected by the new regulation.
This is because most organic social media activities such as posting content and engaging fans do not collect personal data from people who view or engage with it.
That said, there are several instances you will want to take note of:
- You would not want to export or scrape (copy data from a website using a computer program) contact details from your social media followers or groups, as that is personal data.
- If you are sending traffic from social media to your website and you’re using Google Analytics to track visitor behavior, you will most likely need to get consent for that.
Paid Social Media Marketing (or Social Advertising)
Under the GDPR, if you want to use your customers’ data or track their behavior for advertising, you must obtain the legal basis to do so. That is, you have to obtain explicit opt-in consent from your customers.
Additionally, your customers must be given a free and genuine choice to accept or reject (and be allowed to easily withdraw their consent). You have to state what data will be collected and how it will be used. The request for consent has to be in clear and plain language (no vague wording). Inactivity also doesn’t constitute consent. Your customers have to pick an action (e.g. pre-ticked boxes for consent are not allowed). If they don’t answer, then it’s a “no”, not a “yes”. As there are very stringent requirements for obtaining consent, it’s best to refer to the regulations directly and check with your legal advisor. As for your employees, you must review your workplace social media policies to make sure they don’t conflict with privacy laws.