Hi Laura 

I've been looking at this quite a bit lately. Here are some of the areas of concern I have identified:

It's a transfer of personal data (email addresses) to a non-EEA Controller - even more significant if the email address owner doesn't have a Facebook account or is using a different email account to interact with Facebook

Although FB claim to delete the matched and unmatched hashes after comparison, their further use of the fact that matches were found and an ad delivered is entirely opaque. It is entirely possible that they use the matching data to identify cross-device use and add the additional information to the user's profile

It's very difficult to justify FB CA under legitimate interests (as tested on a group of fundraisers recently!) - the only other option for a legal basis is consent, which kind of negates the benefit of ambushing the FB user with an ad in the first place - why not just send the communication by email?!

The use of FB CA would need to be clearly explained in a privacy notice

I hope that's a useful starting point for you

Regards 

-- 
Rowenna Fielding
@MissIG_Geek
www.missinfogeek.net

From: Laura Jones <[log in to unmask]>
Reply: Laura Jones <[log in to unmask]>
Date: 3 October 2017 at 14:28:34
To: [log in to unmask] <[log in to unmask]>
Subject: [data-protection] Facebook Custom Audiences

Hi,

 

Anyone advised on DP risks associated with Facebook’s custom audience advertising tool? Would be grateful to hear what approach you took. I’m quite concerned that we would need to be transparent with our marketing contacts about the fact that we want to share their details with Facebook in order to target advertising at them.

 

Also interested in any experiences of advising on a similar Facebook feature – Lookalike audiences

 

Thanks,

 

Laura

 

Laura Jones| Solicitor | Information Law

Legal Services|The Manchester Metropolitan University | Room 215 | All Saints| Oxford Road |

Manchester | M15 6BH

 

Email: [log in to unmask]

Telephone: 0161 247 3406

 

 

 

"Before acting on this email or opening any attachments you should read the Manchester Metropolitan University email disclaimer available on its website http://www.mmu.ac.uk/emaildisclaimer "

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)


