The GDPR and social media: What marketers need to know to comply
Social media strategy is a huge challenge for marketers. Which platforms? What content types? Posting velocity? What data do you need? What consent do you need from users? If you collect data on your social media followers, the key question is how to ensure your data collection and usage comply with GDPR requirements.
GDPR compliance requirements aren’t just for websites. They apply to apps, social platforms, and wherever you collect and process users’ personal data. Obtaining valid consent isn’t just a legal requirement, though. It’s a key step in building trust and engagement. And it’s simpler than you think once you understand the basics.
The basics of the GDPR
At its core, the General Data Protection Regulation (GDPR) is a law designed to empower individuals by giving them greater control over and protection of their personal data.
It was created by the European Union to protect the privacy of anyone living in the EU. The law makes sure companies that collect personal data—like names, email addresses, and even browsing habits—are doing it in a responsible and transparent way.
Even if a business is located outside of Europe, if they’re dealing with EU residents’ data, they still have to follow these rules. The GDPR is all about making sure companies are clear about what data they collect, why they need it, and how they use it, as well as providing rights to individuals to control access to and use of their data.
The main goals of the GDPR are to make sure that businesses:
- are transparent about how they use personal data
- limit the amount of data they collect (only what’s necessary)
- keep data safe and secure
- respect rights and promptly act on requests to access, change, or delete user data
The regulation provides individuals with several rights, such as the right to request a copy of the data a company has about them, the right to have that data corrected, and the right to have it deleted (also known as the “right to be forgotten”).
The GDPR and personal data
At the heart of the GDPR is the concept of personal data. The term refers to any information that can directly or indirectly identify an individual, either as individual data points or combinations of them. This includes obvious identifiers like names, addresses, and phone numbers. But it also extends to data such as IP addresses, tracking cookies, location data, and social media activity.
Social media platforms, by their very nature, collect vast amounts of personal data. Some of it is generated by users directly — profile information, posts, comments, likes, shares, etc. — and some is generated by user activity — browsing habits, time on site, clicks, types of accounts followed, etc. The GDPR considers all of this data personal, meaning it’s subject to strict protection and oversight.
To comply with the GDPR, companies that collect personal data through social media must ensure they have a lawful basis for processing it. The two most common ways to legally process personal data are obtaining consent from the user, or relying on legitimate interest.
GDPR legal bases: consent
One of the clearest and most straightforward ways to legally process personal data under the GDPR is by obtaining explicit and informed consent from the user. This means the person has to actively agree to their data being collected and used for a specific purpose.
For example, if a company is running a social media campaign and collecting email addresses for a newsletter, they need to ask for clear permission and explain exactly how that data will be used. Importantly, this consent must be freely given, meaning the user isn’t forced or tricked into agreeing, and they should be able to withdraw it just as easily as they gave it.
GDPR legal bases: legitimate interest
Another common way to process personal data is through what’s known as “legitimate interest.” This allows organizations to use personal data in ways that are necessary for their business operations, as long as it doesn’t unfairly impact the rights and privacy of the individual. For instance, a company might analyze user behavior on social media to improve their services or target ads. However, this method requires careful consideration. It may seem more convenient, but will bring additional scrutiny and requirements to prove its necessity.
A business needs to ensure that its interests don’t override the privacy rights of the individual. Typically, companies conduct a Legitimate Interest Assessment (LIA) to justify this approach and document their reasoning. It’s also important to consult with a data privacy expert, like a Data Protection Officer, and/or qualified legal counsel.
These two bases help companies stay compliant with the GDPR for their data processing operations, while enabling them to continue to use personal data — in responsible and transparent ways.
How does the GDPR impact social media?
The GDPR has fundamentally changed how social media platforms operate, as well as how companies leverage these platforms for marketing and engagement. Social media platforms like Facebook, Instagram, Twitter, LinkedIn, and others rely heavily on collecting personal data to provide personalized services and targeted advertising. With the GDPR in force, these platforms must ensure that they are transparent about how they handle user data and that users are aware of their rights.
One of the most noticeable changes brought by the GDPR across social media is the need for explicit consent. In the past, social media platforms would often bundle user consent for a variety of data processing activities into their terms and conditions. Some platforms have been fined for doing so and for burying the relevant information deep within their web pages. Under the GDPR, consent must be freely given, specific, informed, and unambiguous, and information about data and privacy must be easily accessible; this is being enforced more readily. People must have the option to opt in to data collection and processing activities, and they must be able to deny or withdraw consent at any time as easily as they gave it.
For example, social media platforms have had to overhaul their privacy settings to make them easier to use and give people clear ways to access information and control their data. Users can now easily look up their data, delete their accounts, or fix any mistakes in their information, or make a request for the company holding the data to do so. These changes don’t just impact the platforms. They also affect third-party apps and advertisers that use social media data for ads or analysis.
The GDPR also limits how automated decision-making and profiling can be used. An increasingly common application of the “automated decision-making” concept concerns AI tools, including the use of data from social platforms to train large language models (LLMs). Social media platforms often also rely on algorithms to track user behavior and show personalized content or ads. But under the GDPR, if these algorithms affect someone significantly, users must be told about it and given the option to opt out.
The GDPR impact on social media platforms
When it comes to the GDPR, social media platforms have responded in varying ways. It’s also of note that none of the major platforms was founded in the EU. Each platform has employed its own strategies for developing and evolving policies regarding access to personal data. Below are examples of how major platforms have been impacted.
Facebook
As one of the largest social media platforms, Facebook has faced considerable scrutiny under the GDPR. In response, Facebook has introduced significant changes to its privacy controls, making them more accessible and giving users more clarity about how their data is used. For example, Facebook’s privacy dashboard allows users to manage their ad preferences, see what data has been collected, and delete it if they wish. Facebook has also updated its consent forms to ensure users actively opt in to data processing.
Instagram
Also owned by Meta, the parent company of Facebook, Instagram has made similar changes. The platform updated its privacy policies and made it easier for users to control who sees their content and how their data is shared. Instagram also introduced tools that let users download a copy of their data, including photos, comments, and profile information. This measure aligns with the GDPR’s data portability requirements.
X (formerly Twitter)
X (formerly Twitter) tries to emphasize transparency and user control in its approach to GDPR compliance. It offers features that let users manage data preferences, opt out of personalized ads, control data collection like location tracking, and request their data or delete their accounts. However, recent scrutiny has surfaced around its use of user data for AI training without clear consent, sparking concerns about GDPR compliance. In May 2024, the platform began using European users’ data to train its “Grok” AI technology without obtaining explicit consent, leading to complaints filed across Europe. The developments around this case are still ongoing.
LinkedIn
LinkedIn, which caters to professional networking and is owned by Microsoft, also adapted to the GDPR by modifying its privacy settings. The platform now offers users clear choices about how their data is used, particularly concerning targeted advertising. LinkedIn provides users with the ability to export their data and manage the collection of third-party tracking data more effectively.
Snapchat
While Snapchat’s data collection practices are relatively limited compared to platforms like Facebook, it still has to comply with GDPR regulations. The platform is also popular with younger people, which creates additional requirements around consent and access to data when that data belongs to children. Snapchat updated its privacy policy to clarify what data it collects. It also provides tools for users to download their personal data and manage how that data is used for advertising purposes.
TikTok
As one of the fastest-growing social media platforms globally, TikTok has also encountered regulatory pressure under the GDPR. It has been fined €345 million ($379 million) by the Irish Data Protection Commission (DPC) for GDPR violations related to children’s data protection.
In response, TikTok has implemented several updates to improve privacy transparency and controls, particularly focusing on its younger user base. TikTok’s privacy policy now provides clearer explanations of what data is collected and how it is used. The platform has introduced age-based settings, giving parents and guardians more control over their children’s accounts through tools like Family Pairing. Additionally, TikTok has increased restrictions on targeted advertising for users under 18, aiming to protect minors from excessive data collection. TikTok also provides European users with options to request and delete their data, as well as to review data collection and processing practices.
Pinterest
Pinterest has made notable adjustments in response to GDPR requirements, including revising its privacy settings to help users manage data permissions more effectively. The platform offers a privacy hub where users can review collected data and adjust sharing preferences for greater control over personalization. To comply with the GDPR’s consent requirements, Pinterest aims to require users to actively opt in to personalized advertising.
However, it is currently facing allegations from the privacy advocacy group NOYB regarding potential non-compliance, including claims of tracking users without explicit consent and lacking proper legal bases for data processing.
What marketers can do to stay GDPR-compliant while using social media
Marketers who rely on social media platforms for customer engagement and advertising must navigate the GDPR carefully. Here are key strategies for staying GDPR-compliant while using social platforms and the data generated there.
Obtain explicit consent
Consent is a core principle of the GDPR. If you’re collecting data through social media campaigns — such as through lead forms, polls, or contests — you must obtain explicit consent from users. Ensure that consent forms are clear and easy to understand, and make it simple for users to opt out at any time.
Be transparent about data use
Transparency is essential under the GDPR and nearly all other data privacy laws. Always inform users about what data you are collecting, how and for what purposes it will be used, what their rights are, and how to exercise them. You can do this via your cookie banner and privacy policy. This information should be easily accessible in privacy policies and/or in disclosures presented during the data collection process.
Monitor third-party tools and data
Many marketers use third-party tools to analyze social media metrics or run ads. Make sure that any third-party tools you use are GDPR-compliant, as you are responsible for the data they process on your behalf. Get data processing agreements signed with all service providers and review them regularly to confirm ongoing compliance. Also, avoid collecting data you don’t explicitly need, and don’t retain data once you no longer need it.
Respect user rights
The GDPR grants individuals several rights over their data, including the right to access, rectify, and erase their information. Marketers must ensure they have processes in place to honor these requests. If a user asks to delete their data, you must act promptly and ensure that all traces of their information are removed, even from backup systems and data held by third parties.
Update privacy policies
Regularly review and update your privacy policies and data processing operations to ensure they remain compliant with the GDPR. Ensure that these policies are easily accessible to users, particularly when they are engaging with you through social media channels.
Use privacy-friendly ad strategies
The GDPR has made targeted advertising more complex, but it hasn’t eliminated it. Marketers can still use privacy-friendly strategies, such as contextual advertising, which targets ads based on the content a user is viewing rather than personal data. Focus on delivering valuable content that resonates with audience segments while respecting their privacy.
What are the GDPR penalties for noncompliance on social media?
No matter your company size, GDPR violations on social media can result in penalties. These are determined using a two-tiered system that takes into consideration the severity of the violation and whether it’s a first or repeat offense.
Less serious breaches can result in fines of up to EUR 10 million or 2 percent of global annual revenue, whichever is higher. More severe violations can result in fines of up to EUR 20 million, or 4 percent of a company’s global annual revenue.
Exact fines are determined by factors in Art. 83 GDPR. These factors include the nature of the violation, any preventive measures taken, and whether affected individuals were notified. Other considerations are the type of personal data involved, the company’s history with data privacy, and its response to warnings. Authorities can also suspend some operations and implement resource-intensive measures like auditing a company’s operations.
GDPR non-compliance can also damage a company’s reputation. With data privacy becoming increasingly important to consumers, companies that fail to protect personal data risk losing the trust of their audience, as well as advertisers, potential investors, and others, which can have long-term consequences for their brand and revenue.
Smoothly navigate the GDPR and social media
Staying GDPR-compliant on social media doesn’t have to be overwhelming. By prioritizing transparency, obtaining explicit consent, and respecting user rights, marketers can continue to engage their audiences while safeguarding privacy. A proactive approach to data protection will not only help avoid penalties but also build trust with your followers.