Our marketing team have asked the following and I have no idea other than working through the principles with the team. Can anyone help at all please?
I wanted to check with you what our GDPR policy allows us to do in terms of lookalike audiences on PPC and Social Media activity.
For this activity, we would have to load customer data (name, job title, etc.) into Google Ads or Facebook/LinkedIn paid ads account and then target paid posts or Google Ads at people who have either the same job titles, location, etc. Is this allowed?
Definitely a number of risks you would have to consider – firstly, you would be processing for a new purpose. Is that covered by the privacy notice given to the individuals concerned upon first collecting/receiving their data? If not, you would need to consider Art. 13(3) or 14(4) [UK] GDPR as applicable and provide new privacy information prior to further processing. Presumably this would be based on legitimate interests so there would be an unqualified right to object and you would need to put in place a mechanism for registering and respecting those objections.
In my view, this would also constitute ‘profiling’, since FB/Google/LinkedIn will be creating a profile of your audience in order to build the lookalike audience (I had to look this up, here’s an article: https://www.ppchero.com/tips-for-building-good-facebook-lookalike-audiences/ ) but I don’t know that the paid ads would be considered direct marketing if they are merely targeted advertisements.
Additionally, consider the position of the advertisers, what they will do with the data, and whether you will remain the controller with the advertiser a processor of that data. If not, you would need to consider this in your legitimate interests assessment and your further processing privacy notice – or the data sharing categories in the existing notice if it covered this use already.
Then take a big step back and consider privacy. Get the marketing team to do the same and consider that respecting individual rights is itself valuable.
You may consider a DPIA in which you could do a consultation with some of the audience the lookalike will be based on, to see what they think of this use of their personal data.