Consent for targeted advertising: the case of Facebook

The EU General Data Protection Regulation (GDPR) recognizes the data subject’s consent as one of the legal grounds for data processing. Targeted advertising, based on personal data processing, is a central source of revenue for data controllers such as Google and Facebook. At present, the implementation of consent mechanisms for such advertisements are often not well developed in practice and their compliance with the GDPR requirements can be questioned. The absence of consent may mean an unlawful data processing and a lack of control of the user (data subject) on his personal data. However, consent mechanisms that do not fully satisfy GDPR requirements can give users a false sense of control, encouraging them to allow the processing of more personal data than they would have otherwise. In this paper, we identify the features, originating from GDPR requirements, of consent mechanisms. For example, the GDPR specifies that a consent must be informed and freely given, among other requirements. We then examine the Ad Consent Mechanism of Facebook that is based on processing of user activity data off Facebook Company Products provided by third parties with respect to these features. We discuss to what extent this consent mechanism respects these features. To the best of our knowledge, our evaluation of Facebook’s Ad Consent Mechanism is the first of its kind.