21 May 2021

The Guidelines [1] aim to clarify the roles and responsibilities of social media providers and 'targeters' with regard to the processing of personal data for the purposes of targeting social media users.

Many users will be aware of the targeting of adverts on social media platforms and how personal data is used beyond individuals’ reasonable expectations. This can result in a lack of transparency, control and can influence the behaviour and choices of individuals. The Guidelines outline how 'Targeting services make it possible […] to communicate specific messages to the users of social media in order to advance commercial, political, or other interests'. The targeting of social media users involves not just the act of 'selecting' the individuals or groups of individuals that are the intended recipients of a particular message (the ‘target audience’), but involves an entire process carried out by a set of stakeholders which results in the delivery of specific messages to individuals with social media accounts. The ICO’s investigation into Cambridge Analytica was one example of such issues involving targeting users on social media platforms.

What are the risks posed by social media targeting?

Targeting of social media users may involve uses of personal data that go against or beyond those individuals’ reasonable expectations and thereby infringes applicable data protection legislation. 

Risks include:

  1. Undermining users’ ability to exercise control over personal data: social media platforms combine personal data from third-party sources with data disclosed by users of their platform, resulting in personal data being used beyond the initial purpose and in ways the individual could not reasonably anticipate.
  2. Discrimination and exclusion: targeting of social media users may involve criteria that, directly or indirectly, have discriminatory effects relating to an individual’s racial or ethnic origin, health status or sexual orientation, or other protected qualities of the individual concerned. For example, the use of such criteria in the context of advertising related to job offers, housing or credit (loans, mortgages) may reduce the visibility of opportunities to persons within certain groups of individuals.
  3. Possible manipulation of users: targeting is used to influence behaviour and choices of individuals – such as purchasing decisions as consumers or even political decisions. An analysis of content shared through social media can reveal information about the emotional state of an individual and when that individual is expected to be more receptive and therefore influenced in thought process and behaviour.
  4. Children: targeting can influence the shaping of children’s personal preferences and interests, which in turn affects their autonomy.

The Guidelines recognise that the increase in concentration and limited number of major actors in the markets of social media and targeting may also increase risks to the rights and freedoms of a substantial number of individuals. The combination of more in-depth profiling of individuals and ever-increasing degree of market and information power, threatens to diminish the data protection and freedom granted to social media users.

Targeting of Social Media Users

Who is involved?

Targeting of social media users involves a variety of different actors:

  • Social media providers: offer an online service that enables the development of networks and communities of users, among which information and content is shared
  • Social media users: individuals who are registered with the service (i.e. those who have an 'account' or 'profile').
  • Targeters: organisations that use social media to direct specific messages at a set of users who have been selected on the basis of specific parameters or criteria. Typical examples include:
    • Brands who use social media to advertise their products and to increase brand awareness.
    • Political parties are also increasingly making use of social media as part of their campaigning strategy.
    • Charities and other non-profit organisations also use social media to target messages at potential contributors or to develop communities.
  • Other actors involved in the targeting process include adtech companies and data brokers.

Targeting mechanisms

Social media users may be targeted on the basis of provided, observed or inferred data, as well as a combination of these datasets:


Provided Data

Observed Data

Inferred Data

What is it?

Information actively provided by the data subject to the social media provider or the targeter.

Such data can be used by social media providers to develop criteria and create target audiences.

Data provided by the data subject by virtue of using a service or device.

For example, the individual’s activity on the social media platform (such as the content they share or like), their use of devices, data collected through other websites which have embedded social plugins or pixels, etc.

Data created on the basis of the data already provided by the data subject or observed by the data controller.

A social media provider or a targeter might infer that an individual is likely to be interested in a certain activity or product on the basis of his or her web browsing behaviour and/or network connections.


Social media user indicates their age in the description of their user profile.


Social media provider enables targeting on the basis of this criterion.


Targeter uses the information to target that social media user specifically, for example by means of customer data (such as an e- mail address list), to be matched with data already held on the social media platform leading to all those users who match being targeted with advertising.

A shoe company wants to show its advertisements to a targeted audience with specific characteristics (e.g. age, gender, relationship status).  The social media provider offers criteria for targeting audiences, based on information its users provide, displays the ads to the targeted audience and shares with the targeter statistical information after the ads are displayed.

Pixel based targeting: an online retailer places a tracking pixel on its website so it can re-target on social media website visitors who have not made a purchase. E.g. an online retailer wishes to target social media users who have visited their website without making a purchase. The retailer uses an integrated tracking pixel on its website, which is made available by the social media provider, in order to display adverts for the retailer’s products on the visiting individuals’ social media feeds.

Geolocation based targeting: a social media network via its app collects GPS from its users on an ongoing basis which the social media network uses to help advertisers better target advertising. E.g. A pizzeria uses this geo-targeting functionality to target individuals who are within a 1km radius of its restaurant for the first time in the last 6 months.

A museum with an upcoming exhibition of impressionists’ paintings wants to advertise the exhibition on social media. It targets social media users who “like” posts of impressionist paintings and events, and also uses criteria such as age, gender and place of residency.

Following CJEU case law, the EDPB will consider social media providers and targeters when determining the purposes and means of processing and will treat their relationship as joint controllership when they decide what advert to display to which person. As part of this joint controllership, both the social media providers and targeters must be able to demonstrate the existence of a legal basis for their use of personal data.

Legal bases for processing

The most likely legal bases to apply under GDPR in the targeting context are:

GDPR and legit interest definitions 

Other data protection issues

1. Transparency: Information presented to data subjects regarding how their personal data will be processed should be concise, transparent, and presented in an intelligible and easily accessible form using clear and plain language. The mere use of the word 'advertising' is not enough to inform users that their activity is being monitored for the purpose of targeted advertising. Instead, individuals should be informed if a profile will be built based on their online behaviour and what types of personal data will be collected to build such profile. Individuals should be provided with the relevant information directly on the screen and through layered notices.

Under Art. 26(2) EU GDPR, joint controllers must make the essence of their joint controllership arrangement available to individuals and take appropriate measures to ensure that data subjects are made aware of the allocation of responsibilities between the joint controllers. The individual is entitled to receive this information at the outset, upon data collection or before the processing starts. In practice, the essence of the arrangement should be directly available on the platform, referred to in a privacy policy, and also made directly accessible by a link, for example, in the targeter’s page on the social media platform or in links such as 'why am I seeing this ad?'.

2. Right of access: an easy to use mechanism must be in place to enable individuals to exercise their data subject rights such as right to erasure, to object and right of access. The Guidelines suggest that individuals be given remote access to a secure system through which the individual can access their data and through which those individuals can check their profile, including the sources used to develop it, the identity of the targeter, the criteria for targeting, as well as recipients of their personal data. As joint controllers, the social media provider and targeter can determine a single point of contact for data subjects to exercise their rights but this does not exclude the possibility for data subjects to exercise their rights against each controller.

3. Data Protection Impact Assessments (DPIAs): joint controller should check whether a DPIA is required, taking into account current criteria identified in EDPB guidelines on DPIAs. Both joint controllers need to assess whether a DPIA is necessary and are both responsible for completing the DPIA. Whether a DPIA is required will depend on:

  1. the nature of the product or service advertised
  2. the content of the message or way the advert is delivered
  3. the purpose of the advertising campaign and its intrusiveness
  4. if the targeting involves the processing of observed or inferred data.

4. Special categories of data: special category data includes, for example, data about an individual’s health, racial or ethnic origin, biometry, religious belief or political opinion. If special categories of personal data are processed in the context of targeting, then along with a legal basis under Art. 6 EU GDPR, a condition under Art. 9(2) EU GDPR also needs to be established: the most relevant being: (i) explicit consent; and (ii) data manifestly made public by the data subject. Whether the latter conditions applies will depend on:

  1. the default settings of the social media platform (whether the individuals actively changed these settings from private to public)
  2. the nature of the social media platform (e.g. a platform designed for business professionals to connect or an online dating platform)
  3. the accessibility of the page where the special category data is published (i.e. whether an account is required to access this information)
  4. how visible it is to the individual that the information will be public (i.e. is there a continuous banner on the page?)
  5. whether the individual has themselves published the special category data or this information is published by a third party (e.g. a user’s friend) or is inferred.

5. Joint controllership: targeters and social media providers are required to determine their respective data processing operations (for which they are jointly responsible) in an arrangement. Both the social media provider and the targeter must be aware of and have sufficiently detailed information regarding the specific data processing operations taking place. The Guidelines clarify that the arrangement should reflect the purposes of processing and the corresponding legal basis as well as documenting how the arrangement will be fulfilled in practice.

If you have any questions or would otherwise like to discuss any issue raised in this article, then please contact us.

This article was written by Olivia Ward.

[1] In relation to the application of EDPB guidelines in the UK, EDPB guidelines are no longer directly relevant to the UK data protection regime and will not be considered binding. However, they may still provide helpful guidance on certain issues in relation to processing of data related to individuals that are resident in the UK and they will still be applicable where the processing is carried out by UK businesses in relation to individuals in the EU and therefore subject to the EU GDPR.

Key contact

A photo of David Varney

David Varney Partner

  • Data Protection and Cybersecurity
  • Technology and Communications
  • Outsourcing

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more