Facebook Custom Audience[1]

Facebook’s “custom audience” feature lets marketers find and target advertising toward specific individuals among Facebook’s users. Marketers use e-mail addresses, phone numbers or Facebook User ID’s to match up with Facebook users in order to generate a “custom audience” created from data they already have. To generate the “custom audience,” the marketer uses a tool called the “power editor” to input an email or phone list representing their “segments” (groups of customers they’d like to target—may be current customers, prospects, loyalty club members…etc.). To protect the data, Facebook never receives the customer list. The list of emails or phone numbers is “hashed” on their own computer when using the power editor. Hashing is a method of securing information. Unlike encryption (another method of securing information), hashing summarizes text into a short fingerprint that can’t be decrypted.

Does this feature comport with the TCPA and the Consumer Privacy Bill of Rights?

Do Facebook Custom Audiences Run Afoul of the TCPA?

The Telephone Consumer Protection Act of 1991 (TCPA) was enacted to restrict telephone solicitation (i.e., telemarketing) and the use of automated telephone equipment. The TCPA limits the use of automatic dialing systems, artificial or prerecorded voice messages, SMS text messages, and fax machines. In recent cases, a text message has been interpreted as fitting within the definition of a “call” within the statute[2], however courts have split on the issue of how to deal with phone numbers provided by consumers to businesses.

Can it be said that Facebook Advertising may be similar to a text message, putting the “custom audience” feature within the domain of the TCPA? I see many problems with this application. A person receiving a text message or phone call is much more invasive than viewing a simple advertisement on Facebook. Also, while “call” is ambiguous, I think that a court could not rationally say that an advertisement fits the definition.

Are Facebook’s Custom Audiences Consistent with Obama’s Proposed “Consumer Privacy Bill of Rights?”

In February 2012, President Obama announced the “Consumer Privacy Bill of Rights” (CPBR) and urged Congress to make the principles it contains law. In his introduction, Obama wrote,

These rights give consumers clear guidance on what they should expect from those who handle their personal information, and set expectations for companies that use personal data. I call on these companies to begin immediately working with privacy advocates, consumer protection enforcement agencies, and others to implement these principles in enforceable codes of conduct. My Administration will work to advance these principles and work with Congress to put them into law.[3]

Since its announcement, the CPBR has (predictably) received little attention in Congress.

The CPBR applies to “personal data,” defined as any data linkable to a specific individual. Seven principles are to be encompassed by future legislation regarding handling personal data:

INDIVIDUAL CONTROL: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

TRANSPARENCY: Consumers have a right to easily understandable and accessible information about privacy and security practices.

RESPECT FOR CONTEXT: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

SECURITY: Consumers have a right to secure and responsible handling of personal data.

ACCESS AND ACCURACY: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

FOCUSED COLLECTION: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

ACCOUNTABILITY: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.[4]

I believe that if Congress takes action and legislates pursuant to these principles, Facebook will have to narrowly tailor use of the “custom audience” feature. Currently, marketers are able to target consumers on Facebook by inputting current e-mail lists and phone numbers into the “power editor,” thereby using customer data in a way that they likely would not have anticipated when providing their information. The CPBR focuses on consumer control, which is not just a trend, it is the future of laws regulating online advertising.