What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR), which went into effect May 25, 2018, creates consistent data protection rules across Europe. It applies to all companies that process personal data about individuals in the EU, regardless of where the company is based. Processing is defined broadly and refers to anything related to personal data, including how a company handles and manages data, such as collecting, storing, using and destroying data.
While many of the principles of this regulation build on current EU data protection rules, the GDPR has a wider scope, more prescriptive standards and substantial fines. For example, it requires a higher standard of consent for using some types of data, and broadens the rights individuals have for accessing and transferring their data. Failure to comply with the GDPR can result in significant fines — up to 4% of global annual revenue for certain violations.
Facebook's Commitment & Preparation
Data protection is central to the Facebook Companies (Facebook and Messenger, Instagram, Oculus and WhatsApp). We comply with current EU data protection law, which includes the GDPR. Our GDPR preparations were led by our Dublin-based data protection team and supported by the largest cross-functional team in Facebook's history.
Throughout the preparation process, Facebook is committed to the following:

Transparency
Our Data Policy defines how we process people's personal data. We'll provide education on our Data Policy to people using Facebook Company Products. We'll do this through in-product notifications and consumer education campaigns to ensure people understand how their data is being used and the choices they have.

Control
We'll continue to provide people with control over how their data is used. We've launched a new control center to make privacy settings easier to understand and update. We also remind people as they use Facebook about how to view and edit their settings.

Accountability
We have Privacy Principles that explain how we think about privacy and data protection. We have a team of people who help ensure we are documenting our compliance. Additionally, we meet regularly with regulators, policymakers, privacy experts and academics from around the world to keep them apprised of our practices, get feedback and continue to improve how we protect personal information.
Information for Businesses
Businesses that advertise with the Facebook Companies can continue to use Facebook platforms and solutions in the same way they do today. Each company is responsible for complying with the GDPR, just as they are responsible for complying with the laws that apply to them today. For more information about specific Facebook ad products, see the FAQs.
Key Legal Bases
Under the GDPR, there are a number of approved reasons (or “legal bases”) a company might legitimately process a person's data. Below, we've outlined the most relevant legal bases under the GDPR.
| Reason | Requirements |
|---|---|
| Contractual necessity | |
| Consent | |
| Legitimate interests | |
Facebook as the Data Controller vs. Facebook as the Data Processor
“Data controller” and “data processor” are important concepts in understanding a company's responsibilities under the GDPR. Depending on the scenario, a company may be a data controller, data processor or both — and has specific responsibilities as a result:
Data Controller
A company is a data controller when it has the responsibility of deciding why and how (the 'purposes' and 'means') the personal data is processed.
- Under the GDPR, data controllers have to adopt compliance measures to cover how data is collected, what it's used for and how long it's retained. They also need to make sure people can access the data about them.
- Data controllers must ensure data processors meet their contractual commitments to process data safely and legally.
Data Processor
A company is a data processor when it processes personal data on behalf of a data controller. Under the GDPR, data processors have obligations to process data safely and legally.
While Facebook operates the majority of our services as a data controller, there are some instances in which we operate as a data processor when working with businesses and other third parties. When Facebook processes data on an advertiser's behalf, the advertiser must have an appropriate legal basis for Facebook to process this data.
Examples where Facebook acts as the data processor include:
Data File Custom Audiences
Facebook uses a business's CRM data to match it to people in our database to create a custom audience for advertising campaigns.
Measurement and analytics
Facebook processes data on an advertiser's behalf in order to measure the performance and reach of advertising campaigns and report back insights about the people who saw and interacted with the ads.
Workplace by Facebook
Workplace Premium allows people at a company to collaborate with their coworkers using Facebook's tools. We process personal data in order to provide this service.
Transfers
As is the case today, any transfers of personal data outside of the EEA (European Economic Area) must meet certain legal requirements. Facebook Inc. is certified under the Privacy Shield framework. Under this framework, we receive and process personal data from our advertisers in the EU. We do this in connection with certain products, including data file Custom Audiences, Attribution Checkup and certain Offline Conversion Lift studies.
Advertiser Terms
Where Facebook acts as a data processor on the behalf of our EU advertisers and business partners, we ensure that we comply with the specific requirements for data processors. We’ve updated any related terms of service to align with the GDPR. Where we appoint parties to act as data processor on our behalf, we’ve ensured that we have appropriate terms in place to comply with our requirements under the GDPR and to safeguard personal data. And where we act as a data processor on an advertiser's behalf, we rely on our advertiser's legal basis as data controller for our processing of this data.
Workplace
With Workplace, we operate as both the data processor for customers using the Premium version of our product, and the data controller for Standard customers. Workplace Premium customers act as data controllers and appoint Facebook as a data processor under the Workplace agreement. We've made sure our contractual commitments allow customers to confirm their compliance with the GDPR. More information on Workplace and its security certificates can be found on our Workplace security site.
Messenger
On the Messenger Platform, Facebook is a data controller in most cases since conversation between people and businesses is considered on-platform activity. As the data controller, we handle personal data as described in our Data Policy. Please note, even in instances where Facebook is a data controller, your business may also be considered a data controller under the GDPR.
Resources
- Facebook for Business post - Product Terms updates
- Custom Audience Terms
- Facebook Business Tools Terms
- Terms of Service
- Facebook Data Policy
- Cookies Policy
- Cookies Consent Guide
- Pixel Events in Buttons and Advanced Scenarios
- Workplace GDPR blog post
- Facebook Developers GDPR FAQs
- Getting Started with App Events (iOS and Android)
FAQs
Facebook and its companies, including Instagram, Oculus and WhatsApp, will all comply with the GDPR. With respect to your ads on Instagram, Facebook operates the advertising service that shows ads on Instagram.
Both, depending on the circumstances. We've outlined details about Facebook's role in each of these designations below.
- Data controller: In most cases, the Facebook Companies act as a data controller. When Facebook is the data controller, we handle personal data as described in our Data Policy. For example, Facebook is the data controller of most on-Facebook activity. WhatsApp and Oculus each handle personal data as described in their own data policies. We've ensured that services across the Facebook Companies align with the GDPR, which involved providing new tools and updating existing tools to make sure we honor our obligations.
- Data processor: Data processing includes a number of activities, such as collecting, storing, using and destroying data. In certain instances, Facebook acts as a data processor on behalf of advertisers or business partners that are acting as data controllers. Examples of this include Data File Custom Audiences and Workplace Premium. There are specific compliance requirements for data processors that we comply with. We've updated our terms to align with the updated GDPR requirements.
After listening to feedback from businesses, we've consolidated some of our product terms so that you can find more terms in one place. We're introducing the term Facebook Business Tools, which refers to the tools that we provide to help website owners and publishers, developers, advertisers, business partners (and their customers) and others integrate, use and exchange information with Facebook. Facebook Business Tools include:
- APIs
- SDKs
- The Facebook pixel
- Social plugins, such as the Like and Share buttons, Facebook Login and Account Kit
- Facebook measurement and analytics products
- Other platform integrations, plugins, code, specifications, documentation, technology and services
Finally, we have made updates to our terms in connection with our compliance with the GDPR. For example, we now clarify when we are acting as a data processor versus data controller, and we've added a data processing addendum for advertisers who process personal data associated with customers in the EU.
The processing of personal data for people in the EU is regulated by the GDPR; the collection of data via cookies and the use of Facebook's advertising tools ordinarily involves the processing of personal data; as such, we comply with the GDPR to the extent that data from EU customers is involved.
Who is responsible for obtaining consent when personal information is used to place ads on Facebook?
Facebook is the data controller when an advertiser places ads based on info people provide directly to Facebook, or on data received through the Facebook pixel and SDK. The advertiser is the data controller when they place ads using data file Custom Audiences or upload people's personal info through other Facebook measurement and analytics services. If an advertiser is acting as a data processor, they must ensure compliance for processing personal data. That said, even where we are a data controller, you may have certain obligations under our terms and the law.
- HTTP Headers - Anything present in HTTP headers. HTTP headers are part of the standard web protocol exchanged between any browser request and any server on the internet. HTTP headers include IP addresses, information about the web browser, page location, document, referrer and the person using the website.
- Pixel-specific Data - This includes Pixel ID and the Facebook Cookie.
- Button Click Data - This includes any buttons clicked by site visitors, the labels of those buttons and any pages visited as a result of the button clicks.
- Optional Values - Developers and marketers can optionally choose to send additional information about the visit through Custom Data events. Example custom data events are conversion value, page type and more.
- Form Field Names - This includes website field names like ‘email’, ‘address’, and ‘quantity’ when a person purchases a product or service. The pixel does not capture field values unless an advertiser includes them as part of Advanced Matching or optional values.
We include a detailed table within our Cookies Policy, specifying the expiration of each cookie Facebook sets. We inform people on Facebook about the cookies on their browsers through our Facebook Data and Cookies Policies. Also, we require our advertisers to provide sufficient notice to, and gain all necessary consent from, their customers for their use of the Facebook products and data collection. Consent requirements are explained in our Terms, which include a link to Facebook's Cookies Consent Guide for sites and apps.
As is the case today, the GDPR requires that data is only held for as long as is necessary for the purposes for which it was collected, and that data subjects are informed of the retention period or the criteria used to determine it. Facebook will continue to comply with these requirements.
We operate a global infrastructure and process data in both EU and US-based servers. We comply with regulations for safeguarding any transfers of personal data outside of the EU. Facebook has certified certain products for which it acts as the data processor under Privacy Shield, as explained further in its Privacy Shield Announcement and Certification.
Advertisers can continue to use Facebook platforms and solutions in the same way, but they are responsible for ensuring compliance with the applicable GDPR rules. When an advertiser is the data controller (e.g. data file Custom Audiences), they must ensure compliance with applicable law, including ensuring a relevant legal basis (such as consent, contractual necessity or legitimate interests).
When you use the Facebook pixel, you have to comply with the GDPR. Our terms provide that companies implementing our tools must comply with applicable laws when they use our tools. For companies operating in the EU, this includes having a valid legal basis to process data and, under laws applying to cookies, obtaining prior informed consent for the storing of and access to cookies or other information on a person's device. We offer a consent guide for sites and apps that provides practical guidance and best practice for these consent requirements.
Advertisers today and under the GDPR act as the data controller of any customer lists uploaded as part of data file Custom Audiences. They are responsible for ensuring compliance with applicable law for using that data. This means, among other things, that advertisers must have a clear legal basis for collecting the data (such as consent, contractual necessity or legitimate interest). Facebook's terms require advertisers to ensure they have a legal basis to upload and use the data they provide in connection with Custom Audiences; requirements may vary depending on the laws that apply to them.
In the case of lead ads, both Facebook and the business are data controllers. As a result, both parties are responsible for ensuring compliance by providing notice and establishing a legal basis for processing the data provided by a person using our platform. The lead ads product gives advertisers an option to link to their privacy policies and terms related to the collection and use of personal data.
We have updated our product terms so that it is clear when an advertiser is acting as a data controller or data processor when using offline conversions. When processing offline conversions data to provide measurement or analytics reports, Facebook is acting as a data processor and the advertiser must have an appropriate legal basis for our processing of this data.
Facebook has been directly subject to European data protection law, including the right of access, since 2010. We offer a range of tools for people to access, correct and transfer their data. For example, we offer Download Your Information and Activity Log, as well as other in-product information. We have developed and provided more features like these across our apps and services in compliance with the GDPR.
We evaluate each piece of data we hold to understand how the law applies and ensure that we meet our compliance obligations where applicable. We already provide access to many identifiers via our Download Your Information tool and other features and will continue to provide access as required by the GDPR.
Facebook has updated its terms and policies in connection with the GDPR. Facebook has ensured that it has an appropriate legal basis under the GDPR for processing the data of people in the EU.