The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

At a glance

  • Any use of cookies or similar technologies for the purposes of online advertising requires prior consent under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) – you cannot rely on any other lawful basis for the setting of cookies for this purpose.
  • Similarly, any other third party plugin your online services uses, such as pixel tags from a social media platform, also requires prior consent under PECR where it is used to target political messaging.
  • If you use social media or online advertising technologies or both to target political messaging, you must be very clear about what personal data will be involved, the tools and techniques you are using, and how you will provide privacy information to individuals.
  • When using a social media platform to target political messaging, you are likely to be a joint controller with the platform, and therefore need to establish who is responsible for each aspect of the processing, and ensure you have an appropriate arrangement in place.
  • If your campaign uses a third party platform, you need to ensure that any processing is in line with data protection requirements.

In more detail

What’s different in the online world?

In recent years there has been a sharp rise in the use of social media platforms, online advertising and third-party campaigning platforms in political campaigning.

In the online world, the tools and techniques and amount of personal data available differ substantially from traditional advertising methods and therefore have a greater potential impact on individual rights.

One of the most obvious examples is the concept of “micro-targeting”. This is where you select your messages or your intended audience or both according to the perceived characteristics, interests or preferences of the individuals concerned.

The type and volume of processing that you can undertake in the online world means that you are highly likely to have to undertake a data protection impact assessment prior to the processing, particularly where using the available tools and techniques for political campaigning. This is because the processing may involve:

  • the use of new technologies;
  • profiling of individuals on a large scale;
  • combining, comparing or matching personal data obtained from multiple sources;
  • personal data that has not been obtained directly from individuals, where you consider that compliance with Article 14’s transparency obligations is impossible or involves disproportionate effort – known as “invisible processing”;
  • tracking an individual’s geolocation or behaviour; and
  • the use of personal data of vulnerable individuals for marketing purposes, profiling or other automated decision-making.

These are all examples of processing likely to result in a high risk to the rights and freedoms of individuals, for which you are required to carry out a DPIA.

Further reading – ICO guidance

See our guidance on DPIAs in the Guide to the UK GDPR for more information.

You should also read the examples of high risk processing, where DPIAs are legally required.


Does online political messaging count as direct marketing?

In the vast majority of cases, delivering political messages online through the use of social media platforms and online advertising technologies involves processing personal data and also constitutes direct marketing (in cases where it is directed to an individual). This means that you need to comply with data protection law.

If you use cookies and similar technologies – which most online advertising does – then PECR also applies, whether or not this use involves processing personal data or constitutes direct marketing.

If this is the case, you must look to PECR first, because its rules clarify data protection law in certain areas such as cookies.

Not all online advertising is covered by data protection and e-privacy laws. For example, if:

  • the method of delivery for the advertisement does not involve the storage of information, or access to information stored, on user devices, then Regulation 6 of PECR is not engaged; and
  • the advertisements themselves do not involve processing personal data (ie they are not based on any interests or behaviours, or any other information about an individual), then they may not involve the UK GDPR.

Further reading – ICO guidance

See the Guide to PECR and the Guide to the UK GDPR for more information.


How does PECR apply to political messaging and online advertising?

PECR has specific rules about the use of cookies or similar technologies (including tracking pixels and device fingerprinting techniques). These cover any technology used to store information or access information stored on a user’s device, including:

  • first-party and third-party advertising cookies;
  • device fingerprinting techniques;
  • tracking pixels and plugins from third parties, such as social media platforms; and
  • other third-party tracking technologies.

Your website may incorporate some or all of the above, depending on the decisions that you take when you build and develop it. They facilitate the tracking and targeting of individuals in the online (and, increasingly, offline) environment.

If your online service uses cookies, you need to understand that you are not only using cookies to target individuals for your own purposes, but also allowing third parties to do the same.

Example

A political party’s website incorporates a number of third-party advertising technologies, including cookies, tracking pixels and social media plugins.

When a user visits the website, these technologies process information about that user’s device, as well as their personal data.

This means that both the website and a variety of third parties may process this information, and potentially the user’s personal data as well. Therefore, both PECR and the UK GDPR may apply.

In the case of a social media tracking pixel, the user’s visit to the website can lead to the social media platform adding that user to an audience and targeting them with messaging when they visit the platform.

If you are planning to use cookies to show political messaging to your users (whether or not they are targeted on the basis of those users’ personal data), you need to comply with Regulation 6 of PECR by:

  • providing your users with clear and comprehensive information about the purposes of the cookies you intend to use; and
  • getting their consent, which must be of the UK GDPR standard (eg you cannot rely on an implied consent approach).

Regulation 6 of PECR has two exemptions from these requirements. These are where:

  • the use of the cookie or similar technology is necessary for the transmission of a communication; or
  • the cookie or similar technology is “strictly necessary” for the provision of the online service the user requests (ie your website, in this case).

However, in the context of online advertising, tracking technologies and social media plugins, neither of these exemptions applies. This means that you need to get consent from your users for any cookie or similar technology that you use for these purposes – whether the cookie is yours, or that of a third party.

You also cannot rely on the other lawful bases from the UK GDPR for your use of cookies – for example, “public task – democratic engagement” or legitimate interests.

Further reading – ICO guidance

Read our guidance on the use of cookies in the Guide to PECR. We have also published more detailed guidance on how you can comply with PECR when using cookies and similar technologies.


What should we consider when using online advertising?

In order to provide individuals with advertising more relevant to their interests and behaviours, online advertising can track them in a variety of ways – across the web, across devices, or both.

In addition to ensuring that you comply with PECR’s requirements, there may be further implications if you decide to use online advertising. Whilst these apply generally, for political messaging you also need to consider the extent to which online advertising involves the processing of special categories of data.

You should also remember that even if you do obtain valid consent for PECR, you must comply with the applicable requirements of the UK GDPR if you are also processing personal data.

Online advertising is complex and brings a number of potential issues that you need to consider if you intend to use it for political messaging. You should ensure that you are aware of all of these, including how personal data is processed throughout the entire process of advertisement selection and delivery.

For example, you can advertise online using various methods, from contextual advertising (where the content of the page that the user views determines the advert they see), up to more complex types of targeted advertising involving automated transactions that display adverts in the time it takes for a webpage to load.

Example

Real-time bidding (RTB) is a type of online advertising that involves open auctions, where advertisers bid for an advertising slot that a user is viewing. As the webpage loads in the user’s browser, information about the user’s device, and the user themselves, is collected through the use of cookies and similar technologies.

The information is then sent into a complex system of hundreds of different organisations – from advertisers to advertising exchanges and more – where a bidding process takes place.

In order to take part in the auction, any one of these parties must process the data collected about the user. Only one will ‘win’ the auction, and the resulting advert is then displayed in the user’s browser or mobile app.

This entire process takes place in milliseconds.

When considering the use of online advertising techniques in political campaigns, you need to satisfy yourself that:

  • you have prior consent for the use of cookies, as required under PECR;
  • any processing of special category data has the user’s explicit consent;
  • you comply with the requirements for your lawful basis for processing;
  • you undertake a DPIA to appropriately assess and mitigate the risks;
  • the privacy information you provide is clear so that individuals know what data you want to process, for what purposes, and with whom you intend to share it; and
  • you have appropriate arrangements in place where processors act on your behalf, or where you are joint controllers with another party.

Further reading – ICO update report

Read our update report into adtech and real-time bidding (PDF) for more specific information about data protection considerations for this type of online advertising.


What do we have to do if we use social media platforms to target messages?

Social media platforms process large amounts of personal data about their users’ behaviour and interactions. Generally, this falls into three main types which are known as:

  • provided data;
  • observed data; and
  • inferred data.

Targeting techniques can involve all of these, and social media platforms offer a number of tools to enable you to do this.

When you decide to use your social media presence to target political messaging at individuals, many different data sources are likely to be used for this purpose. The targeting can also involve profiling. You therefore need to be very clear about what data you will be using and why.

What is provided data?

This is personal data that individuals provide to an organisation. In the context of political campaigning, this can be:

  • data they provide to you; and/or
  • data they provide to any social media platform they use, whose tools you then use to target them with messaging.

For example, data provided to social media platforms generally includes things like account profile information, email addresses, contact details, or certain demographic information.

What is observed data?

This is personal data relating to how users interact with an organisation, or in this case a particular website or service – essentially, personal data that is observed through their use of that service. For example, with social media platforms this can include:

  • data about the user’s activity on the platform (eg content they have generated);
  • information about the devices they use to access the platform;
  • personal data obtained through third party application developers;
  • data collected by websites that include the platform’s plugins (such as your own);
  • data collected through other third parties the user interacts with; and
  • data collected through other services the social media platform operates.

It also includes similar information that your own service processes (eg data about user behaviour when they visit your website).

What is inferred data?

Inferred data, also known as derived data, is personal data created on the basis of provided or observed data. Both you and any social media platform you use may make inferences about individuals. For example, social media platforms do this by monitoring user behaviour over time and analysing things like pages visited and interactions on those pages. This analysis may enable the platform to infer information about the interests and characteristics of that user.

What are the considerations if we target social media users based on data we already have?

Social media platforms offer “list-based” targeting tools that allow you to send political messages to users of the platform. This list-based targeting is where you upload personal data you already have to the platform, such as a list of email addresses. It then matches this data with its own userbase. Any user that matches the uploaded list is then added into a group that you target your messaging to on the platform itself.

These tools are generally known as ‘audiences’ although the precise term can differ, depending on the platform. Examples include Facebook Custom Audiences or LinkedIn Contact Targeting.

Generally, the process of uploading the list to the platform involves a technique known as “hashing”. The list is hashed when you upload it and compared to a list of hash values in the platform’s database. The audience is built on any matching hashes. Whilst this provides a level of assurance about the security of the processing, it does not address all the data protection considerations and is not an anonymisation technique.

If you use list-based tools, you also need to:

  • assess whether special category data can be inferred from the list you provide. Although your creation of a list for uploading to the platform may not by itself represent the processing of special category data, the further use of the list by you and the platform to target political messaging may be (eg if the platform subsequently infers political opinions);
  • clearly and prominently inform individuals and be transparent about this processing so that they fully understand you use their personal data in this way. For example, telling them upfront that you want to use their email addresses to match them on social media for the purposes of showing them political messaging; and
  • take into account any objections. If an individual has objected to you using their personal data for direct marketing purposes you cannot use their data to target them on social media. You also cannot process their data to help you find similar people to target, because using their data in this way is still for direct marketing purposes.

In practice, you need to be very clear and upfront about this processing. Information about any list-based tools you use on social media should not be buried within your privacy information. If it is, then individuals are unlikely to expect that this processing will take place. If you do not make this clear to individuals, you risk non-compliance with the purpose limitation principle and the right to be informed.
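As an added illustration of the hashed list matching and the objection-suppression step described above (this is not the ICO's code nor any platform's actual matching implementation), the following Python models both sides of an upload. The normalisation rule, the choice of SHA-256 and the sample addresses are constructed assumptions; real platforms publish their own formatting rules.

```python
"""Model of list-based ("hashed") audience matching.

Added example, not the ICO's or any platform's code. Normalisation,
SHA-256 and all sample data below are assumptions for illustration.
"""
import hashlib


def normalise_email(email: str) -> str:
    """Canonicalise an address so that the same person hashes to the same value.
    (Assumed rule: trim whitespace and lower-case.)"""
    return email.strip().lower()


def hash_identifier(value: str) -> str:
    """Hash a normalised identifier; this is what gets uploaded, not the address."""
    return hashlib.sha256(normalise_email(value).encode("utf-8")).hexdigest()


def build_upload(supporters, objectors):
    """Campaign side: drop anyone who has objected to direct marketing
    before hashing, because list-based targeting is still direct marketing."""
    excluded = {normalise_email(e) for e in objectors}
    return {hash_identifier(e) for e in supporters
            if normalise_email(e) not in excluded}


def match_audience(uploaded_hashes, platform_users):
    """Platform side: hash its own user base the same way and keep the matches.
    Returns the platform's internal user ids that form the audience."""
    index = {hash_identifier(email): uid for uid, email in platform_users.items()}
    return {index[h] for h in uploaded_hashes if h in index}


def is_in_list(candidate_email, uploaded_hashes):
    """Anyone holding the hashes can test a known address against them, so the
    upload is pseudonymised personal data, not anonymised data."""
    return hash_identifier(candidate_email) in uploaded_hashes


# Constructed sample data (not real people).
SUPPORTERS = ["Alice@Example.org ", "bob@example.org",
              "carol@example.org", "dave@example.org"]
OBJECTORS = ["dave@example.org"]          # has objected to direct marketing
PLATFORM_USERS = {"u1": "alice@example.org",
                  "u2": "erin@example.org",
                  "u3": "carol@example.org"}


def demo():
    upload = build_upload(SUPPORTERS, OBJECTORS)
    audience = match_audience(upload, PLATFORM_USERS)
    return {
        "uploaded": len(upload),                       # 3: dave suppressed
        "audience": sorted(audience),                  # ['u1', 'u3']
        "alice_traceable": is_in_list("ALICE@example.org", upload),  # True
        "dave_excluded": not is_in_list("dave@example.org", upload), # True
    }


if __name__ == "__main__":
    print(demo())
```

The `is_in_list` check is the point of the paragraph above: the hashes still identify individuals to anyone who can hash a candidate address, so the upload remains personal data under the UK GDPR.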

What are the considerations if we target similar individuals on social media?

Social media platforms also offer you the ability to build other audiences based on the characteristics of an original audience that you’ve created using a list-based tool. These are commonly known as “lookalike” audiences, although again the terminology may change depending on the platform.

These targeted groups generally comprise individuals that you have not previously engaged with, but who ‘look like’ your original list-based audience (ie they are individuals with similar interests, behaviours or characteristics to the kinds of people you want to target).

Additionally, the widespread use of social media plugins and tracking pixels on other websites is another means to add users into this sort of audience. You therefore need to be aware that this can take place and ensure that you have considered the data protection implications when including plugins in your own website.

These implications can be complex. Although the social media platform may undertake the majority of the processing activities, you are the organisation that instigated this processing and provided the platform with the initial dataset (ie your original list-based audience). Both you and the platform are joint controllers for the resulting targeting activity.

At the same time, you may not have any direct relationship with the individuals that are being added to this type of audience. You therefore need to be satisfied that the social media platform has taken all necessary steps to provide the appropriate information to individuals. This is particularly the case because this type of audience can change according to people’s behaviour or interests.

You also need to ensure you appropriately inform individuals who have provided information to you that you will process their data to create these other audiences. As mentioned above, if individuals have objected to the use of their personal data for marketing purposes, you also need to ensure that you do not use their data for the creation of a “lookalike” audience.

Are we joint controllers with social media platforms for the targeting activities we undertake?

When using a third party like a social media platform for the purposes of targeting political messaging to individuals, in most circumstances you and that third party are jointly responsible for the processing. This is because you are both deciding the purposes and the means. For example, when using social media:

  • you decide to have a presence on the social media platform;
  • the platform in turn decides to provide a number of tools and techniques that you can use to target messaging at its users, both on and off the platform, including making available particular targeting criteria;
  • you create ‘audiences’ on the basis of the tools and personal data available and decide which criteria the platform uses to target those users; and
  • both you and the platform jointly benefit from the processing activities you undertake.

Joint controllership also exists in cases where:

  • you are just using the platform’s tools to generate aggregate data about how your users interact with your social media presence;
  • you include plugins from the platform on your website, and these plugins collect your visitors’ personal data and transmit it to the platform; and
  • you or the platform or both use provided data, observed data and inferred data for targeting purposes.

In joint controller relationships, both you and your fellow controller have responsibility for complying with the UK GDPR’s requirements. This does not mean you have the same responsibility for all aspects of the processing. However, you do need to agree and fully understand who is responsible for what, as well as recognising and ensuring that individuals can exercise their rights with either party. This means you need to work with any third party you use to make sure there are no gaps in compliance.

Article 26 of the UK GDPR specifies the requirements for joint controller situations. These are no different when you decide to use a social media platform to target political messaging. See our guidance on controllers and processors for further information on these requirements.

In some cases, the social media platform may make available a “standard” joint controller arrangement. These may be appropriate for the requirements of Article 26, but you need to ensure this is the case. In particular, what matters is what happens in practice rather than what any document may say.

Making these arrangements can be complicated, particularly where large platforms offer a number of targeting tools or have particular technical expertise or both, as well as a significant user base and market presence. You may also be presented with ‘take it or leave it’ conditions and pre-defined arrangements. However, this doesn’t exempt either you or the platform from your data protection obligations. The ICO recognises this issue is not specific to political campaigns and may issue further guidance should this be necessary to address evidence that emerges from future audits or other regulatory activity the ICO undertakes.

Further reading – ICO guidance

Read our guidance on controllers and processors and contracts and liabilities in the Guide to the UK GDPR.


What should we consider when using specialist campaigning platforms or other third party tools?

You can also use a variety of third-party digital campaigning platforms to host data and enable political engagement. They can also provide tools for this engagement, such as emails, fundraising and links to social media.

Using these platforms can be a way of managing a political campaign, and the personal data involved, without needing to build your own infrastructure. However, you need to ensure that your arrangements with these platforms are clear and transparent. For example, if the campaigning platform acts as your processor, it must only act on your instructions.

This is crucial because in some cases the platform’s service offerings may essentially determine what techniques are used for your campaign. For example:

  • a basic service level could include the creation of a database of individuals, a website for your campaign, electronic mail marketing, and payment services (eg if you accept donations); and
  • a higher service level could include the above, plus additional marketing and engagement tools (eg SMS messaging along with email or other more advanced features), campaign dashboards, membership and ticketing functionalities, and data analytics services.

Many of these platforms will also create customised service packages depending on the specifics of your campaign.

Your use of these platforms must comply with data protection and e-privacy laws, so it is vital that you know:

  • what data you are going to use (and provide to the platform);
  • how you are going to comply with legal requirements when using the platform’s tools to target individuals with political messages; and
  • where the platform hosts the data (ie will data about your campaign or your supporters be stored outside the EEA) and, if so, what steps you have taken to ensure compliance.

Additionally, these platforms can be used by different political campaigning organisations across many election periods, including in multiple countries. They can therefore process a large amount of personal data from multiple political campaigns, and you need to establish how the platform holds not just your data, but that from any other organisation. For example, considerations may include whether and how data is segregated, and what (if any) data the platform seeks to use for purposes such as service improvement.

Depending on the available services, campaigning platforms can also undertake certain types of processing on your behalf. For example:

  • they may match the data you provide with data available publicly (eg on social media profiles), which may occur without the individuals being aware;
  • they could use other techniques such as “web scraping”. This is an automated process whereby content, which can include personal data, is “scraped” from a web page and stored for further processing; and
  • they are likely to offer a ‘suite’ of tools to enable online direct marketing.

In the case of data matching and web scraping, data protection law does not stop you processing publicly available personal data, but you must do it in compliance with the law. For example, if you “scrape” publicly-available personal data from social media profiles, you become the controller for that data. You therefore need to ensure you comply with data protection requirements, including having a lawful basis for processing and providing privacy information to individuals.

If you intend to use campaigning platforms or other third party tools, then you need to incorporate this into your campaign’s DPIA and ensure that you provide all relevant information to individuals as part of your transparency obligations. If the platform is your processor, it can assist you in doing this.

Further reading

For general guidance on PECR, see our Guide to Privacy and Electronic Communications Regulations.

For general guidance on key data protection concepts, see our Guide to Data Protection.