Facebook offers a variety of advertising services - one of these services is the Website Custom Audience which business owners are able to use to set up retargeting.

Retargeting (also known as remarketing) can be a great way to advertise your products and services, however it does mean you will be subject to some extra compliance requirements.

If your business engages in Facebook retargeting you need to have a Privacy Policy which informs users that your website or app uses Facebook Pixel to collect data and show them targeted adverts.

If your business already has a Privacy Policy, you will simply need to update it by adding in a section explaining retargeting. If you are yet to create a Privacy Policy, you will need to draft one and include a section about retargeting.


Why You Need a Privacy Policy if You Use Retargeting

A Privacy Policy is a legal requirement whenever a business collects personal data from users. The policy must state what, how and why personal data is collected, as well as informing users of their rights regarding their data.

Retargeting collects personal data for the purposes of tracking users across the internet and displaying targeted adverts to them. For this reason, a Privacy Policy is a legal requirement.

Let's break down these legal requirements further.

Laws around the world require businesses that collect personal data to have a Privacy Policy, and this includes informing users if your website or app uses any retargeting services - such as Facebook Pixel.

The California Online Privacy Protection Act (CalOPPA)

There is no federal law governing Privacy Policies and data collection In the United States.

However, CalOPPA is one of the strictest privacy laws in the world and applies to any website or app that is available to residents of California - even if the business has no physical presence in California.

CalOPPA requires businesses to have an easily accessible Privacy Policy which informs users of the type of personal data collected and if the data is shared with third parties. This law also grants users the right to review the data that a company holds about them.

Other Country's Laws

If you have users based within the following countries you will need to comply with their respective laws:

  • Canada - The Personal Information Protection and Electronics Documents Act (PIPEDA)
  • Australia - The Privacy Act
  • UK - Data Protection Act (DPA)

In addition, if any of your user's are based within the EU, you will need to comply with the strict GDPR.

EU Cookies Directive

Another important law that you should be aware of is the EU Cookies Directive.

According to this Directive, any website or app that uses cookies is required to have a Privacy Policy which explains the company's use of cookies.

Alternatively, business owners can display a separate Cookie Policy advising of the same.

Since retargeting uses cookies to follow users around the internet, this Directive will be triggered providing any of your users are based within the EU.

Using retargeting means that your website or app will place cookies on the devices of EU Citizens. In light of this, the Directive requires you to advise users that your business uses cookies for the purposes of retargeting.

One of the biggest criteria to note is that the Directive requires you to obtain the user's consent prior to using the cookies.

If your Privacy Policy does not have a section about cookies, you can add a clause that explains what they are and why they are used e.g. for remarketing.

Retailer Henry's House of Coffee includes a clause about Cookies in the shop's Privacy Policy. The clause explains that cookies are used to track activity on their website and that users have the ability to refuse cookies:

Henrys House of Coffee Privacy Policy: Tracking Cookies Data clause

Conversely, gas retailer Shell has a separate Cookies Policy as opposed to including a cookie clause in the company's Privacy Policy.

The Cookies Policy advises that Shell uses retargeted advertising by explaining that cookies are used to 'serve you specific content' and 'serve you with targeted advertisements on third party website(s) in an effort to re-market our products and services to you':

Shell Cookie Policy: Why do we use cookies clause intro

Facebook Requirements

If you use Facebook Pixel, you must agree to the Facebook Business Tool Terms. These terms specify that any website or app using Facebook for pixels or SDK's must provide notice to users about the collection, sharing and usage of their data, as well as information about opting out of this:

Facebook Business Tools Terms: Special Provisions Concerning the Use of Facebook Pixels and SDKs clause

Websites need to state where Facebook Pixel are used on each page.

In addition, users must be told that third parties (including Facebook) can use cookies and other storage technologies to collect and receive information from the business's website. Users must be informed that any information collected can be used for targeting advertising.

Websites must also advise users that they have the right to opt-out of the collection and use of their personal data for targeting advertising. You must also make sure that you explain how users are able to opt-out:

If you are an app developer, the terms state that your app settings or Privacy Policy must contain a 'clear and prominent link' to an explanation regarding remarketing.

In particular, the explanation must state that third parties are able to collect and receive information from your app and use that information for the purpose of providing targeted advertising to the user.

When you agree to the terms you are stating that you will ensure that your website or app's users have given their consent before you activate any Facebook Business Tools which enable cookies to be stored on the user's device.

This is only applicable to jurisdictions that require informed consent for the storing and accessing of cookies.

For example, the EU makes it clear in the EU Cookie's Directive that consent must be sought from EU citizens.

You can get consent from your users by placing a pop-up banner on your website which states that your website uses cookies and asks users to agree to their use.

Superdrug's website displays a pop-up banner which informs users that by using the site they are agreeing to the use of cookies:

Superdrug cookie consent notice

There is also an 'I consent to cookies' button for users to press, alongside links to the retailer's Privacy Policy and a more detailed explanation of cookies.

What Should You Include in Your Privacy Policy?

What Should You Include in Your Privacy Policy?

It is essential to add a clause about retargeting to your existing Privacy Policy in order to comply with legal requirements and with Facebook's requirements.

The clause should:

  • Explain that your business uses Facebook retargeting with Facebook Pixel
  • Advise users what retargeting is and how it is used
  • Inform users that third parties, such as Facebook, display your adverts on their website or app
  • Make it clear that third parties may use cookies to track user behavior and will show adverts based on their use of your website or app
  • Advise users that they have the right to object to retargeting and to opt-out of cookies. Make sure you inform users how they can do so.

Let's look at a few examples of how other companies have included retargeting in their Privacy Policies.

Bandzoogle has a Privacy Policy which contains a clause about the site's use of Facebook Pixel.

The clause explains that Facebook Pixel 'allows user behavior to be tracked after they have been redirected to the provider's website by clicking on a Facebook ad.' The company also advise that this data is stored by Facebook:

Bandzoogle Privacy Policy: Use of Facebook Pixel clause

UK-based business Creative Conservatories offer an introduction at the start of its Privacy Policy which advises that 'some third parties, like Facebook and Google, may know you visited this website':

Creative Conservatories Privacy Policy: Short Version section

The retailer's Privacy Policy then goes into more depth about the third party remarketing services they use, including a clause dedicated to Facebook Remarketing. The clause advises that Facebook may use cookies, web beacons and other storage technologies to collect or receive information from the company's website and elsewhere on the internet to provide targeted adverts.

The clause explains in simple terms that the company's adverts may appear on the user's Facebook page after they have visited the company's website and this is known as retargeting.

The retailer also explains that Facebook uses a Custom Audience Pixel to do this and places a cookie in the user's browser whenever they land on a webpage:

Creative Conservatories UK Privacy Policy: Facebook Remarketing clause

Retailer Pai Skincare has a clause disclosing that its website uses Facebook Pixel and briefly explain what this means:

Pai Skincare UK Privacy Policy: Facebook Ads Conversion Tracking Pixel clause

Henry's House of Coffee informs users that the retailer utilizes retargeting services to display targeted advertisements to users on third party websites after users have visited the retailer's website. The clause also explains that cookies are used to provide adverts, based on user's previous visits to the store:

Henrys House of Coffee Privacy Policy: Behavioral Remarketing clause

The clause goes on to advise which third party services are used for remarketing. The retailer uses Facebook retargeting and provides a link for users to explore should they wish to learn more about interest-based advertising from Facebook.

Importantly, the clause also explains that users have the ability to opt-out of Facebook's retargeting and provide a link to instructions on how to do the same. The company also provides a link to Facebook's data policy:

Henrys House of Coffee Privacy Policy: Facebook clause

Finally, Nice Label provides a thorough and clear explanation about Facebook retargeting in its Privacy Policy.

The clause builds trust with users by making it clear that the company only uses the Facebook Pixel to display Facebook adverts to users who have shown an interest in the company's website.

The retailer says it doesn't want its adverts to be a nuisance to users, and thus works with Facebook Pixel to ensure that the adverts are inline with a user's interests:

Nice Label Privacy Policy: Facebook, Custom Audiences and Facebook Marketing Services clause excerpt

The clause also provides links to Facebook's policies and advises users how they can object to the collection of data by the Facebook Pixel and the use of the data for the purposes of targeted advertising. A link to Facebook's instructions regarding how to do the same is also provided:

Nice Label Privacy Policy: Facebook, Custom Audiences and Facebook Marketing Services clause - Object to excerpt

Summary

If your business is using Facebook retargeting you need to update your Privacy Policy, or create a Privacy Policy, to inform users of this.

Informing users about retargeting is a legal requirement since retargeting uses cookies to collect data and track users across the internet.

The vast majority of third party retargeters require users to be informed about retargeting as part of their service agreements. Facebook is no exception. Its terms state that users must be informed about retargeting.

While there isn't a set way of advising users about retargeting in your Privacy Policy, there are some important points to include to ensure your business is compliant with Facebook's Terms as well as with various privacy laws.

In particular, make sure you tell users that third parties (including Facebook) may collect data using cookies or other storage technologies. Further advise that third parties are able to provide targeted advertising to the user by utilizing this information.

Lastly, It's crucial to inform users that they have the right to opt-out of data collection for the purposes of targeted advertising. You should tell users how they can do this by providing an explanation, or a link to an explanation within your Privacy Policy.