Hacker News

This is a core feature of every ad platform I've seen and is absolutely not a violation of the GDPR since users are giving consent when they sign up.

I think we'll see regulators take a different view when they get around to challenging this practice, and the businesses who get made into examples might find it an expensive lesson. Handing over personal details to big data hoarders for remarketing purposes is the epitome of behaviour the GDPR was intended to curtail. You can't just mutter the word "consent" and claim some small print on a Ts & Cs page no-one reads protects you, and regulators have shown very little sympathy so far for data controllers who have tried to weasel their way out of GDPR obligations with this kind of strategy.

Those regulators are still under-resourced and it will presumably take some time for them to get around to dealing with this issue. Right now they're still going after serious leaks and the like. But they're already handing out 9-figure fines to big name businesses for those breaches, and by default those fines go back into central government coffers. Given the current economic climate, how long do you think it will be before their governments realise that this is potentially a very lucrative revenue stream that the public is unlikely to mind, and so start pushing the funding for those regulators up? The ICO (the UK's regulator) has already significantly increased its budget and headcount since the GDPR came into effect, and is reportedly looking at ways to ringfence some of the fines to cover the litigation costs when it inevitably has to defend the big penalties it will hand down from time to time.

When the Cambridge Analytica scandal happened here in the UK, the ICO fined Facebook £500,000. That was the largest fine they could legally impose at the time. As they observed themselves, in what might charitably be considered a thinly veiled threat, under the GDPR that could have been well over £1B instead. Even an organisation the size of Facebook is going to feel that, particularly since there is nothing that says it can't be repeatedly fined on that scale if it misbehaves in multiple different ways.

A couple of potentially important issues have, as far as I know, not yet been resolved in this area.

Firstly, what happens if processing in violation of the GDPR is widespread, the businesses you give your address to are the data controllers, but you still have the likes of Facebook hoovering up huge amounts of personal data inappropriately but possibly only in the capacity of a data processor? No doubt there will be some interesting legal arguments about where liability is going to be placed if Facebook was actively soliciting that sort of activity as part of its business model.

Secondly, what happens after the UK has fully separated from the EU at the end of this year, if as the government has stated we retain the GDPR in our national law? Until Brexit was relevant, the GDPR was an EU-wide measure, and typically one member state's regulator would take the lead role in any given case. Anyone breaking the GDPR's rules could be duly investigated and penalised, but only once, not in the same way by every regulator in every member state where there was offending behaviour. If the UK is no longer to be a part of that scheme, will regulators still co-ordinate in this way, or will the businesses sharing data with Facebook face a kind of double jeopardy where both the UK and a lead regulator from an EU member state can potentially fine them for the same behaviour, effectively doubling the maximum penalty they could receive?

If both of those issues were resolved in ways unfavourable to the marketing platforms like Facebook, they could be looking at huge fines for promoting this sort of scheme on the scale that they do, potentially enough to make whole strategies based on selective targeting unviable.
