- 2.1. Your Contact Details
- 2.2. Personal Information You Collect
- 2.3. How You Use Personal Information
- 2.4. How You Share Personal Information
- 3. If You Have Customers In the UK or EU
- 3.1. Your Obligations Under Facebook's Page Insights Controller Addendum
- 3.2. Your Legal Basis and Legitimate Interests
- 3.3. Responsible Data Controller and Data Protection Officer
- 5. Summary
Here are some activities that might qualify as "collecting personal information":
- Recording the names or email addresses of your customers
- Taking payments via a payment processor such as PayPal or Stripe
- Using Facebook's Page Insights product
- European Union: The General Data Protection Regulation (GDPR) places very strict data protection requirements on all businesses.
- United Kingdom: EU privacy law still applies in the UK, so if you have UK customers you must also comply with the GDPR.
Take a look at this section of Facebook's Pages, Groups and Events Policies:
Your Contact Details
You should include full contact details for your business, including its legal name, business address, and email address.
Here's an example from Product Hunt:
Note that Product Hunt refers to itself as "the Controller." This is only relevant if you have customers in the EU and have to comply with the GDPR. We'll discuss this in more detail below.
Personal Information You Collect
Whether you're running a physical store, an ecommerce store, or an online services business, you'll need to collect basic personal information such as customers' names and contact details.
Here's an example from Bando:
If you have a broader online presence extending beyond your Facebook Page, you'll also need to explain the other ways in which you collect personal information.
Here's an example from Microsoft:
How You Use Personal Information
You must explain your purposes for collecting personal information, i.e. how you use it.
For example, you can use your Facebook Page to enable customers to book appointments or make orders. Or you might use Facebook Messenger to engage with customers and receive inquiries.
You should have a clear business purpose for using any personal information you collect. If you collect email addresses, names, and shipping addresses, you must explain why you do this.
Here's an example from catering business Chrissie Cakes and Supplies:
How You Share Personal Information
Here's an example from ecommerce business Jasmin Studio Crafts:
Note that you don't necessarily need to name the businesses with whom you share personal information: you can just identify the types of businesses.
If You Have Customers In the UK or EU
If you've ever visited a company's Facebook Page from within the UK or the EU (or the wider European Economic Area), you might have noticed a link reading "Information about Page Insights data."
Clicking this link leads to a page explaining that Facebook and Facebook Page Admins are "joint controllers" under the GDPR.
A German court required Facebook to create this policy based on how its "Insights" product works. Here's where to find Insights:
The Insights tool automatically collects data about who visits your Page. As a Page Admin, you would never be able to actually use this data to determine whether a particular individual had visited your page.
However, according to the EU, this data is personal information. And under the GDPR, you and Facebook are jointly responsible for processing it.
Your Obligations Under Facebook's Page Insights Controller Addendum
As a Facebook Page Admin, you're held jointly responsible for Insights data. Facebook's Page Insights Controller Addendum sets the rules about how you and Facebook should meet your legal obligations.
The GDPR allows joint controllers to decide among themselves how they will fulfill their legal obligations. Fortunately, Facebook has allocated almost all of the GDPR's duties to itself, and there's not much left for Page Admins to do.
Here are Page Admins' duties under the Addendum. You must provide:
- Your legal basis for processing Page Insights data and the "legitimate interests" you are pursuing by using this data
- The identity of your responsible data controller and their contact details
- The identity of your Data Protection Officer (if you have one)
Facebook doesn't explain what any of this means or how you can communicate it to your customers. That's where we come in.
Your Legal Basis and Legitimate Interests
Facebook requires you to identify your legal basis for processing Page Insights data.
The concept of the "legal basis" (or "lawful basis") is very important under the GDPR.
We won't go into detail about the legal bases here. Essentially, there are six legal bases, and every time you collect personal information, you need to identify a legal basis for doing so.
See our article Lawful Basis for Processing Under the GDPR for more information.
So, what's your legal basis for receiving personal information from Page Insights? Well, Facebook suggests that it might be in your "legitimate interests," which is one of the six legal bases.
"Legitimate interests" can be a suitable legal basis when you process personal information in a way that benefits your business without causing any significant privacy risks. You should carry out a Legitimate Interests Assessment if you plan on relying on this legal basis.
Here's an example of a clause that addresses this:
The clause explains how Insights works and then identifies its legitimate interests in receiving Insights data: the ability to recognize user preferences and locations and to adapt and improve its offer accordingly.
Responsible Data Controller and Data Protection Officer
Facebook requires that you provide a name and contact details for the "responsible data controller."
The responsible data controller is your company. Your company is a data controller under the GDPR because it decides why and how to process personal information.
Facebook also requires that you provide contact details for your Data Protection Officer. However, unless your business has over 250 employees, or it regularly processes sensitive personal information, it's unlikely you'll need to appoint a Data Protection Officer.
First, go to your Facebook Page dashboard and select "Edit Page Info" in the top right-hand corner.
- Who you are, and how your customers can contact you
- What personal information you collect
- How you use personal information
- How you share personal information
If you have customers in the UK or EU, you also need to comply with Facebook's Page Insights Joint Controller Addendum.