Now that the hype wave has gone, it is maybe time to dive a bit deeper into the real consequences of such regulation. In particular, we focus here on social profiling, i.e., the practise of profiling users based on their social media activities. Often without users knowing (or noticing..) it. While this practise has always been in a (very!) grey zone from the legal perspective, many companies are still doing it. When we say ‘grey zone’ we mean both from the point of view of existing (pre-GDPR) privacy regulation as well as T&Cs of social network platforms.
Just to make it clear through an example, it has never been legal to profile people based on what they tweet. You may think that as tweets are publicly accessible you can do whatever you want with it, but that’s not the case. That data indeed is not yours, but it is owned by the user who wrote it, who by publishing it on Twitter provides Twitter (not you) a a “worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods” (see the ToS here). So the fact that you can read my tweets basically gives you no right to use them, even more for profiling me. GDPR just clarified that (all least for EU citizens) this is not allowed in the absence of an explicit consent of the user.
So is this kind of a catch 22 for social profiling? Is it a dead-end street?
Not really. And a handy tool for doing things right is social login.
Social login is the process through which users can sign up to an online service by using their social media account, without the need to create yet another user/password pair. The social media platform works in this case as a broker, ‘certifying’ the identity of the user to the service provider and replacing tradition login credentials. This process has benefits for both sides. On the user’s one, no need to remember yet-another-password. And a handy way to control access to your data (see the screenshot on how on Facebook our CEO could check which apps have access to his data).
On the service provider’ side, it saves the costs (and time) related to the management of digital identities. And – and that’s the whole point here – it provides a handy way to explicitly ask for user’s consent to access data, thereby helping companies comply with GDPR (in particular with Art. 12 and Art. 13). Of course it is not sufficient to just ask users for access to their posts/likes/etc. through the social login process, as to comply with GDPR you must:
- explain them which kind of data you are collecting, for what purpose, and inform about potential transfer of such data to third countries;
- explain them how long you will keep the data and remind them of their rights in terms of access to/modify/erase the data you collected (including a description of the procedure for withdrawal of consent);
- inform them about any automated decision-taking carried out based on their personal data, or other profiling activities;
- ask them to explicitly grant permission.
If you want to have a chat on how to implement social login and social profiling for your online service, drop us a line at firstname.lastname@example.org
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 739783 (DataSci4Tapoi). The information and views set out in this article are those of the author(s) and do not necessarily reflect the official opinion of the European Union. Neither the European Union institutions and bodies nor any person acting on their behalf may be held responsible for the use which may be made of the information contained therein.