GDPR Knowledge

Meta Custom Audiences and Data Protection – What Belongs in the Privacy Policy

Meta Custom Audiences data protection: data processed, joint-controller setup, third-country transfer and what website operators should include in their privacy policy.

If a website operator uses Meta Custom Audiences, they process click paths, conversion events, device data and, depending on the variant, contact-related identifiers such as hashed e-mail addresses for the purpose of targeted advertising in Meta's ad network, typically on the basis of a marketing consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. This page explains which data Meta Custom Audiences processes, what website operators use it for and which mandatory information regarding Meta Custom Audiences belongs in the website's privacy policy, including the specifics of joint controllership with Meta.

A. Purpose and Functionality of Meta Custom Audiences

Meta Custom Audiences is a function within the Meta Business Tools (Facebook, Instagram, Messenger) that allows advertisers to build their own audiences for advertisements in Meta's ad network. It is based on data points that the advertiser themselves contributes: website interactions via the Meta Pixel and/or the Conversions API (CAPI), app activities, customer lists (e.g. hashed e-mail addresses or phone numbers) or engagement data from the Meta platforms themselves.

According to the provider, Custom Audiences enables the creation of audiences, such as visitors to a specific product page, people who abandoned a shopping cart or existing customers, as well as their extension to lookalike audiences (statistically similar profiles). This page focuses on the integration function: the capture of website events via the Meta Pixel and the CAPI with subsequent audience building in Meta Business Manager. Audiences built purely from customer-list uploads without website tracking are not addressed in depth here.

B. Mandatory Information in the Privacy Policy When Using Meta Custom Audiences

Beyond general information about the controller, data subject rights and the supervisory authority, the GDPR requires a number of specific items of mandatory information in connection with tools such as Meta Custom Audiences: the purposes of processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR) and – where processing is based on legitimate interests (Art. 6(1)(f) GDPR) – the specific legitimate interests pursued (Art. 13(1)(d) GDPR).

Further mandatory information concerns recipients or categories of recipients (Art. 13(1)(e) GDPR), transfers to third countries without an adequacy decision and the safeguards relied on (Art. 13(1)(f) GDPR), the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR) and, where data is not collected directly from the data subject, the categories of data (Art. 14(1)(d) GDPR). Particularly relevant for Meta Custom Audiences is the joint controllership under Art. 26 GDPR; the essence of the corresponding arrangement must also be made available to data subjects pursuant to Art. 26(2) GDPR.

It is not necessary to list every tool – including Meta Custom Audiences – with its own text module and named reference in the privacy policy. The "text-module-per-tool" approach has become a bad habit: it produces long, repetitive lawyer-drafted texts, makes the privacy policy difficult to maintain and barely readable. A topic-oriented approach is more appropriate: it describes processing operations collectively (server operation, newsletter, tracking, marketing …) and lists only the specific recipients used – including Meta – in an appendix. The matterius generator follows precisely this methodology.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Meta Custom Audiences

According to the provider's publicly available information, the contracting partner for German website operators is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The parent company Meta Platforms, Inc. is based in the USA. The provider points to intra-group data flows to Meta Platforms, Inc. According to public information, Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework; the status can be verified at https://www.dataprivacyframework.gov/s/participant-search.

Meta's privacy notice is available at https://www.facebook.com/privacy/policy; the Terms for Meta Business Tools are available at https://www.facebook.com/legal/terms/businesstools. The Joint Controller Agreement (Controller Addendum) is published at https://www.facebook.com/legal/controller_addendum.

D. Data Processing by Meta Custom Audiences – Step by Step

  1. Collection: When a website with the embedded Meta Pixel is loaded, the pixel script runs in the visitor's browser and may set cookies (the _fbp identifier cookie and, where the visitor arrived via a Meta ad link carrying an fbclid parameter, the _fbc click-ID cookie); the pixel sends standard and custom events (e.g. PageView, ViewContent, AddToCart, Purchase) together with the IP address and user agent to Meta. In addition, the website operator can transmit events to Meta server-side via the Conversions API. With customer-list uploads, hashed identifiers (e-mail, phone) are passed directly from the advertiser's backend to Meta.
  2. Storage: The transmitted events are stored in Meta's advertising infrastructure. According to the provider, the primary processing is carried out by Meta Platforms Ireland Limited; intra-group transfers to Meta Platforms, Inc. in the USA are possible.
  3. Use: Meta uses the events to build Custom Audiences, calculate lookalike audiences, optimise ad delivery and create conversion reports.
  4. Disclosure: Within the Meta group (Facebook, Instagram, Messenger platforms), the data is forwarded for ad delivery. Meta uses its own sub-processors and infrastructure providers.
  5. Deletion: Custom Audiences are retained according to the provider's policies and the advertiser's configuration; according to the provider, Custom Audiences that are not refreshed expire automatically. Website visitors can object to use of their data for personalised advertising in Meta's ad settings.

E. Data Collected by Meta Custom Audiences

In the integration function via Meta Pixel and CAPI, the following are processed in particular: IP address, user agent, cookie IDs (_fbp, _fbc), click paths, URLs called up, conversion events (e.g. purchase, lead) and – where Advanced Matching or CAPI is enabled – hashed identifiers (e.g. SHA-256 of e-mail address, phone number, name).

These data can be classified into the following standardised data-type classes:

  • Server log data: IP address, date, time, user agent, referrer at the pixel request.
  • Click paths: pages called up, clicks on buttons and products, sequence of page views.
  • Conversion events: registration, shopping-cart creation, product purchase, lead form, view of a thank-you page – the core data type of Custom Audiences.
  • Device data: device type, operating system, screen resolution.
  • Browser information: browser name, browser version, language settings.
  • Coarse location data: location at city/municipality level derived from the IP address.
  • User profiles: where linked to the Meta account, interest, preference and segment assignments are added on Meta's side.

For customer-list Custom Audiences, hashed contact data (e-mail, phone number) are additionally transmitted. Even if hashed client-side, this remains personal data: SHA-256 without a secret is deterministic, e-mail addresses and phone numbers form a small and guessable input space, and Meta matches the hash against the same hash of its own users' data, so the hash functions as a pseudonymous identifier rather than as anonymisation.

F. Purposes of Use When Deploying Meta Custom Audiences

Website operators typically deploy Meta Custom Audiences to reach website visitors with appropriate ads in Meta's ad network, to re-engage cart abandoners, to address similar profiles (lookalike audiences) for new-customer acquisition and to measure the success of ad campaigns.

These purposes can be classified into the following standardised purpose classes:

  • General marketing: alignment and adjustment of advertising campaigns overall, success measurement of campaigns, evaluation of communication channels.
  • User-profile creation: assignment to segments or target groups, identification of demographic characteristics.
  • User-individual marketing: targeting of advertising in Meta's ad network based on individual interests and prior usage behaviour (remarketing).
  • User-individual product improvement: display of interest-based content on the website itself, where Custom-Audience data is fed back.

According to the publicly available functional descriptions, Meta Custom Audiences falls primarily into the tool category of tracking (marketing) / remarketing.

G. Legal Basis for Meta Custom Audiences

A marketing consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG is typically required, since the Meta Pixel and CAPI rely on cookies or equivalent identifiers and process behavioural data for advertising purposes. German supervisory authorities assume a consent requirement for comparable constellations, and the CJEU has held that storing or reading non-essential identifiers on a user's device requires active consent (judgment of 1 October 2019, C-673/17, Planet49). The CJEU judgment of 5 June 2018, C-210/16 (Wirtschaftsakademie Schleswig-Holstein) concerns a different point relevant to this page: it established joint controllership between the operator of a Facebook fan page and Facebook.

Between the website operator and Meta Platforms Ireland Limited, joint controllership under Art. 26 GDPR exists for certain processing operations around the Meta Business Tools according to the provider's terms; the relevant Controller Addendum is published at https://www.facebook.com/legal/controller_addendum.

Reliance on legitimate interests under Art. 6(1)(f) GDPR is generally not sustainable for advertising and profiling tracking procedures, both because Section 25(1) TDDDG requires consent for the cookies and identifiers involved and because of the depth of the processing. The choice of legal basis depends on the individual case and must be reviewed by the website operator.

H. Specific Considerations and Notes on Meta Custom Audiences

  • Joint Controller Agreement: For the collection and transfer of event data via the Meta Business Tools, joint controllership under Art. 26 GDPR exists. Meta's Controller Addendum at https://www.facebook.com/legal/controller_addendum regulates the obligations between the parties; the essence must be made available to data subjects pursuant to Art. 26(2) GDPR. Meta therein assumes, among other things, the fulfilment of certain data subject rights and the information requirements under Art. 13/14 GDPR for the jointly controlled phase.
  • Pixel and CAPI: Website operators should review which events are transmitted client-side via the pixel and which server-side via the Conversions API. CAPI transfers do not set cookies themselves, but a CAPI event typically carries the _fbp/_fbc cookie values, the visitor's IP address and user agent for matching, so it does not replace the consent requirement where behavioural data is collected for advertising purposes.
  • EU hosting / Schrems II: According to its own information, Meta processes data within the EU and intra-group in the USA. According to public information, Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework; if the DPF were to lapse, the Standard Contractual Clauses (SCC) apply. Schrems II risks (in particular access by US authorities) remain subject to critical discussion under the DPF as well.
  • Third-country transfer: A transfer to Meta Platforms, Inc. in the USA is regularly to be assumed.
  • Opt-out: Meta's advertising settings are available at https://www.facebook.com/help/109378269482053/; affected users can object there to use for personalised advertising.
  • DPA and Joint Controller Agreement: For components in which Meta acts as a processor (e.g. customer-file Custom Audiences built from uploaded lists), a Data Processing Agreement is concluded; for the jointly controlled phase, the Controller Addendum applies.
  • Settings for the website operator: Load and initialise the pixel only after consent, enable the Limited Data Use option where relevant (it addresses US state privacy law and is not a substitute for consent in the EU), reduce event parameters to what the campaign needs, hash identifiers when uploading customer lists, and regularly review configured Custom Audiences.
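The operator-side settings above (pixel only after consent, reduced event parameters, Limited Data Use, clean-up on withdrawal) as an added browser-JavaScript example that is not code from this article or from Meta: a small gate placed in front of the fbq queue function that Meta's pixel snippet defines. fbq is passed in so the gate can run against a stub; PIXEL_ID, the allow-list of event parameters, the loadScript hook and the consent-banner integration are assumptions. The Limited Data Use call is the one documented by Meta, fbq('dataProcessingOptions', ['LDU'], 0, 0).

```javascript
// Added example (not Meta's code): a consent gate in front of Meta's pixel
// queue. `fbq` is the global function defined by Meta's pixel snippet and is
// passed in here so the gate can be exercised with a stub. PIXEL_ID and the
// event parameter allow-list are placeholders/assumptions.

// Parameters the site is willing to send per standard event (data minimisation).
// Anything not listed, e.g. an e-mail address placed in custom data, is dropped.
const EVENT_PARAM_ALLOWLIST = {
  PageView: [],
  ViewContent: ['content_ids', 'content_type', 'currency', 'value'],
  AddToCart: ['content_ids', 'content_type', 'currency', 'value'],
  Purchase: ['content_ids', 'currency', 'value', 'num_items'],
};

function createPixelGate({
  fbq,
  pixelId,
  loadScript = () => {},      // injects Meta's pixel snippet; no-op in the test
  limitedDataUse = false,     // US-state-law flag, not an EU consent substitute
  allowlist = EVENT_PARAM_ALLOWLIST,
}) {
  let state = 'pending'; // 'pending' | 'granted' | 'denied'
  let loaded = false;
  let dropped = 0;

  function minimise(eventName, params) {
    const allowed = allowlist[eventName] || []; // unknown event: no parameters
    return Object.fromEntries(
      Object.entries(params || {}).filter(([key]) => allowed.includes(key)),
    );
  }

  function send(eventName, params) {
    fbq('track', eventName, minimise(eventName, params));
  }

  return {
    // Called by the consent banner once marketing consent is given. Only now is
    // the pixel script injected and initialised. advancedMatching (e.g.
    // { em: 'user@example.com' }) is passed only if consent covers it; the
    // pixel hashes it before transmission.
    grant({ advancedMatching } = {}) {
      state = 'granted';
      if (!loaded) { loadScript(); loaded = true; }
      if (limitedDataUse) fbq('dataProcessingOptions', ['LDU'], 0, 0);
      if (advancedMatching) fbq('init', pixelId, advancedMatching);
      else fbq('init', pixelId);
      send('PageView');
    },
    deny() { state = 'denied'; },
    // Events fired before a decision or after refusal are dropped, not queued,
    // so nothing leaves the browser without consent.
    track(eventName, params) {
      if (state !== 'granted') { dropped += 1; return false; }
      send(eventName, params);
      return true;
    },
    stats() { return { state, dropped }; },
  };
}

// Withdrawal stops further events but does not remove cookies the pixel has
// already set. _fbp/_fbc live on the site's registrable domain, so the Domain
// attribute must match for the browser to expire them. Returns the number of
// cookies written.
function expirePixelCookies(doc, domain) {
  const names = ['_fbp', '_fbc'];
  for (const name of names) {
    doc.cookie = `${name}=; Max-Age=0; Path=/; Domain=${domain}`;
  }
  return names.length;
}
```

In a real page, the consent banner's accept callback calls gate.grant(), the reject and withdraw callbacks call gate.deny() followed by expirePixelCookies(document, '.example.com') (domain assumed), and application code calls gate.track(...) instead of fbq('track', ...) directly. Dropping rather than queueing pre-consent events is a design choice: queued events would be sent with the original page context after consent, which some operators accept, but nothing stored before the decision is transmitted here.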

The above presentation is based on information provided by the provider and on publicly available sources and does not replace an individual assessment by the website operator.

I. FAQ on Meta Custom Audiences and Data Protection

J. Conclusion and Call to Action regarding Meta Custom Audiences

Meta Custom Audiences is a powerful advertising-audience tool that operates in a complex constellation of processing and joint controllership. When using it, website operators should ensure effective marketing consent via a consent banner, provide the essence of the Controller Addendum, configure the pixel/CAPI cleanly and critically assess the third-country transfer.

For website operators, it usually makes little sense to include a separate text module in the privacy policy for every tool – including Meta Custom Audiences. This makes the privacy policy long, unclear, hard to maintain and conflicts with the transparency requirement of Art. 12(1) GDPR. A structured, topic-oriented approach that explains marketing tracking collectively and lists Meta as a recipient in an appendix is more appropriate. The matterius generator supports precisely this methodology.

This article serves as general information on Meta Custom Audiences and does not replace legal advice in individual cases. As of: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
