Over the past few weeks, we all got our inbox clogged with emails about changes in privacy policy, requests to reconnect and confirm our personal data with cheesy “Your privacy is important to us” (really??) subject lines etc. This was all due to the entry into force (on May 25th, 2018) of the new EU regulation on the collection and management of personal data (formally General Data Protection Regulation, 2016/679 or, in short, GDPR, see this awesome guide if you need to understand what’s all about). All this of course also exacerbated by the onset of the Cambridge Analytica affair , which led everybody to a kind of ‘privacy rush’.

Now that the hype wave has gone, it is maybe time to dive a bit deeper into the real consequences of such regulation. In particular, we focus here on social profiling, i.e., the practise of profiling users based on their social media activities. Often without users knowing (or noticing..) it. While this practise has always been in a (very!) grey zone from the legal perspective, many companies are still doing it. When we say ‘grey zone’ we mean both from the point of view of existing (pre-GDPR) privacy regulation as well as T&Cs of social network platforms.

Profile of our CEO, Daniele Miorandi , as computed by social profiling Tapoi tool based on his social media activities.

Just to make it clear through an example, it has never been legal to profile people based on what they tweet. You may think that as tweets are publicly accessible you can do whatever you want with it, but that’s not the case. That data indeed is not yours, but it is owned by the user who wrote it, who by publishing it on Twitter provides Twitter (not you) a a “worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods” (see the ToS here ). So the fact that you can read my tweets basically gives you no right to use them, even more for profiling me. GDPR just clarified that (all least for EU citizens) this is not allowed in the absence of an explicit consent of the user.

So is this kind of a catch 22 for social profiling? Is it a dead-end street?

Not really. And a handy tool for doing things right is social login.

Social login is the process through which users can sign up to an online service by using their social media account, without the need to create yet another user/password pair. The social media platform works in this case as a broker, ‘certifying’ the identity of the user to the service provider and replacing tradition login credentials. This process has benefits for both sides. On the user’s one, no need to remember yet-another-password. And a handy way to control access to your data (see the screenshot on how on Facebook our CEO could check which apps have access to his data).

On the service provider' side, it saves the costs (and time) related to the management of digital identities. And - and that’s the whole point here - it provides a handy way to explicitly ask for user’s consent to access data, thereby helping companies comply with GDPR (in particular with Art. 12 and Art. 13). Of course it is not sufficient to just ask users for access to their posts/likes/etc. through the social login process, as to comply with GDPR you must:

1. explain them which kind of data you are collecting, for what purpose, and inform about potential transfer of such data to third countries;
2. explain them how long you will keep the data and remind them of their rights in terms of access to/modify/erase the data you collected (including a description of the procedure for withdrawal of consent);
3. inform them about any automated decision-taking carried out based on their personal data, or other profiling activities;
4. ask them to explicitly grant permission.

For doing so, technically you can safely use the redirect URL provided by social login providers ( here an example for Facebook) to take users to a purposeful informed consent landing page, on which you can provide the details in points 1-3 above and ask for consent (point 4). While you’ll probably need to consult with your legal department/advisor to make sure your informed consent form and privacy policy comply with GDPR (you can also consult some good guides here ), social login provides you with the mechanics to implement a fully GDPR compliant social profiling process (and therefore avoid hefty fines).

If you want to have a chat on how to implement social login and social profiling for your online service, drop us a line at info@u-hopper.com .

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 739783 (DataSci4Tapoi). The information and views set out in this article are those of the author(s) and do not necessarily reflect the official opinion of the European Union. Neither the European Union institutions and bodies nor any person acting on their behalf may be held responsible for the use which may be made of the information contained therein.