GDPR and Social Media: What Data Protection and Privacy Mean for Social Media Marketers

Do you collect identifying information about your followers? If you have tracking pixels or opt-ins on your site or social media, the answer is “yes.” So, how many of them are EU citizens? If the answer is “one or more,” you need to make sure that you’re complying with GDPR laws—and you have to be able to prove it.

Even though GDPR has been in effect for a couple of years now, many businesses are still not in full compliance. That is a serious risk to your business, since non-compliance with GDPR can cost you up to €20 million in fines or 4% of your company’s global annual turnover for the previous financial year, whichever is higher.

Can you afford that? And, even if you can, why would you want to pay it?

The GDPR was put in place to protect the privacy of consumers, which is a great thing. But with businesses around the world using social media more and more, you may not be in compliance even if you think you are.

We’ve put together this article to help you better understand how GDPR and social media work together and what consumer data protection and privacy mean for social media marketers. If you’re not as familiar with GDPR and social media and want to get up to speed, this is the article for you. Please understand, though, that this article isn’t a substitute for legal advice nor should it be represented as such. This is just a general resource on GDPR and social media. Be sure to consult an attorney for further legal advice!

In this article, we’re going to cover all things GDPR and social media, but first...


What Is GDPR?

The General Data Protection Regulation (GDPR) is a data privacy regulation intended to give EU citizens control over how and when their personal data is collected and shared. This, in turn, impacts how businesses can find new clients and use their personal information. And this extends to social media.

GDPR applies to any company worldwide that handles the personal information of any EU resident. That means, even if you run a business based in the United States, you’re still accountable to the laws of GDPR for your prospects, leads, and customers in the EU.

When it comes to GDPR compliance for social media, there are several areas you need to consider:

Data Protection and Privacy

You must use privacy policy statements on your websites and social media that let visitors know you intend to collect their data before you do so.

Employee Rights on Social Media

You must review your workplace social media policies to make sure they don’t conflict with privacy laws.

Governance and Oversight

You must develop strong internal controls and procedures to make sure you’re effectively managing social media risks.

Information Archiving and Retention

You must implement a record-keeping system to capture social media history and save it in a valid archive.

It feels like a lot because it is. GDPR was primarily put into place to protect consumers. However, don’t assume that means it doesn’t help your business.

How GDPR Benefits Businesses

While GDPR does require a lot of effort on your part to be compliant, here are just a few of the advantages:

Inspire Confidence

Prospects and existing customers know that their data is going to be handled with care, building trust and confidence in your business.

Market to an Engaged Audience

Requiring consumers to explicitly opt in to receiving promotional materials from your business means that you’ll be marketing to people who are actually interested in what you have to sell.

Improve User Experience

Since you’ll need to approach marketing and advertising more creatively, this provides your business the opportunity to improve the experience of your end-user.

How GDPR Protects Consumers

As we mentioned, the primary purpose of GDPR is to offer more protection to consumers. It does that in a few ways like:

Better Privacy

Businesses can only capture, store, and use personal data for the specific purpose they have disclosed and must take measures to safeguard the data.

Authority Over Personal Data

Consumers have better control over who gets access to their data and how they can use it.

Control Over Internet Experience

Consumers decide if they want to get marketing emails from businesses or have their behavior tracked for analytics and advertising.

What Is “Personal Data”?

So, we’ve mentioned “personal data” a few times, but what counts as personal data? With the GDPR, personal data is anything that can be used to identify a specific consumer. This starts with a name, address, and phone number, but also includes:

  • Bank information and any numbers attached to financial accounts
  • Photos
  • Medical information
  • Information associated with social media posts, advertising, and chat tools
  • MAC or IP address
  • Cookies used for analytics

GDPR and Social Media: The Impact on Social Media Marketing

The connection between GDPR and social media isn’t an easy one to see clearly. It primarily impacts paid social media advertising and reporting efforts. Here are three key ways GDPR affects social media marketers.

Social Media and Remarketing Ads

Just about every social media advertising platform offers remarketing or retargeting ads. These are ads that follow visitors from your website to the different social media platforms (or the other way around). They’re very effective and help advertisers create highly targeted and relevant offers. But not all consumers like these ads. And, to be sure, retargeting and remarketing ads as they existed before GDPR ignored the consent that GDPR now requires for this use of consumer data.

With GDPR, serving remarketing or retargeting ads to EU consumers requires those consumers to have agreed to such usage of their data. This involves adding extra steps to your campaigns and sales funnels, which gives consumers more chances to drop out. Plus, this makes it a bit more difficult to market via social media to those who are most likely to be interested in what you have to offer, like those who have already visited your website.

If you’re targeting EU consumers, you must be clear where you’re using consumer data and how you track and disclose your compliance with GDPR at each step of your marketing funnel.

Social Media Traffic and Your Privacy Policy

Do you have a social media landing page encouraging visitors to opt in to your email newsletter or to get a free tool or download? With GDPR, your visitors will have to opt in twice—once to accept your privacy terms before opting into your offer and again to opt in to your offer itself.

Many websites have started adding popup messages requiring visitors to accept cookies and privacy policies as soon as they land on the site. It seems like a small thing, but it’s another step your site’s visitors need to take before you can get them to opt in to your actual offer.

When you think about the volume of your social media traffic that comes from mobile devices, this requirement of visitors to scroll through or accept your privacy terms is disruptive to user experience before visitors even get to your offer. Of course, over the past couple of years, these notifications have become so common that website visitors are used to them, making it almost a thoughtless gesture to accept privacy terms and disclosures.

Limited Behavior Tracking

Google Analytics and other social media analytics tools give marketers the information they need to know whether they’re getting a good ROI from their social media marketing efforts. But what happens when you can’t monitor social traffic’s behavior or attribute visitors to social media? While this isn’t a huge issue for most businesses, it could easily leave you with little understanding of your social media visitors. Fortunately, Google has taken steps to be compliant with GDPR, so Analytics can still provide insight, at least for those visitors who accept your privacy terms.

If you’ve noticed changes to your traffic as a result of GDPR, like drop-offs or regional data lagging, you may need to test your cookie opt-in to make sure that more of your social traffic accepts the terms.

What Social Media Marketers Can Do to Stay Compliant

By now, you’re probably wondering what you can do to stay compliant with GDPR as a social media marketer. In this section, we’ll cover six areas you’ll want to address and show you how to do it.

Active Opt-Ins

If you are responsible for collecting, storing, or analyzing data for marketing, you can get started on the right path toward GDPR compliance by offering opt-ins for people who are engaging with your social content. The opt-ins should be mobile-friendly.

The opt-ins that you use for GDPR are going to be a bit more involved than pre-GDPR opt-ins. Specifically, you’ll need to include privacy and compliance notices which could mean more than one checkbox on your opt-in forms to ensure that you explicitly gain permission for the types of data you’re collecting.

Explicit Privacy Notices

Social media marketers should include clear privacy notices on all marketing campaigns to ensure that consumers understand how their data will be used. Not only should the process be documented, but opt-ins and permissions also need to be tracked so you can prove compliance if needed.

Social Media Policy

It’s important for social media marketers to create detailed documentation for their social media policy. This should serve to educate your users as well as those working within social media for your business and needs to include the rules around GDPR and social media as well as what your business is doing to keep user data safe.


It’s your brand’s responsibility to inspire confidence in your business and take steps to build trust with your users. If your leads and customers don’t trust you, you’re going to have a really hard time getting them to opt in to your privacy policy or offers. Here are a few things you can do to build trust:

  • Give away valuable content. You can’t sell all the time or your users will get fatigued. Make sure that you’re providing valuable content to your users for free. This could be guides, how-tos, or fun content.
  • Show real people in your social marketing. People trust people. A really easy way to inspire trust is by including your employees or customers in your social media marketing. You can do this through user-generated content, employee and customer highlights, or “behind the scenes” content.
  • Cultivate a good online reputation. Your online reputation matters. Pay attention to social media and address questions, concerns, and comments from users to instill confidence in your brand.
  • Engage in social listening. Social media listening goes beyond monitoring your mentions and can give you a better understanding of sentiment about your brand.


Data breaches are a real concern when dealing with social media. You can minimize the possibility of data and privacy breaches by using only a few social media platforms (ideally the ones where your target audience hangs out). You can increase safety on your social media accounts by setting up two-factor authentication whenever possible.

Remember, you want to avoid data breaches. Working your way back into the hearts and trust of consumers is a lot harder after one happens.


You probably already know how important it is for brands to build and nurture relationships with prospects and customers, but it’s so important we still need to include it here.

Building relationships on social media is easy to do. It involves reaching out, commenting, replying to comments, and generally engaging with your followers. While social media isn’t the only way to build relationships, you can use it to add touchpoints, and more touchpoints mean more chances to inspire prospects to act. Plus, it’s a lot easier for prospects to opt in to a privacy policy or an offer if they feel they have an existing relationship with a brand.

What Are Social Media Networks Doing Differently for GDPR?

Not all social media platforms are the same and, as such, their responses to GDPR differ, too. What is clear, though, is that every major social media player with users in the EU has to be compliant with GDPR and they’re all taking it seriously. Here’s how the top four social media platforms are handling it.

Facebook and Instagram

If you’re using Facebook advertising to collect leads, you’ve probably noticed that Facebook is now requiring businesses to accept lead ads-specific terms before running those ads. Facebook is doing this to ensure that businesses know what they’re required to do before they get too far into the process of creating their campaign. They also help businesses create GDPR-compliant ads with disclaimers and consent checkboxes.

Instagram is owned by Facebook and follows the same GDPR protocols.

Twitter
Twitter has engaged a third-party business to process their data for users outside of the United States. Like Facebook, Twitter also makes sure that users consent before advertisers get access to any protected data.

LinkedIn
Like Facebook, LinkedIn requires users to update lead generation forms to ensure compliance with GDPR. Many companies are simply adding a link to their privacy policies along with text that explains how they’ll use the data they collect.

Stick to GDPR and Social Media Best Practices

GDPR has changed the way brands with EU audiences handle personal data, and fines of up to €20 million for failure to comply encourage brands to implement GDPR policies. If you’re concerned about GDPR compliance, you’ll want to seek legal advice.

While GDPR makes it a bit more complicated for brands to collect and use users’ private information, it’s important to remember that GDPR isn’t intended to keep brands from marketing to or communicating with prospects and customers. In fact, GDPR has forced businesses to create better, more targeted marketing campaigns that have, in turn, led to an increase in data quality. This is good news for businesses since better data tends to mean a more engaged prospect list.

And, despite the legalese used in GDPR laws, the rules are pretty simple:

  1. Don’t contact people unless they ask to be contacted
  2. Don’t assume people want to hear from you
  3. Don’t cold contact people
  4. Don’t send irrelevant information
  5. Keep track of the data and permission you’ve received

If you’re doing those five things, you’re well on your way to GDPR compliance.

About the Author
The Influencer Marketing Hub Team brings together a diverse group of experts with a passion for influencer marketing, digital trends, and social media strategies. Each piece of content crafted by this team is researched and written to provide valuable insights, tips, and updates for our readers. Our authors are dedicated to delivering high-quality, informative, and engaging articles that help businesses and influencers thrive in this rapidly changing digital world.