Facebook has been using “shadow data” to target ad campaigns, and this may represent a GDPR violation. When users set up two-factor authentication (2FA) for their Facebook account, the number or means of communication that they use is used by Facebook to target ads. This is also true if someone with your contact information allows Facebook to use their contact list to find friends on Facebook; put simply, if anyone who knows you allows Facebook to help them find friends via their address book then Facebook has your contact details as well and uses them for ad targeting. This use of data is not obvious, clear, or in anyway told to the user which means that Facebook may be facing another GDPR fine for the practice.
Targeting someone requires that you know part of their contact information already, but it is possible to target specific individuals through information they’ve never provided to Facebook by uploading criteria. GDPR requires that any use of data be clearly demonstrated to the data subject and that they have to opt-in to the specific uses of their data. Facebook initially denied that they used data in this way, but later admitted to the practice when a Gizmodo reporter demonstrated how she had targeted a number that Facebook was never given permission to use. If the European Union pushes Facebook on this, it could lead to a massive fine for the social media giant.
