William John Gauthier

Facebook’s Custom Audience Tool

Posted on July 8, 2024  •  6 minutes  • 1171 words
Table of contents

Earlier this year, I discovered Facebook’s Custom Audience service, which is a tool that makes it possible for advertisers to target ads to Facebook’s users based on demographic characteristics, such as age, gender, language, or existing customer relationships. I found the latter particularly interesting, as I later learned that many companies willingly share their customers’ contact information, often without their consent, with Facebook’s advertising service to exclude or target ads to them.

In practical terms, companies upload a hashed list of email addresses (or other contact information) to the Custom Audience service, which Facebook then matches against existing profiles. The companies can then decide if their ads should be excluded from or targeted to these profiles. Facebook also stores the hashed values of email addresses they were unable to match to any existing profiles in case they are used to sign up for a profile in the future. These profiles are called shadow profiles and were discussed during a hearing before the House Energy and Commerce Committee in 2018.

The fact that companies share the hashed values of their customers’ email addresses with Facebook might not sound bad, given that Facebook most likely already has the email address of most of these customers anyway. However, the problem is that these companies effectively help Facebook build a much more detailed profile of their user base by sharing information about which services they use and where they shop. This sharing could potentially also divulge a more sensitive class of personal information, for example, if a union or religious organization shared its member database. So, companies should not blindly disclose their customers’ information, especially not without consent.

Who Are These Companies?

Facebook, on its Ad Preferences page , has made it possible to see which companies have uploaded and shared your contact details, such as your email address or phone number, with its Custom Audience service. Surprisingly, I found that more than 25 companies, some of which I don’t even recognize, had shared my information with Facebook. On the list of companies are telecommunication providers, financial institutions, charities, retailers and other places where I have done online shopping.

I picked two companies from the list to find out why they had shared my information, with the goal of filing a complaint with the Danish Data Protection Agency to challenge the legality of the processing. The two companies I picked were Telenor, one of the biggest telecommunication providers in Scandinavia, and Danske Spil, the national lottery in Denmark.

Direct Marketing and the Legitimate Interest Clause

In February and early March this year, I filed subject access requests under the GDPR with Telenor and Danske Spil. I asked why they had disclosed my email address to Facebook and what lawful basis under the GDPR they had used. I also objected to the processing and asked them to delete the information.

Telenor and Danske Spil complied with my objection and request to have my email address deleted from Facebook’s service. Both companies stated that they had disclosed my email address for the purpose of direct marketing and that they used the legitimate interests clause of the GDPR as their legal basis for this.

As it turns out, the processing of personal information for the purpose of direct marketing is actually an overriding legitimate interest under the GDPR, but it does require a “careful assessment” of whether a data subject can reasonably expect the processing for that purpose to take place (recital 47 of the GDPR ).

National law in Denmark provides even stronger protections against direct marketing than what the GDPR does. The Central Population Registry office, under the Ministry of Interior and Health, maintains a Robinson list of residents that do not wish to receive marketing transmissions, which companies are legally required to query under the Marketing Practices Act (§ 10 of the Act ). The Danish Ministry of Justice has also promulgated a supplementary regulation to the GDPR, which requires companies that use or disclose personal information for the purpose of direct marketing to query the Robinson list (§ 13 of the supplementary regulation to the GDPR ).


In April, I filed two complaints with the Danish Data Protection Agency (Datatilsynet). I argued that my interests and fundamental rights override Telenor and Danske Spil’s interests in direct marketing and that both companies had failed to query the Robinson list before disclosing my email address, contrary to the supplementary regulation to the GDPR and the Marketing Practices Act. Datatilsynet informed me that it had conducted a limited investigation into my complaints and that I should instead contact the companies myself to make them aware of my complaint.

Later in April, Datatilsynet formally decided on a similar complaint submitted by another complainant about a telecommunication provider’s disclosure of his information to Facebook’s Audience Based Advertising service. Datatilsynet found that a disclosure under the legitimate interests clause could take place, but that a registrant should be made explicitly aware and given the option to opt out of direct marketing transmissions. Datatilsynet found the processing in this specific context unlawful, but did not, as in many other cases , issue any fines.

Following Datatilsynet’s decision, I contacted Telenor and Danske Spil and made them aware of my complaint to Datatilsynet. Telenor replied that it had decided to discontinue its use of Facebook’s Audience Based Advertising, based in particular on Datatilsynet’s recent decision. Danske Spil replied that they have changed the way they disclose information to Facebook and that they will no longer disclose information of customers that are on the Robinson list.

What’s Next?

There are a few things you can do to better protect yourself against direct marketing. Proton makes it possible to create “hide-my-email aliases ”, and some email providers, such as Google’s Gmail, provide a service called “plus addressing”, which allows users to create different variations of their email addresses by adding a plus sign(+) after the local part of the address. For example, example@gmail.com and example+telenor@gmail.com are effectively the same email address, but they look different and produce different hash values, which makes it impossible for Facebook (or other direct marketing services) to match them to existing profiles. They also make it easier to filter emails based on where they originated.

Signing up for the Robinson list in Denmark should also, at least in theory, provide better protections against direct marketing, but it only applies to businesses engaged in marketing activities in Denmark.

Lastly, the Danish Data Protection Agency’s recent decision is a small win, as it will now require companies to make their customers explicitly aware of the fact that their information can be disclosed for direct marketing purposes and give them the option to opt-out of this. However, things will only change if the GDPR is actually enforced and the DPA is made aware of violations. Therefore, check the list of companies on your ad preferences page on Facebook and file complaints with the DPA, use email aliasing tools, and consider signing up for the Robinson list if you reside in Denmark.