
Social Media Data Collection and Privacy: Key Action Items




In our digital age, social media platforms have become a crucial tool for businesses to connect with their audience. However, the introduction of comprehensive privacy laws such as the General Data Protection Regulation (GDPR) has necessitated a re-evaluation of how businesses collect and handle personal data on these platforms. Here are some key action items extracted from the DMA’s guide on social media, GDPR, and data and the ICO Direct Marketing Guidance.

1. Collecting Personal Data via Lead Generation

When collecting personal data, it’s crucial to explain to visitors the purposes for collecting the information. The GDPR stipulates that personal data must be collected for “specified, explicit and legitimate purposes.” Therefore, when personal data is collected, platform owners must first explain to users how it will be used and provide them with information about their rights.

Secondly, they must ensure the different purposes for processing personal data are separated out. The platform owner must specify in what way the personal data collected will be used. This notice needs to be clear and unambiguous. For example, instead of saying “marketing purposes,” use wording such as “information and deals on new and current products.”


2. Community Management

Personal data exchanged in public messages on social media platforms isn’t owned by the brand or the agencies acting on behalf of brands; it is owned by the individual who uses social media platforms.

Brands must set out how they will use such personal data in their privacy notices. When running a competition on a social media platform and collecting personal data for this purpose, competition entry terms and conditions must explain how the collected data will be used.

If a brand, or an agency acting on behalf of a brand, is moderating social media channels, the staff members of the brand or agency must carry out the moderation in line with the brand’s social media policy.

3. Using Social Media Data to Create Lookalike Audiences

Facebook’s Custom Audiences Tool requires advertisers to obtain consent before uploading personal data to Facebook to create Custom Audiences. If a platform user responds to a lookalike advertisement, once the user returns to the advertiser’s website, the advertiser is responsible for compliance with the GDPR. In particular, the advertiser must make sure that it complies with the right to be informed under Article 13 of the GDPR.

4. Viral Marketing

Organizations must not try to escape their obligations by asking existing contacts to provide contact details for their friends and family. Organizations must still act fairly and lawfully and cannot assume that the contact will act in the other person’s best interests, especially if there are incentives for providing the information.

In fact, the ICO advises against this type of viral marketing, as it will be difficult to be sure there is the necessary consent to comply with obligations under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and The Data Protection Act 1998 (the DPA).

5. Collecting Personal Data on Other Social Media Platforms

These general principles and guidelines for handling personal data on social media platforms under the GDPR would apply to LinkedIn and other platforms as well. Each social media platform may have its own specific policies and guidelines for data collection and usage, which should be reviewed and adhered to in addition to the general GDPR guidelines.


The GDPR and other more recent privacy laws have brought about significant changes in the way businesses need to handle personal data. However, by being aware of and adhering to the obligations and requirements set out in such laws, businesses can ensure they are in line with privacy laws, continue respecting the personal data of their users, and still effectively leverage social media data for their marketing efforts.

Noa Kahalon
COO at hoggo

Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, which builds transparency around data privacy practices.