What GDPR Means for Your Ongoing Instagram Strategies

Richard LeCount

This article was written by Richard LeCount - the DPO and managing director of usbmakers.com, a company specialising in top of the line USBs and power banks.

The sanctions for a company that fails to comply with the EU’s General Data Protection Regulation may be costly:

“Organisations found in breach of GDPR can be fined up to 4% of annual turnover or €20 million (whichever is greater)” – EUGDPR.ORG

Despite such huge fines awaiting any company that fails to adhere to the law, a third of all European businesses still fail to comply with GDPR standards.

However, although businesses will have to change the way they market to customers via social media, there are many benefits for both businesses and their consumers when it comes to taking steps to become GDPR compliant. 

In this article, we’re covering some of the major benefits of GDPR and how to ensure that your Instagram marketing is entirely GDPR compliant.

What is GDPR?

If you’ve ever used an app or website that requires you to sign up to create an account, then you know all about the long and arduous terms and conditions, and in almost every case there’s a good chance you don’t read through them before ticking that ‘I Agree’ box. 

Ticking the box means you’ve essentially given the company the ability to accumulate and hoard your personal data. More than this, it means you have given your consent for companies to make financial gain using this information.

This is how businesses such as Facebook – who don’t charge you to use their service – make a good portion of their annual revenue, which topped $40 billion in 2017.

While Facebook is not exactly selling your information, they do use it to determine which advertisements are likely to be targeted to you. This information is usually made up of simple things that we take for granted, such as your name, age and religion, and generally any information which will help to produce adverts that are likely to appeal to you.

Sometimes, as we saw with the Facebook Cambridge Analytica controversy, data is mishandled on a huge scale. This data breach meant that third-party applications were able to unduly access the personal data of 146 million Facebook users, 87 million of whom had not given their permission for this information to be used.

The GDPR directive is designed to push companies to improve their data handling practices and empower consumers to take back control of their data with a greater understanding of how it is being used and why.

What Does GDPR Mean for Social Media Users?

As we’ve already explored, GDPR is greatly beneficial for users of social media, in a few different ways. All social media users are entitled to more:


Businesses like yours now need to gain explicit consent to stockpile data, and that data must be necessary for a specific reason that is explained from the beginning. Users therefore have a lot more privacy, since they can choose to withhold certain information if they wish to.


With GDPR in place, supervision around the collection and processing of data is far more robust. In theory, the rollout of GDPR will lead to fewer data breaches, like the example we mentioned above.

Control Over Online Shopping 

Consumers now have the ability to decide from the outset if they want their personal information and surfing habits to be tracked for personalised marketing and analytical purposes. This affords them a greater level of control over their social media feeds and whether or not they wish to receive advertising emails.

What Does GDPR Mean for My Business? 

If your business is based in the EU or deals with any EU citizen – even if it’s just a single customer – then GDPR applies to you.

As a company, you’ll need to be very clear about how you collect consumer data, and you will also need to obtain explicit consent from each individual to process and store it.

As with any form of marketing, GDPR will affect how you can use social media to market to your consumers. 

There are some essential requirements you need to fulfil under GDPR, which include:

  • Using plain and concise language throughout your privacy policies, as well as explanations of how you handle consumer data 
  • Obtaining explicit consent to collect and use data; making it easy for consumers to opt out immediately or down the line, if they change their mind
  • Users must be informed within 72 hours of detection if your database has been breached
  • Users must be given the ‘right to be forgotten’, which basically means all of their data must be erased upon request
  • Users must be given the right to opt out of targeted advertising which uses their personal data
  • Safeguards should be put in place to protect information which relates to race, health or any religious or political beliefs

There are six grounds which can give you a lawful basis under GDPR to process someone’s data:

  • Contract
  • Consent 
  • Legal Obligation
  • Vital Interest
  • Public Interest 
  • Legitimate Interest

The ones that pertain to social media are consent and legitimate interest.

What Does GDPR Mean for Your Overall Social Marketing Efforts?

If your business leans on social media as an important marketing outlet, then you really should be GDPR compliant by now.

However, perhaps you’re concerned that GDPR could seriously hamper your overall social media marketing strategies.

GDPR broadly impacts social media marketing in two ways – social media advertising targeting and lead generation. 

Changes to Social Media Advertising

Now that GDPR is in full swing, it is more difficult for you to track customer behavioural data for automated targeting or audience profiling – unless you have explicit opt-in consent from that customer.

For instance, if you use social media to target current or potential customers to inform them of a sale using their email addresses, you will now need specific consent to process their data for this purpose.

Specific consent means you need to have ticked the following boxes:

  • It is voluntarily given: Consumers must have been given a genuine option to accept or to reject the terms, which includes the opportunity to withdraw consent later down the line if they so wish;
  • Specifying what the data is for: You will need to state very clearly which data will be collected and what it will be used for;
  • No ambiguity: Your request for consent makes your intentions clear and is written in simple, everyday language;
  • No pre-ticked boxes: Pre-ticked consent boxes are not permitted. Users must be given the chance to actively tick the box themselves.

Changes to Lead Generation

Lead form ads are an awesome way to generate new business, but there are a few things that have changed since GDPR. 

Since lead form ads are a means of collecting consumer data, you will need to explain to the user how this data will be utilised and justify legal grounds for processing their data. 

What Does GDPR Mean for Instagram Social Marketing Efforts?

With over 1 billion active users, Instagram is a leading social platform which has grown to become a hugely diverse online community with boundless marketing promise.

Instagram is a fantastic platform if you’re looking to create eye-catching, highly visceral content. Marketing on Instagram is just another way for your business to make contact with potential customers and achieve the following:

  • Directing traffic to your website
  • Increasing product conversions
  • Increasing brand reach and engagement

However, as with any form of social media marketing, Instagram paid advertising has changed post-GDPR.

Facebook Pixel

As an Instagram marketer, you will most likely already know that using a Facebook pixel on your website gives your users an improved experience and gives you valuable information about the kinds of products and services that they might be interested in seeing. 

The stumbling block here is the fact that GDPR will have an influence on how you use a Facebook pixel. 

Using a Facebook pixel to advertise on Instagram will require you to comply with GDPR if you are any of the following:

  • An ecommerce website that uses cookies to gather data about the kind of products that people are viewing on the site to create personalised ads based on their browsing behaviour
  • A blog that uses a third-party analytics provider who uses cookies to collect demographic data about its visitors
  • A website that uses an ad server to display adverts, and uses cookies to collect data on who views the ads
  • An Instagram or Facebook advertiser who uses a pixel to measure ad conversions or retarget adverts on Instagram or Facebook

If your organisation falls into any of these four categories, then you will need to gain consent from your users. You could do this by displaying a ‘cookie banner’ when visitors land on the page for the first time, to inform them how to opt in.

You could also obtain consent when a consumer is signing up for your offer.

Instagram Custom Audiences

Custom audiences are those which you acquire from your email list and can use in Facebook ads to target Instagram users directly.

However, GDPR affects Instagram custom audiences too.

Uploading an email or contact list into the Instagram custom audience means that you become the data controller. And, as per GDPR guidelines, the role of data controller means that you must ensure your subscribers have already given their consent for you to market to them. 

If you’ve obtained any of this contact information from any of the following sources, then you need to delete it, as GDPR states you cannot market to them unless you’ve been given specific consent:

  • Contacts through other social media platforms, e.g. LinkedIn
  • Email addresses from business cards
  • Purchased email lists 
  • Scraped email lists
  • Shared pixel information from third party sources

Also, speaking of compliance, you must ensure that your custom audience list is updated often so you can pick out subscribers that have withdrawn consent. 

Instagram Lookalike Audiences

Fortunately, under GDPR, Instagram lookalike audiences remain as they were.

This is because lookalike audiences use a ‘seed’ audience from one of your custom audiences to search for new people to add to the lookalike audience. You won’t need consent to advertise to these people – however, you should update your Instagram privacy policy to include this.

By doing this, you’ll be informing your audience about how you’ll be using their data. Adding it to your landing page shows that you are completely honest about how information is handled.

It’s also important to add a link to your updated privacy policy on each page of your website – including pages with email opt-ins. 

For example, if you’re pushing traffic from an Instagram lead ad, you need to remember to include a cookie consent banner, a GDPR compliant email opt-in and a prominent link to your privacy policy.


You might think that GDPR laws don’t apply to you just because you’re not a big corporation, but if advertising on Instagram doesn’t comply with GDPR laws, anyone could run into tricky legal territory.