Facebook Updates Custom Audiences TOS: No Scraping UIDs

Advertising on Facebook is incredibly powerful because of the ability to target your ideal customer. You can even target those who are on your email list, have used your app or have visited your website, making ads more relevant.

But with great power comes great responsibility…

Unfortunately, many advertisers took advantage of some of this power and targeted in ways that weren’t allowed by Facebook. But there was so much confusion about what advertisers could and couldn’t do that not all were knowingly breaking the rules.

Facebook just updated their Custom Audiences Terms of Service to help clarify what advertisers can and can’t do.

What Custom Audiences Are

I assume you know what Custom Audiences are, but that may be a mistake. So a quick overview.

You can create ads that target users who are closely connected to you via any of the following:

  • Email Addresses
  • Phone Numbers
  • Website Visitors
  • Facebook App UIDs
  • Mobile App Users

This is done within the Audiences area of Ads Manager or Power Editor.

[Image: Facebook Create Audience]

How Advertisers Were Using Custom Audiences

This created some pretty powerful opportunities for advertisers.

They uploaded their customer lists (email or phone numbers) and created ads targeting them.

They placed pixels on their websites to remarket to those who have read particular articles.

They uploaded User ID lists of those who used their Facebook apps.

The things above are all allowed.

But they were also using email lists of people who weren’t customers — bought lists or otherwise. They were scraping UIDs from Facebook pages and groups as a way to better target those connected to these things.

This is against the rules. Some advertisers knew this and did it anyway. Others broke the rules unknowingly because those rules were not clear.

The Rules for Custom Audiences

I say the rules weren’t clear, but I think most of this was willful ignorance. I wrote a post about how advertisers broke these rules nearly a year ago, so this is nothing new.

If you create Custom Audiences, you need to read the Terms of Service. The bottom line is that you can’t create Custom Audiences unless you have rights to the data.

So if you have an email list that includes people who have not willingly opted onto that list, you can’t target them.

If you are using scraping tools to build Facebook UID lists of people (even if they are your fans or in your group), you can’t target them.

If you are manually finding users and building a Facebook UID list for a Custom Audience, you can’t target them.

The Changes to Custom Audience Terms of Service

Facebook announced some Custom Audiences TOS language changes within the PMD News group. The changes don’t impact the rules in any way, but they should help clarify what advertisers can and can’t do.

Posted by Abha Maheshwari on September 9:

Our goal with this recent change is to provide more clarity around Custom Audiences for our valued advertisers. There are no material changes to the product, however we have clarified the language to make it clear that we will not use an advertiser’s Custom Audiences for any purpose not authorized by the client.

Following are the changes and clarifications Maheshwari highlighted (direct quote):

  • “If you are using a Facebook identifier to create a Custom Audience, you must have obtained the identifier directly from the data subject in compliance with these terms.” This means that Custom Audiences using the Facebook user ID must be composed of users who have accepted or engaged with their app. Scraping UIDs is prohibited.
  • “Facebook will not give access to or information about your custom audience to third parties or other advertisers, use your custom audience to append to the information we have about our users or build interest-based profiles, or use your custom audience {REMOVED “in any way associated with your brand”} except to provide services to you, unless we have your permission or are required to do so by law.” This means that Facebook will not use Custom Audiences in any way without the advertiser’s permission.
  • “If you are providing Hashed Data on behalf of a third party, you may only use that third party’s own data to create custom audiences on its behalf and may not augment or supplement that data with other data. You may not sell or transfer custom audiences, or authorize any third party to sell or transfer Custom Audiences.” This means that Custom Audiences cannot be sold or transferred, and third parties may not use their data to create custom audiences on behalf of an advertiser; they can only use the advertiser’s data. These terms come from our existing platform policies.

Maheshwari clearly states that “scraping UIDs is prohibited.” Of course, the TOS language itself doesn’t explicitly say that, though it is implied.

However, note 3.2 of Facebook’s main TOS:

You will not collect users’ content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission.

That is pretty darn clear!

While the focus of this post is on scraping, note Maheshwari’s third point as well about sharing data. If you have many clients, you can only use the customer data for the particular client. You can’t share it between similar clients in the same field, for example.

The Changes to Custom Audience Creation

Knowing that most advertisers will never read the TOS (those terms you say you’ve read when you create your Custom Audience), Facebook updated the creation of Custom Audiences to make the rules a bit clearer, particularly when it comes to UIDs.

According to an announcement from Maheshwari in the PMD News group on September 11, advertisers must now specify an app they are uploading UIDs from:

Starting today, advertisers will need to specify one or many App IDs when creating Custom Audiences based on the Facebook user ID or app-scoped user ID in all self-serve interfaces (Ads Create Tool and Power Editor). This requirement will be enforced within the interfaces, and API enhancements will be announced separately at the end of October as part of the breaking change announcements.

By requiring an App ID, Facebook is ensuring that Custom Audiences created only include IDs associated with people who have actually logged in or engaged with an advertiser’s app.

Here is what the flow now looks like when attempting to create a Custom Audience from a UID list:

[Image: Create Facebook Custom Audience UID]

Notice that you are now required to provide an app ID.

Will You Still Break the Rules?

It’s unclear what impact this will have on those who willingly break the rules. If an advertiser has an app, I haven’t heard whether there’s a check to be sure that the UIDs being uploaded are from users of that app.

First, use the smell test. If it smells wrong, it probably is. I find it pretty easy to stay within the rules if you have a strong ethical foundation.

Second, you don’t want to get on Facebook’s bad side. It could mean shutting down your advertising account. It could mean a lot of things. You may get away with breaking the rules for a while, but the cheaters always seem to get burned eventually.

Cheaters are gonna cheat. And cheaters are gonna get burned. And cheaters will continue to try and manipulate the system for short-term gain while ignoring the long-term impact.

But this should help the many advertisers who innocently followed others, thinking this was accepted practice.

Your Turn

What do you think of these updates? Do they impact how you use Custom Audiences?

Let me know in the comments below!