How to Create a Privacy Policy for Facebook Page

Most businesses these days have a Facebook business page where they post content, advertise their products, and engage with their audience. And it’s no surprise as it’s an amazing marketing platform and a great way of reaching new customers worldwide.

Having a Facebook page, however, is not that different from having a website, and thus some of the same legal requirements apply.

One of these requirements is having a valid privacy policy for your Facebook page. Given how common privacy-related concerns are these days, this is to be expected.

To avoid having your Facebook page shut down for non-compliance, you should definitely take care of the privacy policy if you haven’t done so already.

PRO TIP: Take the hassle of writing your own privacy policy away with our privacy policy generator trusted by over 200,000 businesses. It’ll save you hours of work and possible costly legal mistakes.

Do You Need a Privacy Policy for a Facebook Page?

As a general rule, a privacy policy serves to inform your users that you are collecting personal information. It should also state how their data will be stored, what you will be doing with it, and specify that you will not be sharing your users’ personal information with third parties without their express consent.

A good example of an activity that is typically governed by a privacy policy is digital marketing. Having a big email list of potential and existing customers is very valuable for businesses and allows them to better remarket to their audience.

However, in order to get that data, companies often place cookies on their website to track user activity or have a contact form where customers input their email addresses in exchange for a free eBook, newsletter, or some other incentive.

But personal information does not only refer to email addresses. It could also include information such as names, addresses, phone numbers, ID card numbers, social security numbers, or web data (such as IP addresses). In other words, any kind of information that could be used to identify a person.

Any business that processes personal information should have a privacy policy.

This privacy policy should be kept up to date as, in addition to being penalized for not having one, there could be consequences if you collect more data than specified or if you use it in a way that is not explicitly mentioned in the policy.

Most countries have privacy laws in place that require anyone who collects personal information to have a privacy policy. By ignoring these legal requirements, you are exposing yourself to consequences, including steep fines. Seeing as websites and Facebook pages attract people from all over the globe, you must make sure that you comply with these laws as much as you can.

The strictest privacy law in the world is probably the General Data Protection Regulation (GDPR), which came into effect in May 2018. Its goal is to give users more control over their personal information, harmonize privacy laws across the European Union, and punish companies that don’t comply with its requirements.

Articles 12 to 14 of the GDPR suggest that any business that operates in Europe or that processes the data of European users must have a concise, transparent, intelligible, and easily accessible privacy notice in place, and must request express consent from its users before collecting any personal information (if it is collecting their information on the basis of consent).

Seeing as you could well attract European users to your website or Facebook page, and thus process their data without being aware of it, you will want to have a compliant privacy policy in place.

Indeed, the fines that can be imposed under the GDPR are costly: the higher of €20 million or 4% of the organization’s global revenue for serious violations, and/or a minimum fine of 2% of the company’s global turnover or €10 million (whichever is higher) for smaller offenses.

What Are Facebook’s Requirements for a Privacy Policy?

Facebook itself requires any page that collects personal information to have a privacy policy in place and inform its users, just as a website would.

Here is how this requirement is set out in Facebook’s Pages, Groups, and Events Policies:

[Screenshot: “Collection of Data” clause in Facebook’s Pages, Groups, and Events Policies]

You will note from the above that there is an addendum specifically aimed at businesses that have customers located in the European Economic Area (EEA) which includes the following countries:

[Screenshot: list of European Economic Area (EEA) countries in the addendum to Facebook’s Pages, Groups, and Events Policies]

This addendum sets out the respective obligations and responsibilities of both Facebook and the Page Admin. Anyone managing a Facebook Page from any of these countries or that processes data from people located in these countries is subject to this addendum, which forms an integral part of the Pages, Groups, and Events Policy.

That’s because Page Insights, which provides Page Admins with general information about the people who visit or like their page, is generated from cookies placed by Facebook.

Here is an extract of Facebook’s Cookies Policy:

[Screenshot: cookies clause from Facebook’s Cookies Policy]

Facebook also uses cookies when it comes to advertising on its platform, whether it be to determine which ad should be shown and to whom or to measure the performance of a campaign.

While you, as Page Admin, do not have access to the detailed data gathered by Facebook, you do benefit from aggregated Page Insights, which could potentially allow you to identify an individual based on their actions and their “likes” (depending on what they have made public on their profile), especially if your audience is small.

Through Page Insights, the page owner can notably see the demographics (gender and age), location (countries and cities), and languages used by their fan base.

For that reason, the people that like your Page need to know how their data is collected and used.

Is Facebook Responsible for Maintaining Personal Data?

In June 2018, soon after the GDPR entered into force, the Court of Justice of the European Union (CJEU) issued a long-awaited decision in the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH case, which provided some clarity regarding the responsibilities of data processors when it comes to respecting individual privacy rights.

Facebook’s Page Insights Controller Addendum (mentioned in the previous section) was drafted in response to this decision and a statement made by the German Data Protection Authorities (German DPAs) on September 5, 2018, that declared that operating a fan page as offered by Facebook at that time was illegal.

The court, in the decision mentioned above, stated that Facebook Page Admins and Facebook are joint controllers under Article 26 of the GDPR and are both responsible for ensuring that the collection and processing of data from page visitors complies with the GDPR. The two parties must decide between themselves how they will share that responsibility and be transparent with their users about it.

Here is how this shared responsibility is mentioned in Facebook’s Page Insights Controller Addendum:

[Screenshot: shared-responsibility clause in Facebook’s Page Insights Controller Addendum]

Facebook does assume most of the responsibility when it comes to Page Insights and compliance with the GDPR:

[Screenshot: Facebook Ireland’s Page Insights obligations in the Page Insights Controller Addendum]

But you, as a Page Admin, also have a role to play:

[Screenshot: Page Admin obligations in the Page Insights Controller Addendum]

This means that to comply with the GDPR, you will need to identify in the About section of your Page the data controller (your company) and provide its contact details along with those of your Data Protection Officer, if applicable.

You should also state on which legal basis you are processing Insights Data.

There are only six lawful bases for processing data under Article 6 of the GDPR:

  1. The data subject has consented to the processing of their personal data for a specific purpose
  2. It is contractually necessary
  3. It is necessary in order to comply with a legal obligation
  4. It is necessary to protect the vital interests of the data subject or another person
  5. It is necessary for the performance of a task carried out in the public interest or under official authority
  6. It is necessary for the purposes of legitimate interests pursued by the data controller or by a third party

When it comes to tracking the actions that your users perform on your Page using cookies, the legal basis on which you collect data could potentially be consent (which is currently the subject of debate, as there is no option to add an opt-in on a Facebook page) or legitimate interests (which you would have to elaborate on).

In addition to the above, as a general rule and at a minimum, a privacy policy notice should include the following:

  • Business name and contact details
  • Contact details of your data protection officer (if applicable)
  • Type of information that will be collected from website users
  • Legal basis for processing data (as mentioned above)
  • If you are using cookies – how to opt out and what effect this might have on the user’s experience
  • How the information will be collected and by whom
  • How the information will be used and if it will be shared with third parties
  • How you are protecting the information collected from misuse or unauthorized access, how long it will be stored, and if the data will be transferred internationally
  • The rights of your users in regards to their data

What Are the Rights of Those Who Liked Your Page?

The people who like your Facebook Page have the right to control their personal information and, under the GDPR, can ask Facebook to let them access, rectify, port, or delete their data, and to object to or restrict its processing.

Facebook has taken on the major responsibility of making this data available upon request; your users should simply follow the links above to request access to their personal information.

Should you, as Page Admin, receive a data request from an individual or a supervisory authority regarding the processing of Insights data, you must forward it to Facebook and cooperate with them in order to fulfill your obligations as joint controllers under Article 26(3) of the GDPR. This is because the data subject can exercise their rights against the controller of their choice, regardless of the arrangement made between the two parties.

[Screenshot: data-request clause in Facebook’s Page Insights policies]

Note that you do need to have processes in place to manage the data that you collect other than through Page Insights, as this addendum and joint responsibility exclusively refer to the latter.

How to Add a Privacy Policy to a Facebook Page?

Now that we have seen why you should have a privacy policy in place on your Facebook page and what it should include, here are step-by-step instructions that you can follow to add it to your Facebook Page:

1. Log in to your Facebook Business Account and navigate to your Business Page.

2. Click on “Edit Page Info” in the left-hand side menu and you will be taken to a new screen.

[Screenshot: “Edit Page Info” link in the Facebook Business Account side menu]

3. Scroll down to the “Privacy Policy URL” and add a link to the privacy policy on your website in the designated text box.

[Screenshot: “Privacy Policy URL” text field under Page Info, filled with the website policy URL]

If you’ve created a privacy policy using our privacy policy generator, you may link directly to the public URL of your privacy policy.

How to Create a Privacy Policy for a Facebook Page?

Creating a compliant privacy policy for your Facebook page may seem daunting. You need to make sure that you include all elements required both by the platform and under the law to protect your business against any claims and hefty fines.

Copying a privacy policy from someone else’s Facebook page is not enough, as it needs to be tailored to your own activities. It may actually be risky, as it may include clauses that go completely against how you operate yourself. Indeed, some websites, such as e-commerce stores, will need to include additional clauses.

To make things easier and much more reliable, you may use our privacy policy generator to create a custom-tailored privacy policy for your Facebook Page.

Olivia Adams
CIPP/E, CIPM, CIPT
Olivia is an experienced data privacy compliance consultant with years of experience. Throughout her career, she helped hundreds of small to mid-size businesses with comprehensive advice on compliance with privacy laws.