Custodia-Admin

Posted on DEV Community • Originally published at app.custodia-privacy.com

GDPR for Social Media Managers: Client Data, Audience Insights, and Advertising Compliance

If you manage social media accounts on behalf of clients, you are almost certainly processing personal data — and that makes GDPR your problem, not just your clients' problem. From custom audiences and retargeting pixels to DMs from unhappy customers, the day-to-day work of a social media manager or agency sits squarely within the scope of European data protection law.

This guide breaks down the key GDPR obligations that apply specifically to social media management work, whether you are a freelancer handling a handful of accounts or an agency running campaigns across dozens of brands.


You Are a Data Processor — Act Like One

When you manage a client's social media accounts, you are typically acting as a data processor under GDPR. Your client is the data controller — they determine the purposes and means of processing — and you carry out that processing on their behalf.

This distinction matters enormously. As a processor, you must:

  • Only process personal data on documented instructions from the controller (your client)
  • Enter into a formal Data Processing Agreement (DPA) with every client before you access their accounts or handle their audience data
  • Implement appropriate technical and organisational security measures
  • Assist clients in responding to data subject rights requests
  • Not engage sub-processors without the client's prior written authorisation

Many social media agencies operate for years without a single DPA in place. If you are one of them, this is your most urgent compliance gap to close. A DPA does not need to be lengthy, but it must cover the scope of processing, the categories of data, retention periods, and the rights of data subjects.


Meta Business Manager and LinkedIn Campaign Manager: Who Is the Controller?

Platform access complicates the controller/processor picture. When you use Meta Business Manager to run ads for a client, the legal relationship involves three parties: your client, you, and Meta.

Meta acts as an independent controller for its own purposes (targeting, platform improvement, fraud prevention). Your client is a controller for their advertising goals. You, as the agency, may be acting as a processor on the client's behalf — or, if you have significant discretion over how campaigns are run, potentially a joint controller.

The key question is: who decides why the data is being processed? If you are simply executing the client's brief, you are a processor. If you independently decide to retarget a particular audience segment or build a lookalike list without specific client instruction, you may be acting as a joint controller with all the responsibilities that entails.

Practically speaking:

  • Ensure your client has accepted Meta's or LinkedIn's own controller terms
  • Document the instructions you receive from clients for each campaign
  • Do not use audience data from one client's account to benefit another

Custom Audiences and GDPR Consent Requirements

Facebook and Instagram Custom Audiences allow advertisers to upload customer lists — email addresses, phone numbers, or device identifiers — that Meta matches against its user base. This is powerful but legally sensitive.

Under GDPR, uploading a customer list to create a Custom Audience is a processing activity. The data controller (your client) must have a lawful basis for that processing. In most cases, that means consent — and not just any consent, but consent that specifically covers the use of personal data for social media advertising.

If your client collected email addresses for a newsletter, that consent almost certainly does not extend to uploading those addresses to Facebook for ad targeting. Before you create any Custom Audience from a client's CRM data, you should:

  1. Ask the client to confirm the lawful basis for that data
  2. Verify that their privacy notice disclosed this type of use
  3. Ensure any consent collected was granular, specific, and freely given
  4. Keep a record of this confirmation

Running Custom Audiences without these checks exposes your client — and potentially you — to enforcement risk.


Retargeting Pixels on Client Websites and PECR Rules

If your role includes setting up or managing the Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or similar tracking code on a client's website, you are operating in territory governed by both GDPR and, in the UK, the Privacy and Electronic Communications Regulations (PECR).

Under PECR, non-essential cookies and similar tracking technologies, which includes advertising pixels, may be placed on or read from a user's device only with prior informed consent. This means:

  • The pixel must not fire until a user actively accepts cookies
  • The consent mechanism must meet GDPR standards (freely given, specific, informed, unambiguous)
  • Implied consent or pre-ticked boxes are not valid

Many retargeting campaigns are running on pixels that fire unconditionally on page load, in violation of PECR. If you are managing a client's ad account and you set up or maintain their pixel, you share responsibility for ensuring it is implemented compliantly.
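As an added example (not Custodia's code, nor any vendor's SDK), one way to enforce that rule in the page's own JavaScript is a small consent gate: the vendor script is not injected and no event is sent until the visitor actively accepts the advertising category, and withdrawal stops sending immediately. The loader and sender are injected so the logic runs outside a browser; in a real page they would append the vendor's script tag and call its tracking function.

```javascript
// Added example, not Custodia's code or Meta's SDK: a minimal consent gate that
// keeps an advertising pixel from loading or sending events until the visitor
// has actively accepted the marketing cookie category. Loader and sender are
// injected so the logic runs under Node; in a page, loadVendorTag would append
// the vendor <script> element and sendEvent would call the vendor's track API.
function createConsentGate({ loadVendorTag, sendEvent }) {
  const state = { consented: false, loaded: false, dropped: 0 };
  return {
    // Page code calls this wherever it would normally fire a pixel event.
    track(name, params = {}) {
      if (!state.consented) {
        state.dropped += 1; // nothing leaves the browser before consent
        return false;
      }
      sendEvent(name, params);
      return true;
    },
    // Call only from an explicit click on "Accept advertising cookies".
    // Page load, scrolling or a pre-ticked box must never reach this.
    grantConsent() {
      state.consented = true;
      if (!state.loaded) {
        loadVendorTag(); // the vendor script itself sets cookies, so inject it only now
        state.loaded = true;
      }
      return this.track('PageView'); // first event fires after consent
    },
    // Withdrawing consent must stop sending immediately.
    revokeConsent() {
      state.consented = false;
    },
    status() { return { ...state }; },
  };
}
// Demo with a constructed fake loader/sender standing in for the real tag.
function demo() {
  const log = [];
  const gate = createConsentGate({
    loadVendorTag: () => log.push('script-loaded'),
    sendEvent: (name) => log.push('event:' + name),
  });
  gate.track('PageView');    // on page load: dropped, not sent
  gate.track('ViewContent'); // also dropped
  gate.grantConsent();       // user clicks accept: script loads, PageView sent
  gate.track('AddToCart');   // sent
  gate.revokeConsent();
  gate.track('Purchase');    // not sent after withdrawal
  return { log, status: gate.status() };
}
```

The useful check when auditing a client's site is the same one `demo()` exercises: nothing should reach the vendor before the accept click, and nothing after withdrawal.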

Use Custodia to scan your clients' websites and identify pixels that fire without valid consent — it takes seconds and gives you a compliance snapshot you can share directly with clients to demonstrate your diligence.


Social Media Monitoring and Collecting User Data

If you use social media monitoring tools to track brand mentions, sentiment, or competitor activity, you are collecting personal data every time a real person's post, comment, or profile appears in your results. Comments and posts by identifiable individuals are personal data under GDPR.

Key considerations:

  • Ensure any monitoring tool you use has GDPR-compliant data handling and does not transfer data to third countries without appropriate safeguards
  • Do not store or analyse individuals' posts beyond what is necessary for your business purpose
  • Be particularly careful with sensitive categories of data (health, political opinions, religion) that may appear in user-generated content

Responding to Customer Complaints via DMs

When you handle customer service interactions on a brand's social channels — responding to complaints, resolving issues via DM — you are processing personal data. The individual's name, contact information, complaint details, and any sensitive information they share (order history, medical conditions, financial details) all need to be handled appropriately.

This means:

  • Only the people who need access to those DMs should have it
  • Complaint records should be retained for no longer than necessary (define this in your DPA with the client)
  • If a customer makes a Subject Access Request (SAR), DM conversations may be in scope

Agencies should have a clear process for escalating SARs to clients and for identifying which DM data is held where.


Influencer Contracts and Personal Data

Influencer marketing involves significant personal data exchange. When you engage an influencer on a client's behalf, you typically collect and process:

  • Contact details and bank/payment information
  • Content deliverables (images, videos featuring the influencer)
  • Audience analytics shared by the influencer

Influencers are individuals, and their personal data is subject to GDPR. Ensure your influencer contracts include a data processing clause explaining what data you collect, how it is used, how long it is retained, and the influencer's rights.


Running Competitions and Giveaways

Social media competitions require participants to submit personal data — at minimum their name and a way to contact them if they win. Often you also collect email addresses for marketing purposes.

If you are adding competition entrants to a marketing list, this requires separate, explicit consent. Bundling "enter to win" with "join our mailing list" without a clear opt-in mechanism is not compliant. Your competition terms and conditions should include:

  • A privacy notice explaining how entrant data will be used
  • How long data will be retained (typically no longer than needed to administer the prize)
  • Contact details for data protection queries

Community Management and Sensitive User Comments

Community managers regularly encounter sensitive content — users disclosing health conditions, financial struggles, or experiences of abuse in comment threads. Under GDPR, this constitutes special category data, which requires heightened protection.

Train your team to:

  • Avoid screenshotting or sharing sensitive comments unnecessarily
  • Handle moderation decisions involving sensitive disclosures through a defined escalation process
  • Not store sensitive user comments in team communication tools like Slack or Teams beyond what is immediately necessary

Scheduling Tools as Sub-Processors

If you use scheduling tools — Hootsuite, Buffer, Sprout Social, Later, or similar — these platforms process personal data on your behalf. They are your sub-processors.

Under GDPR, you need your clients' authorisation to engage sub-processors, and you must ensure those sub-processors provide sufficient guarantees about their data protection practices. In practice, this means:

  • Listing your scheduling tools in your DPA with clients as authorised sub-processors
  • Reviewing each tool's GDPR compliance documentation and Data Processing Addendum
  • Ensuring any international data transfers are covered by Standard Contractual Clauses or equivalent safeguards

Analytics Data from Platform Insights

Platform analytics — Facebook Insights, Instagram Analytics, LinkedIn Page Analytics — provide aggregated data about your audience. This data is generally anonymised and aggregated by the platforms, meaning it typically falls outside GDPR's scope.

However, if you export or further process this data in ways that could re-identify individuals (for example, combining very granular audience segments with other data sets), different rules may apply. Treat platform analytics data with care and document your retention periods for any exported reports.


Repurposing User-Generated Content

Reposting a customer's photo or video to your client's brand account is common practice — but it involves the personal data of the individual who created it. Their image, voice, or likeness may constitute personal data.

Best practice:

  • Always obtain explicit permission from the content creator before repurposing their content commercially
  • Document that permission (a DM reply saying "yes you can share this" is a start, but a written consent process is better)
  • Do not assume that a public post is fair game for brand use

Data Retention After Client Contracts End

When a client relationship ends, what happens to all the data you processed on their behalf? This is one of the most overlooked areas of agency compliance.

Your DPA should specify:

  • How long you retain client data after termination
  • Whether you return or delete the data (and in what format)
  • Which staff members' access is revoked and when

As a rule, you should delete or return all client audience data, creative assets containing personal data, and any CRM uploads within a defined period after contract termination — typically 30 to 90 days. Document that deletion.


Getting Your Agency Compliant

GDPR compliance for social media agencies is not optional, and enforcement is increasing across Europe. The good news is that the fundamentals — DPAs, consent checks, sub-processor lists, and retention policies — are manageable once you have a clear process in place.

A practical starting point: scan every client's website with Custodia to identify tracking pixels, third-party scripts, and cookie compliance gaps before you start a campaign. It takes less than a minute and immediately surfaces the compliance issues most likely to attract regulatory attention.

Custodia also helps agencies demonstrate their data protection due diligence to clients — a genuine differentiator in a market where most competitors have not thought seriously about GDPR at all.


Ready to check your clients' compliance posture? Run a free scan at https://app.custodia-privacy.com/scan and get an instant report on privacy risks, tracking issues, and missing consent mechanisms.
