Facebook | CHEQ

--------------------------------

Better Targeting with Facebook Conversion API and Server-Side Tagging

For years, Facebook Custom Audiences has been a critical tool for retargeting Facebook users who interacted with your brand or website. But as the business world and regulators shift focus towards data privacy, the landscape for Facebook Custom Audiences has changed dramatically and lost much of its effectiveness. Not least of Facebook Custom Audiences’ troubles are the new privacy features released by Apple this year.

In this blog, we’ll explore how iOS 14 affects Facebook Custom Audiences, and how you can regain lost effectiveness with Facebook Conversion API and server-side tagging (SST). To learn more about integrating Meta’s CAPI with SST, check out our on-demand webinar, The Power of Meta’s Conversions API and Server-Side Tagging, where experts from Meta and CHEQ demonstrate how to improve the targeting, effectiveness, and data security of your Meta campaigns by leveraging the Conversions API (CAPI) and server-side tagging.

How iOS 14 Affects Facebook Custom Audiences

Ad blockers have always been an issue for Facebook Custom Audiences, but usually, this has only affected a small percentage of non-mobile traffic. With the release of Apple iOS 14 in September 2021, the problem skyrocketed. With iOS 14, Apple essentially mainstreamed ad blockers with its new App Tracking Transparency Framework, which gives all iOS users the ability to highly restrict or opt out entirely of app tracking on Apple mobile devices.

Over 25% of all internet traffic comes from an iOS device and Apple has announced that over 90% of iOS devices are now on iOS 14, so it’s no shock that Facebook is now getting a lot less information (or even no information) about users you want to retarget, which in turn shrinks your target audiences. Furthermore, Facebook expects all major browsers and operating systems to block or significantly impact third-party cookies (and therefore Facebook Custom Audiences) by 2022. Even Google has announced plans to phase out third-party cookies by 2023.

To solve for iOS 14 and future browser privacy restrictions, Facebook is highly recommending their clients move to deploy the Facebook Conversion API (CAPI) either as a standalone API or alongside the Facebook Custom Audiences tag.

What is the Facebook Conversion API?

The Conversions API is a server-side tool designed to create a direct and reliable connection between marketing data from a server and Facebook. This marketing data helps power ad personalization, optimization, and measurement on Facebook so that your ads are shown to people who are more likely to be interested in them.

As the Facebook Conversion API is a server-side tool, it cannot be deployed via a traditional tag management tool the way Facebook Custom Audiences was. That’s where CHEQ Server-Side Tagging comes in.

How does CHEQ Server-Side Tagging solve the problem?

Quite simply, CHEQ’s Server-Side Tagging is the future of tag management. CHEQ SST removes the need to deploy tags to a website and, instead, deploys your tags in a server-side environment that is triggered by a beacon that can come from any device connected to the internet – not just a website. Through this beacon, you can have your tags (including Facebook’s Conversion API) execute on CHEQ’s servers instead of on a website visitor’s web browser.

CHEQ started working with Facebook and a few of our clients months ago on the Conversion API and was one of the first vendors to get a Facebook-approved integration. However, the problem doesn’t stop with Facebook. Many other vendors have had their data partly or fully removed due to browser or operating system restrictions. This is why CHEQ has already partnered with many other vendors and created server-side solutions for them using the same CHEQ Server-Side Tagging tool. Additionally, if we don’t have an integration for a vendor, you can either create your own tag template or request one to be created for you.

Facebook parent company and social media giant Meta has been hit with a 265 million euro ($277 million) fine for failing to comply with the EU’s General Data Privacy Regulation (GDPR). The fine is the largest ever imposed on Meta and the second-largest GDPR fine to date.

On November 28th, Ireland’s data privacy regulator, the Data Protection Commission (DPC), issued a decision stemming from an inquiry regarding the web scraping of Facebook user data which, alongside the multi-million euro fine, also required a range of corrective measures from the company.

The DPC is responsible for regulating several high-profile tech companies such as Meta, Apple, Google, and TikTok due to the location of their EU headquarters in Ireland. Meta has been hit with four fines from the DPC, totaling nearly $1 billion euros. The DPC currently has 40 open inquiries into GDPR violations, including 12 more involving Meta.

Why Facebook is Being Fined 

This penalty resulted from an investigation that started back in April 2021 after media reports that a dataset of more than 530 million Facebook users’ personal data had been made available on a hacking forum. The dataset exposed the personally identifiable information (PII) of Facebook users from 106 countries, with over 32 million records belonging to users from the US, 11 million from the UK, and 1.3 million Irish Facebook users. Data exposed included email addresses, phone numbers, full names, birthdays, and other PII. 

Facebook responded to news of the leak by claiming that the data had been scraped from Facebook profiles by bad actors who abused a contact importer feature offered by the company in September 2019, which was subsequently updated to prevent abuse.

The DPC’s inquiry examined several Facebook, Messenger, and Instagram contact importer and search tools offered by Facebook between the date of the implementation of the GDPR and the discovery of the leaked data, and determined that Facebook had failed to build its products in a way that would stop scraping attacks from happening, and had failed to meet the GDPR requirement for Data Protection by Design and Default set forth in Article 25 of the law.

“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default,” it added, specifying that it had examined the implementation of “technical and organizational” measures relevant to Article 25 GDPR (which deals with data protection by design and default).

Specifically, the DPC identified “infringement of Articles 25(1) and 25(2) GDPR,” which require “appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed,” and that the same obligation “applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”

The DPC said that it is also imposing corrective measures on Facebook, writing: “The decision imposed a reprimand and an order requiring MPIL [Meta Platforms Ireland Limited] to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.”

Facebook has been given a three-month period from the issue of the decision to comply. 

What is Web Scraping?

Web scraping is the process of pulling content and data from a website, typically with automated bots programmed to recognize and extract certain data from a website. Search engines, price comparison tools, and market research companies often use web scrapers for legitimate purposes, but they’re also popular with bad actors who use the tools to build datasets to sell or leverage in other attacks. 

Scraper bots can be programmed to extract data from a website’s HTML or from connected APIs and databases, but they can also be programmed to interact with a website in the manner that a real user would in order to fool site owners and thwart detection efforts. 

Meta’s Ongoing Fight Against Web Scrapers

Automated data collection without permission is a violation of Facebook’s terms of service, and the company has made frequent attempts to crack down on the practice.

Meta has taken extensive legal action against ‘legal’ web scraping companies. In October 2020, the company sued two web scraping firms, which settled for a “significant sum” in 2022. Meta also took legal action against two more scraping-for-hire firms in July 2022.  

Facebook also claims to have implemented significant security measures to fight data scraping. The company says it has stood up an External Data Misuse (EDM) team made up of more than 100 people and has applied rate and data limits to make scraping more difficult. These controls limit the speed and frequency of interactions with Facebook products to block automated tools from quickly gathering large quantities of information. Facebook analysts also examine traffic and behavior patterns to detect and block automated activity.

These measures may not be enough, though, as stolen datasets from Meta properties continue to appear on the dark web. On November 16th, an ad posted on a popular hacking forum offered a 2022 database of 487 million WhatsApp user mobile numbers for sale.

According to the ad, the dataset contains user data from 84 countries, including 32 million US user records, 35 million Italian user records, and 20 million French user records. 

Mounting Fines Raise Privacy Pressure on Big Tech 

This fine is just the latest in a string of large fines levied against Meta and other leading tech companies since the implementation of the GDPR in 2018. 

In the last year alone, the DPC has hit Meta with nearly $1 billion euros in fines.  The regulator first sanctioned WhatsApp 225 million euros ($267 million) for giving users inadequate information regarding the processing of personal data in September 2021, then followed up with a 17 million euro ($18.6 million) fine against Facebook for poor handling of data breach notifications. 

And in September 2022, the DPC issued a 405 million euro fine against Meta’s Instagram for violating children’s data protection, concerning the lawfulness of processing data as well as “public-by-default” processing of data from users aged 13-17.

Other EU enforcement authorities have also targeted Facebook. In January 2022, France’s CNIL fined Facebook, Google, and YouTube a combined $210 million euros because their French websites failed to give visitors the option to easily decline tracking, despite offering them a one-button option to ‘accept all’ cookies–a violation of the EU’s ePrivacy Directive.  

But Facebook is not the only one feeling the pressure. Regulators have handed out an average of 50 fines every month, with a total of 1345 as of November 2022, and have hit companies like Amazon and Google with massive fines. Amazon, for example, was fined $887 million in July 2021 for the improper gathering of user consent, the largest GDPR fine to date.

And while high-profile, multinational companies like Amazon, Google, and Facebook have faced much larger fines, enforcement actions against small and mid-sized businesses have also been increasing. 

This article was originally published July 28th, 2020; it was last updated September 16th, 2022.

Marketing spend on social media platforms is projected to reach $226 billion in 2022. Of all the social media platforms, Facebook is the big beast, with marketing spend on the social media giant reaching $70 billion each year from 8 million advertisers. Despite the rise in spending on paid social media, now third behind TV and paid search, the scale of invalid traffic and bot activity on platforms has been largely hidden. Though there have been long-held concerns about clicks on campaigns and the draining of ad budgets, the social media platforms themselves have been relied upon to detect fraudulent clicks and overall invalid activity. It has been their role to credit marketers with losses they may have suffered through automated, bot, or fake account activity.

And while we trust that these platforms do their best to combat invalid traffic, it’s always best to get a second opinion, so let’s take a look at the issue of invalid clicks on Facebook and examine a few ways that marketers can mitigate invalid traffic and bots from Facebook.

What is Invalid Traffic on Facebook?

Invalid traffic is generally defined as traffic that cannot convert or take meaningful action on your website: think bots, web crawlers, and proxy users. For social media, the Media Rating Council defines invalid traffic as “traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts.” Traffic may be considered invalid either because it is a result of “non-human traffic, such as spiders, bots, etc.,” generally known as General Invalid Traffic (GIVT), or because it is “designed to produce fraudulent traffic,” a category typically known as Sophisticated Invalid Traffic (SIVT).

What are Facebook’s policies on click fraud?

Facebook has taken serious proactive approaches to combat click fraud. There are two kinds of clicks that Facebook identifies as invalid:

  • Clicks from people who don’t “indicate a genuine interest in the ad or show signs of ad testing,” such as repetitive or accidental clicks and visits.
  • Clicks generated through means prohibited by Facebook’s terms of service, like fake accounts, bots, scrapers, and browser add-ons.

Facebook will not charge advertisers for clicks that are determined to be invalid, and it has some automated means of click fraud prevention, though they have not been made public. For the most part, however, the social media giant puts the onus on individual advertisers to discover and call out click fraud. Once click fraud has been reported, Facebook will conduct a manual review of the traffic in question and take appropriate actions.

Common sources of invalid traffic on Facebook

As with other paid social media platforms, there is a mixture of reasons for invalid clicks occurring on Facebook.

1. Fake accounts, data centers and bots

The largest source of invalid clicks, based on what we see through clients protecting their Facebook spend using CHEQ for PPC, is “data center traffic.” This is consistent with fake and automated bot account activity. The digital advertising industry regulator, the MRC, notes that known data center traffic is “determined to be a consistent source of non-human traffic; not including routing artifacts of legitimate users or virtual machine legitimate browsing.”

Then there are fake accounts. Facebook understands the problem and has taken action against fake accounts; however, according to the company’s Transparency Report 2020, 5% of its worldwide monthly active users (MAU) during Q4 2019 and Q1 2020 are not real. In 2020, for instance, the MRC asked Facebook for more information about Facebook’s efforts to monitor fake accounts on the platform and data about ad impressions served to “invalid accounts.”

This particular issue of fake accounts emerges in notorious cases, such as when pro-Putin Russian trolls pushed divisive issues on Facebook ahead of the 2016 US election by creating accounts that pretended to express the views of concerned Americans. In more recent revelations, Roger Stone, a longtime friend and former top adviser to Donald Trump, bought more than 200 fake Facebook accounts, according to FBI search warrants.

2. User agent spoofing

Sophisticated fraud also involves user agent spoofing. This involves a mismatch between declared user agent, such as a web browser, and the actual user agent being used to interact with online content.

3. Retargeting

There are also often cases where marketers’ use of Facebook’s lookalike audiences results in further retargeting of bots. Facebook lookalike audiences let you reach a large number of people who share the same characteristics as your existing customers. In fact, 33% of marketers use retargeting to win customers. However, in many cases, the retargeting efforts merely involve putting good money after bad bots that have engaged with Facebook ads, and which in many cases have indeed clicked or interacted with your Facebook ad post. This requires segmentation to prevent bots from being targeted.

4. Click farms and inflated engagement

Click farms are a large and growing problem. This involves individuals with real accounts on Facebook paid to manually like specific pages. In developed countries, this can involve paying $1 per 1000 likes. In setting out their opposition to fake likes, Facebook says, “People behind these fraudulent activities are rational actors with clear financial motivations. They make their profit by promising and generating Page likes to admins around the world who typically don’t understand the negative implications of purchasing these likes.” For instance, sites such as Boost Likes openly advertise 1000 likes for your page for $75. Or for 100,000 likes, the price is $4,200. Boost Likes says it aims to reach English-speaking audiences who can understand posts in English, but this “cannot be guaranteed.” The site admits: “We cannot control what kind of people want to like your page with this worldwide audience.”

5. Facebook’s Audience Network

Facebook’s Audience Network, which advertisers use to extend their Facebook campaigns to third-party sites and apps, can be a conduit for ad fraud. LionMobi and JediMobi, for instance, were banned from the Audience Network by Facebook, which refunded impacted advertisers in March 2019. These frauds often use click injection, where fraudulent developers get their apps installed on as many phones as possible – in this case, both developers peddled their apps in the Google Play store – and insert ad network SDKs into the apps. From there, they generate fake traffic, users, activity, ad viewing, and clicks in their apps, collecting money for ad views from ad networks such as Audience Network. Outside sites can increase their own ad revenue by buying traffic, that is, bots that repeatedly load pages to manufacture ad impressions out of thin air.

Facebook clicks: In context

Since its inception, Facebook has faced challenges from invalid clicks and deploys a dedicated and talented team of engineers and legal personnel to fight the problem. This has kept the platform above many other comparable advertising ecosystems. Facebook’s Director of Product Management Rob Leathern says the challenge in tackling the problem is the sheer number of fraud attempts combined with the multiple forms it can take.

“You have to defend a variety of different channels, whereas [attackers] can always focus their efforts into one particular area,” Leathern said. “And many of these adversaries are well-funded and persistent.”

Facebook’s invalid clicks may be far lower than many parts of the online ecosystem, in particular display advertising, though hundreds of enterprise clients have begun using CHEQ for PPC given the instant savings through further reducing invalid clicks, avoiding bots and reaching only real customers. It also provides a similar service for other paid social media networks such as Instagram, Twitter, and LinkedIn as well as fast-rising Pinterest ad campaigns. In launching CHEQ for PPC, CHEQ CEO Guy Tytunovich said, “Google, Facebook and other PPC platforms do a good job in fighting fraud, and yet, there’s still an issue there, because there’s an inherent problem with solving it when you’re the biggest sitting duck on the internet.”

What enforcement actions has Facebook taken against fake clicks?

Like all social media platforms, Facebook has a fake traffic problem, but unlike some others, Meta has been very aggressive in combating click farms and other sources of invalid traffic. Below are just a few of the enforcement actions taken by Facebook in recent years:

2016: Fake Facebook accounts pushed divisive issues ahead of the 2016 election through the creation of accounts purporting to express the views of concerned Americans.

August 7 2019: Facebook files lawsuits against two app developers accused of generating fraudulent revenue. LionMobi, based in Hong Kong, and JediMobi, based in Singapore, generated “unearned payouts” from Facebook advertising.

October 2019: Facebook agrees to a $40 million settlement with Facebook advertisers for the inflated video metrics which they incorrectly provided (between 2015 and 2016).

December 5 2019: Facebook takes action against iLike Ad Media which deceived people into installing malware compromising people’s Facebook accounts. This involved running deceptive ads through “cloaking”, disguising the destination of the link in ads by displaying one version of an ad’s landing page to Facebook’s systems and a different version to Facebook users.

April 9, 2020: Facebook takes court action against Leadcloak, Basant Gajjar, for software and services running deceptive ads, including scams related to COVID-19 and cryptocurrency.

How can you block bots from Facebook?

Trying to combat fake traffic on your own can be a difficult proposition, but there are some best practices for manual bot mitigation. First of all, it’s important to consider your targeting parameters and to keep them as narrow as possible to limit exposure to fake traffic. Likewise, consider limiting ad runtimes to the hours when you know your buyers will be active. Monitoring your site traffic for unusual Facebook referrals will also provide insight. Fraudulent traffic usually follows certain patterns (large numbers of clicks with low conversions, rapid clicks from one IP address, etc.) that can give it away. Once you’ve identified suspicious traffic, an investigation into packet headers can provide corroborating details. Finally, report your findings to Facebook and wait for a manual investigation.
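The manual monitoring described above, as an added example (not CHEQ’s or Facebook’s code): it scans a constructed click log for Facebook-referred traffic and flags IPs that show rapid click bursts or many clicks with no conversions. The log format, the thresholds, and the function names are assumptions for illustration; `fbclid` is the click identifier Facebook appends to outbound links.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample log (not real traffic), using documentation IP ranges.
# Fields: timestamp, client IP, landing URL, referrer, converted (1/0).
SAMPLE_LOG = """\
2022-09-16T10:00:01 203.0.113.7 /landing?fbclid=AAA1 https://l.facebook.com/ 0
2022-09-16T10:00:02 203.0.113.7 /landing?fbclid=AAA2 https://l.facebook.com/ 0
2022-09-16T10:00:03 203.0.113.7 /landing?fbclid=AAA3 https://l.facebook.com/ 0
2022-09-16T10:00:04 203.0.113.7 /landing?fbclid=AAA4 https://l.facebook.com/ 0
2022-09-16T10:00:05 203.0.113.7 /landing?fbclid=AAA5 https://l.facebook.com/ 0
2022-09-16T09:15:00 198.51.100.20 /landing?fbclid=BBB1 https://l.facebook.com/ 0
2022-09-16T13:40:10 198.51.100.20 /pricing https://m.facebook.com/ 1
2022-09-16T18:02:30 198.51.100.20 /landing?fbclid=BBB3 - 0
2022-09-16T08:00:00 192.0.2.44 /landing?fbclid=CCC1 https://l.facebook.com/ 0
2022-09-16T09:00:00 192.0.2.44 /landing?fbclid=CCC2 https://l.facebook.com/ 0
2022-09-16T10:00:00 192.0.2.44 /landing?fbclid=CCC3 https://l.facebook.com/ 0
2022-09-16T11:00:00 192.0.2.44 /landing?fbclid=CCC4 https://l.facebook.com/ 0
2022-09-16T12:00:00 192.0.2.44 /landing?fbclid=CCC5 https://l.facebook.com/ 0
"""


def parse_log(text):
    """Yield (timestamp, ip, url, referrer, converted) for each log line."""
    for line in text.strip().splitlines():
        ts, ip, url, referrer, converted = line.split()
        yield datetime.fromisoformat(ts), ip, url, referrer, converted == "1"


def is_facebook_click(url, referrer):
    """True if the landing URL carries fbclid or the referrer is a Facebook host."""
    host = urlparse(referrer).hostname or ""
    has_fbclid = "fbclid" in parse_qs(urlparse(url).query)
    return has_fbclid or host == "facebook.com" or host.endswith(".facebook.com")


def max_burst(times, window):
    """Largest number of clicks that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_suspicious(records, burst=5, window=timedelta(seconds=10), min_clicks=5):
    """Map each flagged IP to its reasons. Thresholds are illustrative assumptions."""
    times, conversions = defaultdict(list), defaultdict(int)
    for ts, ip, url, referrer, converted in records:
        if is_facebook_click(url, referrer):
            times[ip].append(ts)
            conversions[ip] += converted
    findings = {}
    for ip, stamps in times.items():
        reasons = []
        if max_burst(stamps, window) >= burst:
            reasons.append("rapid_clicks")
        if len(stamps) >= min_clicks and conversions[ip] == 0:
            reasons.append("no_conversions")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(ip, ", ".join(reasons))
```

Flagged IPs are leads for the follow-up investigation and the report to Facebook, not proof of fraud: shared NAT or carrier addresses can produce bursts from legitimate users.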

Of course, that level of work isn’t exactly scalable, especially when all of your hard work and investigation is essentially hinging on Facebook’s terms for bot mitigation. For a more effective solution, consider a comprehensive go-to-market security platform that can help automatically detect and block invalid traffic in real-time, whether the source is social media, organic traffic, or direct.

CHEQ leverages thousands of security challenges to evaluate site traffic in real-time, determine whether a visitor is legitimate, suspicious, or invalid, and take appropriate action in blocking or redirecting that user. For paid traffic, CHEQ automatically updates IP exclusion lists to reflect the constantly changing threat landscape, saving you valuable time and ad spend.
