“Facebook will reveal who uploaded your contact info for ad targeting,” Josh Constine, Techcrunch


This is one of the wilder aspects of Facebook Ads in practice, and I’m not sure if the general public is familiar with how bad the process is for everyone involved.

Basically, here’s how i’ve experienced it from the perspective of a nonprofit marketing person. Please note that I am not a power user of Facebook ads. I know how to use the product, build an audience, format media and write copy, debug, build/analyze campaign reports etc but it’s never been my primary focus. (I have been not-so-subtly trying to flee digital marketing for about 7 years, so I have only learned what I needed to remain employed.)

Anway. Let’s say it’s Giving Tuesday.

  1. Nonprofit A wants to do a campaign for donations
  2. A hires Agency B and gives some worker on the agency side total access to all systems that hold supporter information (CRM like Salesforce’s “Nonprofit Starter Pack” assuming they have prior donor info there, email newsletter platform like Mailchimp, social media platforms like Facebook, web analytics platforms like Google Analytics, plus any psychographic info on prior donors). Just a note here that things have already gone terribly wrong. My personal information is now in an Excel file on the desktop of someone, probably in their mid 20s, who has never been trained to handle sensitive data and has zero clue what their legal obligations may be.
  3. A and B decide who to “target” for the campaign* and construct queries to put together “the list” or “the lists” containing the contact info of people they have enough data on to group. Lots of people are usually in every group so you dedupe it a million times; it’s just a brilliant process really
  4. The final list for Facebook is exported as a .csv on someone’s desktop, formatted according to FB’s instructions (sample file: https://www.facebook.com/images/ads/signals/example_files/example_audience_file.csv )
  5. Someone from B with a great deal of privileges on A’s Facebook page logs into using their personal profile (there’s no such thing as a “company account” so you have to use your personal FB if you ‘work in social media’ and it’s hilariously bad; I still have access to several former clients’ FB admin areas)
  6. The file gets uploaded and, if you didn’t use their template, you quickly map the fields (mindless work)
  7. The rest is just following FB’s instructions. It can be tricky just like any other hideous product built for enterprise audiences but it’s not very hard to give Facebook ALL your people’s data.
  8. Anyone who used an email address to sign up for Nonprofit A’s newsletter and/or donate to Nonprofit A, who also used that same email address with their Facebook account, is now fair game for the ad. For a small nonprofit, particularly one without a lot of supporters on FB, sometimes you’re not looking at a lot of people. So FB lets you dip into their data. Sure, all I know about this one woman is that she wrote a check for $500 in 2017. But Facebook knows everything about her whole life. So it can go get me 2,000 more users exactly like her. A “lookalike” audience to try to get money from, based on who gave in the past. Perfect!

Nobody ever deletes anything, so The File is not just telling FB about the prospective donors (so it can match email addresses and target those users with this nonprofit’s Giving Tuesday ad), it’s on a stranger’s desktop and maybe already auto-backed-up to B’s Google Drive.

I think a big part of this is bad data handling hygiene. People are not being trained, because their boomer and old gen X bosses see this as wizard magic and don’t realize basic information that would apply to a csv just as well as a manila folder needs to be passed down. Food safety handing and that whole certification process looks like being trained for a Moon landing compared to the training marketers and other workers in that industry receive. Fair enough, I guess we have decided as a society that salmonella is more frightening than spam and identity theft etc.

But part of it, in my scenario anyway, is also a mishmash of unethical decisions made by Facebook, Agency B, and Nonprofit A.

Nobody should be doing any of this, in my opinion. But they do, because FB ads are more effective than email campaigns, and take less work. Nonprofits structurally have no good choices because their whole premise is flawed. Having your entire continued existence dependent on your ability to cozy up to rich old capitalists and their heirs, or extracting money from bleeding hearts, is screwy. I guess I’ll save that particular rant for another morning.