Facebook have put out this great article on how custom audience targeting works. It’s a fantastic option for people who have a large customer database and are no longer getting results through eDM’s.
Custom Audiences is a targeting tool that allows advertisers to reach specific customers at scale. By matching customer lists against Facebook users (through email addresses or telephone numbers), it enables businesses to reach people cost effectively where they’re highly engaged.
With typical email match rates greater than 60%, it’s one of our most effective targeting tools. But we also know that some advertisers are eager to hear more about how Custom Audiences complies with privacy and transparency regulations. Below we answer some of the most frequently asked questions.
How does Custom Audiences work?
It’s easiest to understand Custom Audiences in seven stages:
An advertiser uploads into their browser a list of email addresses or phone numbers belonging to individuals that they want to target with ads. The advertiser’s browser then hashes all of the uploaded email addresses/phone numbers locally on their computer. Plain-text email addresses and phone numbers are not sent to Facebook.
The browser then connects over SSL to the customer’s Facebook ad account, authenticates using Facebook account credentials, and passes the list of hashed values to our ads API.
On the Facebook side, we have pre-computed the hashed values for every Facebook user. We take the customer’s list of hashed values and compare it with our own list of hashed values.
For matching hashes, we add the Facebook users to a Custom Audience stored within the customer’s ad account. If a hash does not match, we simply ignore it. Once the matching process completes,
we delete all of the hashes – both matching and non-matching.
The end result is that the customer ends up with a ‘custom audience’ that they can target with ads. This Custom Audience is stored in the customer’s ad account – only authorised account admins can target it. The customer cannot see the specific individuals who are contained in this Custom Audience; they just see the approximate number of people that this audience contains.
What is hashing?
A hashing algorithm is a one-way mathematical function that turns an original piece of data (like an email address) into a ‘fingerprint’ made from a fixed-length piece of text. That fingerprint doesn’t actually contain the original data, and there’s no way to reverse it back again.
What data is shared with Facebook?
Only the hashes are sent to Facebook, which are used to identify matching Facebook users.
How does the matching process work?
Facebook pre-computes the ‘hash’ values for every Facebook user. When your data is sent to our servers, your list of hashes is compared with our pre-computed hashes. If a matching hash is found, that Facebook user is placed into a custom audience, which is stored in your ads account. If no match is found for a given hash, we simply ignore it.
What happens to the hashed data once matching is complete?
After the matching process, all of the matching and non-matching hashes are deleted from Facebook’s servers. The matching process can take up to two days to complete. No further processing of the hashed values is performed beyond the match process.
Can other advertisers access my Custom Audiences?
No. Only your ad account has access to your Custom Audiences. Your Custom Audience is not targetable by other advertisers without your explicit consent. Facebook does not share personally identifiable information with advertisers.
Has the security of Custom Audiences been audited by a third party?
Yes. The major components of the Custom Audiences process have been audited by a third party audit firm. The details of the confidential audit are available upon request. In addition to the Custom Audiences audit, our security and privacy practices are audited regularly by privacy regulators in the EU to ensure that we are providing industry leading levels of protection. We regularly audit our infrastructure for application and network vulnerabilities, and utilise a bug bounty programme for encouraging responsible disclosure of security issues from security researchers.