Let us first answer the most frustrating question - “Who is responsible for obtaining consent?”. Simply put, this is based on where the data owner provides/submits their data. In the case of Facebook advertising, this relates to data received through the Facebook pixel, SDK or directly based on information that Facebook acquires from users on their platforms. In the case of the advertiser/marketer, this applies to data acquired from custom audiences or uploads of other personal information using Facebook’s services.
Summary: You need consent for any data that you collect yourself - so if you are using custom audiences, you need to have consent from your users so that you can use their data outside of your website.
However, be careful - we conducted a few experiments and found that confirmation pop-ups with the simple option YES or NO can decrease your remarketing audience by 90%! Therefore you have to be more creative.
Part of the power of Facebook remarketing is based on Facebook pixels. Facebook is the data controller in this sense as you can find in the FAQ about GDPR on Facebook's website. For companies operating in the EU, you must process data under laws applying to cookies, obtaining prior informed consent for the storing of and access to cookies or other information on a person's device.
Facebook has kindly offered a consent guide to help users frame the request for consent. You can also delay the firing of pixels until after you get consent by using these instructions.
We use easycookie.io that shows this banner:
People can decide to uncheck which cookies they do not want to store or give us consent if they continue to use our website (for instance scroll down, click on OK, or other elements).
There are many opinions about what marketers can do to become GDPR compliant. For instance, according to Czech Personal Data Protection Authorities that are responsible for negotiating how cookies are implemented, under the GDPR, it is not necessary to use "cookie consent banners". The actual translation reads, “this is something covered under different legislation called ePrivacy and that legislation has not come into full effect yet. Moreover, users agree/disagree with using cookies with the setting of their browsers.” What this illustrates is just how much a mess the GDPR regulations have made for marketers.
A few months ago everyone was worried about cookies and pixels so much so that some clients wholly removed pixels from their site. Removing pixels, of course, makes it nearly impossible for marketers to reach their target audience effectively. However, just a few days before the regulation takes effect, it would seem that there is nothing to be concerned about, about cookies at least. The lesson we have learned from this is that the authorities seem to be just as at a loss as the marketing community. Instead of making rash decisions that could affect your bottom line, it might be better to wait and collect complete answers as they reveal themselves in the upcoming months.