Meta’s targeted ad model faces restrictions in Europe

European Union privacy regulators have ruled that Meta Platforms Inc. shouldn’t require users to agree to personalized ads based on their online activity, according to people familiar with the decision, a ruling that could limit the data that Meta can access to sell such ads.

A board representing all EU privacy regulators on Monday approved a series of decisions ruling that EU privacy law doesn’t allow Meta platforms, such as Instagram and Facebook, to use their terms of service as a justification for allowing such advertising, the people said.

The new EU decisions can be appealed, which could lead to their being suspended pending potentially lengthy litigation. If upheld, though, they could make it harder for Meta and other platforms to show users ads based on what they tap and watch within those platforms’ own apps. Meta has for years allowed users to opt out of personalizing ads based on data from other websites and apps. But it hasn’t given any such option for ads based on data about user activity on its own platforms—such as which videos an Instagram user watches.

If any significant portion of its users opts out of such targeting, Facebook and Instagram would end up with less information with which to build audiences for the personalized ads that analysts and people close to the company say make up the bulk of its revenue.

The board’s rulings Monday, which haven’t yet been disclosed publicly, don’t directly order Meta to change practices, but rather call for Ireland’s Data Protection Commission to issue public orders that reflect its decisions, along with significant fines, the people added. Ireland is Meta’s main privacy regulator in the bloc because that is where Meta’s European headquarters is based.

Meta will also be able to appeal the Irish decision, as well as the EU decision.

“This is not the final decision and it is too early to speculate,” said a Meta spokesman, adding that EU law could allow for other legal justifications for targeting its ads. “We’ve engaged fully with the DPC on their inquiries and will continue to engage with them as they finalize their decision.”

The company has previously argued that tailoring the ads it sells based on data it has about users’ online behavior is a necessary part of the personalized service it offers. It has also said it has options for users to control how it uses their data.

A spokesman for Ireland’s Data Protection Commission said it would be inappropriate to comment on the content of the decisions. A spokeswoman for the European Data Protection Board, the body representing all EU privacy regulators, confirmed that the board made decisions on Monday, but declined to comment on their substance.

An eventual decision from the Irish Data Protection Commission likely wouldn’t specify how Meta has to comply. But if the ruling is upheld, it could lead Meta to seek consent from users for targeted ads, or to offer them an opt-out. The company declined to say what it might do.

Any impact of the decision would come on top of the revenue hit Meta took when Apple Inc. last year required iPhone app developers to ask users whether they want their usage to be tracked. Many iPhone users declined that tracking, cutting off Meta from a significant source of data it used to target ads. The company said the change reduced its revenue by 8% in 2021, and the company is still grappling with its impact.

The EU decisions showcase what privacy lawyers describe as a growing willingness by the bloc’s regulators to rein in what is often called “behavioral advertising.” That business, worth tens of billions of dollars a year, entails showing users digital ads that are targeted based on profiles and inferences drawn from those users’ digital activity on apps and websites.

A new privacy law in California also allows users to opt out of what it calls cross-contextual behavioral advertising, said Dominique Shelton Leipzig, partner for cybersecurity and data privacy at Mayer Brown. “What we’re seeing now is a more sharpened approach from regulators toward behavioral tracking,” Ms. Shelton Leipzig said last month.

The EU’s General Data Protection Regulation started being enforceable in 2018, and enforcement has ramped up in the past year and a half. Amazon.com Inc. was fined about $786 million last year in Luxembourg for violations related to its advertising, a decision it is appealing.

Ireland, for its part, has fined Meta more than $900 million in four other cases in the last 15 months, and currently has 10 additional inquiries into the company. Meta is still appealing two of those decisions and considering an appeal in the most recent. The company’s Irish subsidiary had as of Dec. 31, 2021, allotted nearly 3 billion euros, or about $3.15 billion, for privacy fines in the EU, up by €1.97 billion from a year earlier, according to a recent Irish corporate filing.

At issue in the Meta decisions is a concept called contractual necessity. The GDPR mostly prohibits companies from forcing users to turn over personal information to use their services. One exception is when that information is necessary to execute a contract: A food-delivery app needs your home address to deliver the pizza you ordered.

Meta decided to rely on that contractual provision of the GDPR when it went into effect in 2018, leading to complaints from Austrian privacy activist Max Schrems. The Irish privacy regulator initially agreed with Meta that the company can use that provision of the GDPR, according to a copy of one of its draft decisions that was leaked last year.

But at least 10 EU privacy regulators had objections to its decisions. Their disputes ended up before the EDPB, of which all EU privacy regulators are members. The board overruled Ireland’s position on behavioral advertising and ordered it to issue dissuasive fines, the people familiar with the decisions said.

The EDPB has overruled decisions before, including from Ireland, and is emerging as its own force in European privacy enforcement. The board, which has a staff that helps research and write its decisions, has recently said it needs more resources.

Some lawyers who represent companies say that the EU’s privacy enforcement through the EDPB may be going too far. “The direction of travel seems to be a more absolutist and draconian interpretation of GDPR,” said Ross McKean, a privacy attorney at DLA Piper, speaking before the EU decisions.

This story has been published from a wire agency feed without modifications to the text
