Meta suffered a major failure on Wednesday that could severely cripple its Facebook and Instagram advertising businesses after EU regulators found it illegally forced users to effectively accept personalized ads.
The decision, which includes a 390 million euro ($414 million) fine, could require Meta to make costly changes to its advertising business in the European Union, one of its largest markets.
The ruling is one of the most significant since the Group of 27 nations, with a population of about 450 million, enacted landmark data privacy laws aimed at limiting the ability of Facebook and other companies to collect information on users without their prior consent. ability. The law came into force in 2018.
The case hinges on how Meta obtained legal permission from users to collect their data for personalized advertising. The company has included language in its terms of service agreement, a very lengthy statement that users must accept before accessing services like Facebook, Instagram and WhatsApp, that effectively means users must allow their data to be used to personalize ads or Stop using Meta’s social media services altogether.
Ireland’s Data Privacy Commission, Meta’s main regulator in the EU because the company’s European headquarters is in Dublin, said EU authorities determined that incorporating legal consent into the terms of service essentially forced users to accept personalized advertising, a violation of the law. European law known as the General Data Protection Regulation, or GDPR
Meta has three months to outline how it will comply with the ruling. The decision didn’t specify what the company would have to do, but it could lead to Meta allowing users to choose whether they want their data used for such targeted promotions.
If large numbers of users choose not to share their data, it cuts off one of the most valuable parts of Meta’s business. Information about a user’s digital history — such as which videos on Instagram prompt users to stop scrolling, or what types of links people click while browsing their Facebook feed — is used by marketers to place ads in front of users who are most likely to appear purchase.These practices help Meta in 2021.
The verdict puts 5% to 7% of Meta’s overall ad revenue at risk, according to Wedbush Securities analyst Dan Ives. “It could be a major blow,” he said.
The penalty contrasts sharply with regulations in the U.S., where there is no federal data privacy law and only a handful of states, such as California, have taken steps to create rules similar to those in the EU, but any changes Meta makes as a result of the ruling could affect U.S. users; Many tech companies apply EU rules globally because it is easier to enforce than restricting them to Europe.
The EU ruling is the latest business headwind for Meta, which is already grappling with a sharp drop in ad revenue after Apple made a change in 2021 to give iPhone users the ability to choose whether advertisers can track them. Meta said last year that Apple’s changes would cost it about $10 billion in 2022, and consumer surveys showed the vast majority of users had blocked tracking.
Meta’s woes come as it tries to diversify its business from social media into a virtual reality world called the Metaverse. The company’s stock price has plunged more than 60% in the past year and it has laid off thousands of employees.
Wednesday’s announcement relates to two complaints filed against Meta in 2018. Meta said it would appeal the decision, which could spark a protracted legal battle to test the power of the GDPR and how aggressively regulators can use the law to force companies to change their business practices.
“We strongly believe our practices respect the GDPR, so we are disappointed by these decisions,” Facebook said in a statement.
The result was hailed by privacy groups as an overdue response to companies gobbling up as much online user data as possible to serve personalized ads. But the decision, which took more than four years, was also seen by critics as a sign of weak and slow enforcement of the GDPR.
“European law enforcement has yet to deliver on the promise of GDPR,” said Johnny Ryan, a senior fellow at the Irish Civil Liberties Commission and privacy activist. The judgment suggests that “big tech companies may have a bumpier ride.”
Within the EU, there is disagreement over how to implement the GDPR. Irish authorities said they initially ruled that Meta’s use of the terms of service for a license was legally sufficient to comply with the law, but they were overruled by a committee made up of representatives from all EU countries.
“In the absence of regulatory clarity on this issue, there has been ongoing debate between regulators and policymakers over which legal basis is most appropriate in a given situation,” Meta said in its statement.
Helen Dixon, head of Ireland’s Data Protection Commission, said the regulator must be an “honest broker” and not bow to the demands of privacy advocates who are pushing for rulings that cannot withstand legal challenges.
“We’re not going to get results by simply rewriting the GDPR the way we want to see it,” Ms Dixon said in an interview.
There are some signs that the European Union is stepping up its crackdown on the world’s largest technology companies. New EU laws were passed last year aimed at curbing anti-competitive behavior in the tech industry and forcing social media companies to more aggressively police user-generated content on their platforms. Last month, Amazon agreed to make major changes to how it sells products on its platform as part of a settlement with European Union regulators to avoid antitrust charges.
In November, Meta was fined about $275 million by Irish authorities over a data breach discovered last year that left the personal information of more than 500 million Facebook users online.
In 2023, the EU’s highest court, the European Court of Justice, is also expected to rule on cases that could lead to more changes in Meta data collection practices.
However, many believe that enforcement is at odds with EU policymakers’ rhetoric about greater regulation of technology. Austrian data protection activist Max Schrems, whose nonprofit NOYB filed the complaints that led to Wednesday’s announcement in 2018, said there were still thousands of data protection complaints to be resolved.
“In theory you have all these rights, but in practice they are not enforced,” he said.