Meta suffered a major failure on Wednesday that could severely cripple its Facebook and Instagram advertising businesses after EU regulators found it illegally forced users to effectively accept personalized ads.
The decision, which includes a 390 million euro ($414 million) fine, could require Meta to make costly changes to its advertising business in the European Union, one of its largest markets.
The ruling is one of the most significant since the Group of 27 nations, with a population of about 450 million, enacted landmark data privacy laws aimed at limiting the ability of Facebook and other companies to collect information on users without their prior consent. ability. The law came into force in 2018.
The case hinges on how Meta obtained legal permission from users to collect their data for personalized advertising. The company has included language in its terms of service agreement, a very lengthy statement that users must accept before accessing services like Facebook, Instagram and WhatsApp, that effectively means users must allow their data to be used to personalize ads or Stop using Meta’s social media services altogether.
Ireland’s Data Privacy Commission, Meta’s main regulator in the EU because the company’s European headquarters is in Dublin, said EU authorities determined that incorporating legal consent into the terms of service essentially forced users to accept personalized advertising, a violation of the law. European law known as the General Data Protection Regulation, or GDPR
The decision didn’t specify how companies would have to comply with the ruling, but it could lead to Meta allowing users to choose whether they want their data used for such targeted promotions.
If large numbers of users choose not to share their data, it cuts off one of the most valuable parts of Meta’s business. Information about a user’s digital history — such as which videos on Instagram prompt users to stop scrolling, or what types of links people click while browsing their Facebook feed — is used by marketers to place ads in front of users who are most likely to appear purchase.These practices help Meta in 2021.
The penalties on Meta stand in stark contrast to regulations in the U.S., which has no federal data privacy laws and only a handful of states, such as California, have taken steps to create rules similar to those in the European Union, but Meta’s ruling could affect users in the U.S.; many tech Companies apply EU rules globally because it is easier to enforce than restricting them to Europe.
The EU ruling is the latest business headwind for Meta, which is already grappling with a sharp drop in ad revenue after Apple made a change in 2021 to give iPhone users the ability to choose whether advertisers can track them. Consumer surveys show that the vast majority of users block tracking.
Meta’s woes come as it tries to diversify its business from social media into a virtual reality world called the Metaverse. The company’s stock price has plunged more than 60% in the past year and it has laid off thousands of employees.
Wednesday’s announcement relates to two complaints filed against Meta in 2018. Meta said it would appeal the decision, which could spark a protracted legal battle to test the power of the GDPR and how aggressively regulators can use the law to force companies to change their business practices.
“We strongly believe our practices respect the GDPR, so we are disappointed by these decisions,” Facebook said in a statement.
The result was hailed by privacy groups as an overdue response to companies gobbling up as much online user data as possible to serve personalized ads. But the decision, which took more than four years, was also seen by critics as a sign of weak and slow enforcement of the GDPR.
“European law enforcement has yet to deliver on the promise of GDPR,” said Johnny Ryan, a senior fellow at the Irish Civil Liberties Commission and privacy activist. The judgment suggests that “big tech companies may have a bumpier ride.”
Within the EU, there is disagreement over how to implement the GDPR. Irish authorities said they initially ruled that Meta’s use of the terms of service for a license was legally sufficient to comply with the law, but they were overruled by a committee made up of representatives from all EU countries.
“In the absence of regulatory clarity on this issue, there has been ongoing debate between regulators and policymakers over which legal basis is most appropriate in a given situation,” Meta said in its statement.
There are some signs that the European Union is stepping up its crackdown on the world’s largest technology companies. New EU laws were passed last year aimed at curbing anti-competitive behavior in the tech industry and forcing social media companies to more aggressively police user-generated content on their platforms. Last month, Amazon agreed to make major changes to how it sells products on its platform as part of a settlement with European Union regulators to avoid antitrust charges.
In November, Meta was fined about $275 million by Irish authorities over a data breach discovered last year that left the personal information of more than 500 million Facebook users online.
In 2023, the EU’s highest court, the European Court of Justice, is also expected to rule on cases that could lead to more changes in Meta data collection practices. However, many believe that enforcement is at odds with EU policymakers’ rhetoric about greater regulation of technology. Austrian data protection activist Max Schrems, whose nonprofit NOYB filed the complaints that led to Wednesday’s announcement in 2018, said there were still thousands of data protection complaints to be resolved.
“In theory you have all these rights, but in practice they are not enforced,” he said.
