Since the General Data Protection Regulation (GDPR) went into effect in 2018, Meta has done nearly everything possible to claim legal exceptions to the requirements to obtain user consent for collecting personal information for targeted ads.
The company appears to have finally reached the end of its rope in this area, though a recently announced changeover to a consent basis will only apply to EU and European Economic Area (EEA) countries along with Switzerland.
Meta’s “legitimate interest” campaign runs out of steam, user consent model announced
Meta has labored under the weight of repeated fines and lawsuits in the EU for half a decade now, the majority centered on its targeted ads program and its attempts to be excepted from user consent rules. Facebook first attempted to claim that its “contractual” relationship with users exempted it from GDPR requirements; complaints finally caught up to them when the European Data Protection Board (EDPB) issued a final ruling against the practice in December of last year.
The company, at this point called Meta, switched to attempting to claim a “legitimate interest” exception predicated on the practice being absolutely necessary to the basic function of its platforms. The complaint-and-rejection process was much faster this time, as assorted EU data protection authorities have already heard similar cases as pertains to targeted ads (against the likes of TikTok and the Interactive Advertising Bureau Europe) and rejected the argument.
There are only six possible GDPR exemptions of this sort that can be claimed, and Meta has tried the two that had the best possible chance of working for a targeted advertising business. This time it appeared to be a July ruling from the Court of Justice of the European Union (CJEU) that prompted the company’s current change of direction, as it was found to be out of compliance with GDPR standards; it has also been facing increasing pressure from the usually friendly Irish DPC, and had its targeted advertising business banned entirely in Norway a few weeks ago. Meta now appears to be turning to asking for user consent after exhausting all of its possible alternative avenues under the law.
However, the privacy group noyb (architects of most of the complaints that have hounded Meta) believes that the company’s games may not yet be at an end. It notes that Meta’s statement says that it is only switching to user consent for “certain data for behavioral advertising.” This could mean that Meta plans to exclude data points that are not strictly tied to a behavior, like a person’s physical location or age. noyb has indicated that it will file further complaints if Meta attempts to claim such exceptions that involve protected forms of personal data.
Despite VR moves, Meta still strongly tied to targeted ads
Meta’s name change signaled a shift by the company to a future focused on virtual reality, but for the moment it is still very firmly living in a world of targeted ads. 97% of the company’s revenue in 2022, or a total of about $117 billion, came from advertising. Meta says that EU countries are responsible for at least 10% of its revenue, and it is likely a chunk of that will disappear if a true user consent model is implemented. There isn’t yet a firm timeline for the changeover, but it could happen as early as October of this year.
The company does currently have an opt-out process for targeted ads, implemented in April after the Irish DPC signaled that the company could be heading for serious trouble. Users must find and fill out a form in its web of help pages, and the action only applies to “highly personalized” ads that use particular categories of sensitive personal data. It is unclear if the user consent changes will extend that to all targeted ads, but it will at least provide an opt-in process that users are prompted about.
Meta has faced a string of recent troubles involving GDPR violations, the largest of which was a $1.3 billion fine for its continued EU-US data transfers in the wake of the Schrems II decision (another area in which the company tried various legal workarounds before running out of rope with regulators). Targeted ads also bought the company a €390 million fine early this year, as the European Commission determined that Facebook and Instagram user consent processes for collecting personal data were not adequate. Meta was also hit with a €265 million fine in late 2022 for failure to prevent a massive Facebook data scraping attack that took place earlier that year, and a fine of €405 million for failure to have adequate child protections in place at Instagram.