Meta logo in mobile phone showing Irish DPC fine to Meta for consent over targeted advertising

Irish DPC Orders €390 Million Fine to Meta Over Targeted Advertising, Orders Implementation of Ability To Opt Out

Ireland’s Data Protection Commission has handed down a €390 million fine to Meta over its targeted advertising practices on Facebook and Instagram. The fine stems from a long legal battle over Meta’s claim that users enter into an implicit contract agreeing to receive personalized ads when they accept the terms of service.

A recent ruling by the European Data Protection Board (EDPB) has formally invalidated that argument, and Meta will likely now be forced to provide users with a means of opting out of targeted advertising that comports with General Data Protection Regulation (GDPR) requirements.

Facebook and Instagram targeted advertising may be in line for big changes

The complaints against Meta were initiated by privacy crusader Max Schrems in 2018, not long after the GDPR had gone into effect. Meta has long contended that it does not have to follow certain GDPR consent requirements for targeted advertising as they are implicitly covered by the terms of service in place on Facebook and Instagram, and that it is a special exception because the personal data it gathers is vital to fulfilling those terms.

This argument was obviously on loose legal ground, and the EDPB formally did away with it in a December ruling. While the fine is of the sort that tech companies of Meta’s size regularly absorb, the Irish DPC’s decision looks to force Meta to allow users to opt out of the company’s internal targeted advertising systems. The decision gives Meta three months to bring Facebook and Instagram into GDPR compliance.

Contractual necessity exemptions limited by decision

The GDPR does provide for some degree of “contractual necessity” of the type that Meta attempted to invoke as a legal defense, and the Irish DPC had previously shown signs of supporting the argument. The agency submitted a draft decision in October 2021 that would have fined the company between €28 and €36 million, but also would have established that collecting data for targeted advertising is a “core element” of its service. The Irish DPC had argued that it is “widely understood” that Facebook’s revenue comes from personalized advertising and that any “reasonable user” would understand that it was the essential cost of using the otherwise “free” service.

Several other EU regulatory bodies disputed this draft decision, eventually sending it to the EDPB for final judgment (which seats representatives from throughout the bloc). Among other elements, the board came down on the side of the counterarguments that this consent process was coercive in forbidding the user from accessing the service if they do not agree to the terms (a violation of another GDPR rule) and that users were not adequately informed of the scope of the targeted advertising practices they were implicitly agreeing to.

Meta has not been given a direct order as to how to return to GDPR compliance, but the expectation is that users will have to be more clearly notified of targeted advertising practices and asked to opt in to them. Early estimates by some analysts are that Meta could lose around 5% of its ad revenue if this is the case; the total cost would depend to some degree on whether Meta attempts to restrict this change to users that it identifies as being within the EU or simply rolls it out globally. However, Meta does have the option to appeal the decision and is widely expected to, which means the process could potentially stretch on for much more than three months.

Prior decisions have cut off other routes to targeted advertising revenue without fully informed consent. TikTok was quickly taken to task by EU regulators in mid-2022 when it attempted to change its privacy policy to a “legitimate interests” model that would have short-circuited the user consent process. That argument has not been tested in court yet, but TikTok voluntarily shelved it after it was warned of future trouble by Italy’s data privacy regulator.

Meta weathered an expensive year in the EU in 2022 as it racked up a total of over €740 million in fines for various breaches of the GDPR and national privacy laws: €405 million for failing to adequately protect the privacy of minors on Instagram, €265 million for a Facebook data scraping incident, and €60 million for cookie consent issues related to targeted advertising, in addition to some smaller penalties. The company is also facing an expected 2023 ruling from the European Court of Justice on antitrust issues that could bring even more penalties and restrictions. All of this comes as the company struggles with plunging stock prices amidst the sharp decline in popularity of Facebook among young adults and a risky long-term pivot away from social media to virtual reality services.