As of August 4, Meta and its associated brands will no longer be able to use its standard process of targeted advertising in Norway. The country’s data protection agency has issued a “temporary” 90-day ban that begins on that date, intended to give Meta a period in which it would have to radically transform its business model to be within compliance.
For every day that it remains out of compliance during this period, Meta will be assessed the equivalent of $100,000. The fine period would run until the end of October, and should Meta be out of compliance for the full duration it would end up paying a total of $9 million.
Unusual fine structure seeks to limit targeted advertising to publicly disclosed information
Norway’s DPA has not banned the Meta companies from using targeted advertising. But to come into compliance, the companies would have to restrict the system to using whatever public information that users disclose in their accounts, for example in the “About” section of Facebook profiles. The DPA based this ruling on the likelihood of users being profiled by behavior-based ads, and potentially stereotyped and discriminated against.
Needless to say, this would involve radical changes to the system that would not likely be feasible to geographically limit to Norway. The country is also a significant market for Meta, with an estimated 82% of its adult population (over three million people) on Facebook and 65% on Instagram. Given that there is only about a week until the fine period starts, and that the total fine would be well below one percent of its annual revenue, Meta is quite likely to eat the full amount and continue doing business as usual in the region. A statement from Meta said that the company was “analyzing the decision” and that it would have no “immediate effect” on its services.
It remains to be seen what would happen after that, however. The DPA’s statement indicated that behavioral advertising is now banned entirely in Norway, a move that could have implications for many other companies. Any personalized advertising in the country will likely have to be limited to information that users volunteer in a public bio of some sort. The DPA seems to have reached its statutory limits in imposing the 90-day ban, but it has already made contact with the European Data Protection Board (EDPB) to extend the decision.
Norway’s decision predicated on prior GDPR ruling
The Norway DPA decision also uses recent actions by Ireland’s DPC and the Court of Justice of the European Union (CJEU) as a foundation. In December of last year, the Irish DPC found that Meta’s behavioral advertising violated the terms of the General Data Protection Regulation and issued a fine equivalent to $438 million. It was also ordered to bring its operations into compliance by the end of March of this year. Meta did make changes in an attempt to comply with the order, but a review by CJEU published in early July found that the changes were inadequate and that Meta remains in breach of regulations.
The Meta family of companies has long collected a broad variety of user information to feed its targeted advertising program: geolocation for phone users, a history of the type of content users “like,” the contents of any posts they make, what they browse and how long they spend on it, what they search for, and so on. A recent study found that while TikTok is by far the most expansive app in terms of personal data collection, Meta has three entrants in the top 10: Instagram, WhatsApp and the Facebook mobile app.
The Norwegian DPA did clear the path for Meta (and other companies) to freely use contextual advertising, or that which draws only on what the user is looking at during the present moment or in their recent browsing history. So if the end user is browsing a page for houses to rent in a certain city, it would be OK to attach real estate or ads for related regional services, so long as this algorithm is not drawing on other personal information created elsewhere. This is how targeted advertising on Twitter has worked for most of the platform’s history, though the company has encountered legal issues of its own in misdirecting users as to the purpose of some of its personal data collection.
Meta had been claiming a “legitimate interest” exception from collecting full consent for the scope of the personal data it uses for targeted advertising, something the CJEU decisively shot down. The Norwegian DPA’s decision could be the first of a flood of similar GDPR actions by other regional authorities, given that the cited CJEU decision stems from the Irish DPA’s related action against the company (which keeps its EU headquarters in Dublin).
One potential “out” for this situation would be to offer end users an alternative targeted advertising program, perhaps one that is more contextual in nature. The “legitimate interest” order requires Meta to fully inform users of the data collection and give them an option to opt into a less intrusive system, but Meta does not currently possess such an alternative; it would have to give them the option of disabling targeted advertising entirely.