Takeaways from Meta’s huge fine

January 2023

Digital advertising faces significant changes in the wake of the latest fine to be levelled at Mark Zuckerberg’s Meta.

The Data Protection Commission (DPC) for Ireland has fined Meta (Meta Platforms Ireland Limited) a huge 390 million Euros. It was ruled Meta’s reliance on contract terms as the lawful basis for personalised advertising on both Facebook and Instagram, is invalid.

On top of the fine the DPC has given Meta three months to comply with its interpretation of the EU GDPR.

What does this mean for social media advertising?

Behavioural advertising on Facebook and Instagram platforms are targeted using user-profile information. It’s based on people’s online activity and other details they share with the platform. This helps advertisers to target individuals based on location, hobbies, interests and other behaviours.

This latest ruling calls into question whether social media platforms must seek their users’ prior opt-in consent for behavioural advertising, rather than rely on the contractual terms people sign up for to use the platforms.

If social platforms switch to an opt-in consent, users will inevitably gain far more control over the adverts they see. But on the flipside, the number of individuals available for targeting by advertisers is likely to decline. This would have a big impact the marketing mix for many companies.

What’s behind the Meta ruling?

The DPC’s investigation stretches back to complaints originally raised on the very first day EU GDPR came into force, in May 2018. From the get go, it was argued Facebook’s (now Meta) processing for personalised advertising was unlawful.

Significantly prior to May 2018, Facebook Ireland updated both Facebook and Instagram’s Terms of Service. ‘Implicit consent’ had previously been used for behavioural advertising, but with consent being much more onerous to achieve under GDPR, there was a switch to relying on contract as the new lawful basis for the ads.

Users were asked to click ‘I accept’ to the updated Terms of Service and, in doing so, by default accepted behavioural advertising as part of the service package. The platforms simply would not be accessible if users declined to do so. The Irish DPC has now rejected the validity of the contract as a valid lawful basis for behavioural advertising.

This ruling follows a lot of uncertainty and disagreement between the DPC, other EU regulators and the European Data Protection Board (EDPB), over the use of contract as a legal basis for this type of advertising.

The Chair of EDPB, Andrea Jelinek: ‘The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioural advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model.’

This latest ruling represents a U-turn by the DPC, who have now stated their decisions ‘reflect the EDPB’s binding determinations.’

This is not Meta’s only fine. In September 2022, the DPC fined Meta €405 million for allowing minors to operate business accounts on Instagram, and there have been others. Unsurprisingly Meta plans to appeal both of the DPC’s decisions.

Key takeaways for digital advertising

  1. The burning question is ‘Can I still run ads on Facebook & Instagram?’. Technically yes – the ruling applies to Meta, not its advertisers. Meta, for its part, said; ‘These decisions do not prevent personalised advertising on our platform.’ However, using theses platforms is not without potential risks.
  2. Data protection by design is paramount for digital advertisers. There’s a regulatory expectation that the interests, rights, and freedoms of individuals are respected. Platforms need to evidence these considerations have been taken into account.
  3. Users must be given a real choice. They must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. They must be given meaningful control and the platforms must be able to demonstrate there is user choice through the data lifecycle.
  4. Accountability is key – there should be genuine transparency around how and why personal data is processed and who is responsible for that processing.

Max Schrems, privacy activist and honorary chair of Noyb: ‘People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.’

Estelle Masse, Global Data Protection Lead at Access Now, said the decisions are ‘hugely significant‘ for online companies which rely on targeted ad revenues. She said they should look at whether the way they deliver ads online is ‘legal and sustainable.’

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.