The EU issued a €390 million (about $414 million) fine against Meta Wednesday, a decision that suggests Europe may be in its final days of widespread targeted advertising. One thing is certain: EU citizens are going to see even more pop-ups asking for consent to track them online than they already do.
For years, Facebook and Instagram said in their terms of service that say people can’t visit their apps or sites without consenting to targeted ads. The Irish Data Protection Commission (DPC) ruled that agree-or-get-lost requirement is illegal and gave Meta, Facebook and Instagram’s parent, three months to bring its data empire into compliance with European law.
Meta published a blog post about its legal justification for data harvesting, and said it would appeal the DPC’s decision. But things look grim for the social media giant, which is already dealing with a stock value in freefall.
“We’re disappointed by these decisions and intend to appeal both the substance of the ruling and the fine,” said Al Tolan, a Meta spokesperson, in an emailed statement. “Meta can continue to provide personalized advertising across the EU — any suggestion otherwise is inaccurate.”
Meta and other big advertising companies like to say that people prefer “relevant” (aka targeted) ads, but when you frame the question in the context of privacy and pervasive data collection, most people aren’t on board. If Meta and the rest of the internet are forced to obtain meaningful consent for data harvesting, it could spell the death of targeted ads in the EU, one of the world’s biggest ad markets. That would turn the web’s business model on its head.
“If the law is properly enforced, we should move towards personalized ads only based on true, fairly obtained, freely given ‘opt-in’ consent for people that really want this,” said Max Schrems, an Austrian privacy advocate who filed the original complaint against Meta. Schrems said this may also shift that power away from the tech industry and towards companies that publish original content. “They would have an easier time to compete in such a model,” he said.
Under Europe’s General Data Protection Regulation, better known as GDPR, companies need to get your consent before collecting and processing your data. In some cases, the law allows business to force user consent for data processing before using a service. For example, food delivery services can say they have a legal “legitimate interest” to get your home address, and prevent you from using their apps until you hand it over.
Facebook, Instagram and WhatsApp used that same legitimate interest justification to collect data, rather than giving users permission to opt out. That was a novel legal argument at the time, but Irish regulators have declared it officially bogus.
“Advertising companies have been kicking the GDPR can down the road for years now, daring regulators to enforce against them,” said Justin Brookman, director of technology policy for Consumer Reports. “Meta’s most recent argument was silly — that ad targeting was functionally necessary to provide social networking services. I’m glad to see GDPR finally getting enforced, I just wish it hadn’t taken so long to get here.” (Disclosure: this reporter formerly worked at Consumer Reports’ journalism division, which is separate from its advocacy wing, where Brookman works.)
Tech platforms have used the legitimate interest basis to skirt the GDPR for years. But other companies didn’t get away with it. For example, if you’re reading Gizmodo in Europe, you might have noticed this website ask for consent to track you with cookies. There’s a good chance you’ll see something similar on Facebook, Instagram, and other apps in the near future.
“This basically leads to all the ‘cookie banners’ where companies use loads of dark patterns to get consent rates from 3% (according to industry studies) to at least 50+% in practice,” Schrems said. “These ‘dark patterns’ are also illegal under the GDPR, but this is another fight.”
Don’t think you’ll be seeing fewer ads, in fact, this ruling may generate even more of them. If companies can’t use your data, they can still show you “contextual” ads, which are based on the content you’re looking at (imagine an ad for Honda’s on an article about cars). But contextual advertising is cheaper than ads tailored via your personal information, and therefore less profitable for the companies selling it. If each individual ad makes less money, showing more of them is an obvious solution to bridge the revenue gap.
Meta is up for a serious legal battle, but some European regulators may be on the company’s side. To understand why, you have to deal with some more acronyms.
The Irish DPC’s move follows a binding decision in December by the European Data Protection Board (EDPB), which is a a broader regulatory body made up of all of Europe’s privacy regulators. Ireland is Europe’s tech hub, and it’s where Meta has it’s EU headquarters. As you might expect, Irish regulators are more business friendly, and in the past they’ve ruled in favor of Meta’s legal justification for data collection. The EDPB over ruled that decision, and ordered the Irish DPA to take action against Facebook and Instagram.
The DPC referenced this history in Wednesday’s announcement, but it seems Meta will have to duke it out in European courts outside Ireland, where there’s less sympathy for the company’s privacy plight.
Of course, EU law doesn’t apply outside of Europe, so Meta is welcome to continue its advertising spy games in the United States. But the walls are closing in on privacy issues. American regulators are more business-friendly than their European counterparts, but the few privacy laws in the US use the GDPR as their model. With a federal privacy law on the table for the new American Congress, it’s not impossible that the end of targeted ads in Europe could set a precedent for data rules in the US.