Using personal info for ads without consent puts Meta in EU's gunsights
Schrems strikes again
European privacy regulators have determined that Meta's use of personalized advertising in Facebook, Instagram, and WhatApp violates data protection laws.
Specifically, the European Data Protection Board (EDPB), a group of EU privacy regulators, has invalidated a prior decision by the Irish Data Protection Commission (DPC) that allowed Meta to bypass data use consent requirements through its apps' terms of service.
Under Europe's General Data Protection Regulation, which took effect in 2018, consumers must be allowed to decide whether companies can use their personal data. Shortly after the law took effect, privacy group Noyb filed a complaint against Google, Instagram, WhatsApp, and Facebook for allegedly using personal data without adequate consent.
Meta, which became Facebook's parent company last year, tried to claim its use of personal information for advertising and tracking was contractually necessary – a GDPR consent exception generally extended to required data, like street addresses when shipping goods.
Max Schrems, an Austrian privacy advocate, lawyer, and founder of Noyb, said that Meta, rather than providing app users with a yes-or-no option for personalized ads, simply moved the consent clause into its apps' terms and conditions.
"This is not just unfair but clearly illegal," said Schrems in a statement. "We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way."
The long and winding road
After more than four years, the EDPB finally appears to have agreed with Schrems.
"This is a huge blow to Meta's profits in the EU," said Schrems. "People now need to be asked if they want their data to be used for ads or not. They must have a 'yes or no' answer and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent."
The decision means that the Irish DPC – which oversees Meta in the EU – is expected to issue a public ruling and potentially significant fines within a month.
According to Noyb, the EDPB decision means that Meta must alter its apps to provide a way to use them without providing personal data. It doesn't preclude the display of ads in general.
- EU Data Protection Board probes public sector use of cloud
- US commerce bosses view EU rules as threat to its clouds
- Dutch govt issues data protection report card for Microsoft
- EU and US seek 'common principles' for data governance and AI
The decision is not yet final: Meta has the option to appeal both the EDPB finding and Irish DPC ruling, whenever that appears. And the ad biz has made a habit of doing so.
Meta has been fined more than $900 million in privacy cases over the past year and a half: About $276 million in November 2022 for failing to protect user's phone numbers from online scraping; about $402 million in September 2022 for failing to protect children's data in Instagram; and about $266 million in September 2021 for WhatsApp data collection.
Meta is currently challenging the Instagram and WhatsApp decisions. The social network did not immediately respond to a request to comment on how it intends to respond to the EDPB decision. ®