The business model of Mark Zuckerberg’s Meta empire has been dealt a blow following a ruling that its legal justification for targeting users with personalised ads broke EU data laws.
Campaigners said the move could force the Facebook and Instagram owner to ask users to “opt in” to having their data used for targeted ads.
Ireland’s Data Protection Commission (DPC) has fined Meta a total of €390m (£343m), after the EU’s data authority rejected the company’s argument that users agree to receive ads based on their personal data when they enter into a “contract” with its social media platforms via the terms and conditions they sign.
A core part of the Facebook and Instagram business model is compiling profiles of users from their online activity, which enables advertisers to target people based on details such as their hobbies, consumer behaviour and location.
The DPC had initially backed Meta’s legal argument that the “contract” approach did not breach the EU’s general data protection regulation (GDPR), but it said on Wednesday it had to follow the binding recommendations of the bloc’s European Data Protection Board (EDPB), which is composed of all EU privacy regulators.
However, the DPC, which has regulatory power over Meta because the company’s EU base is in Dublin, added that it was seeking a court ruling against a further EDPB demand that it investigate all of Facebook and Instagram’s data processing operations.
The privacy campaign group Noyb, which triggered the decision after lodging complaints against Meta, said the outcome was a “huge” financial blow to the company, which relied on advertising for 98% of its $118bn (£98bn) turnover in 2021. Max Schrems, the honorary chair of Noyb, said Facebook and Instagram users in the EU would now need to be asked whether they wanted their data to be used for ads.
“This is a huge blow to Meta’s profits in the EU,” he said. “People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”
The DPC has given Meta three months to bring its data processing operations into compliance with the decision, which imposed a fine of €210m for the Facebook GDPR breach and €180m for Instagram. It did not give details of how Meta should comply with the decision.
Meta said in a statement it would appeal against the decision and that it was “incorrect” that personalised ads could no longer be offered without users’ consent following the DPC announcement.
“These decisions do not prevent targeted or personalised advertising on our platform,” said Meta. “The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.”
Meta’s advertising-based business model is already under pressure after Apple introduced a privacy change that required app developers to seek user permission to track their online activity in order to serve them personalised ads.
The company’s shares slumped in October last year after a grim earnings report in which it flagged an advertising slowdown. It is also struggling to convince investors about its multibillion-dollar investment in the metaverse, a concept where the physical and digital worlds combine via virtual and augmented reality.