Meta Platforms was fined €390 million (approximately $414 million) by the Irish Data Protection Commission (DPC) for its handling of user data for serving personalized advertisements, which could be a major blow to its ad-driven business model.
In this regard, the privacy regulator has ordered Meta Ireland to pay two fines: €210 million ($222.5 million) for violating the E.U. General Data Protection Regulation (GDPR) about Facebook, and €180 million ($191 million) for similar violations in Instagram.
The most recent enforcement comes after concerns that the social media company used its Terms of Service to coerce users into allowing targeted advertising based on their online activity. The complaints were filed on May 25, 2018, the effective date of GDPR in the region.
It also comes one month after the European Data Protection Board (EDPB), an independent body that oversees the consistent application of GDPR in the European Union, announced that it had reached legally binding decisions on the matter.
Meta can no longer rely on contracts – i.e., acceptance of its Terms of Service – as a legal basis for processing personal data for behavioral advertising, effectively rendering the company’s advertising practices unlawful.
The DPC stated, “Meta Ireland is not entitled to rely on the ‘contract’ legal basis about the delivery of behavioral advertising as part of its Facebook and Instagram services, and that it’s the processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, constitutes a breach of Article 6 of the GDPR.”
Meta has argued that customizing advertisements based on information about users’ online behavior is a necessary component of the personalized service it provides. However, the company has three months to bring its data processing practices into compliance.
“Instead of having a ‘yes/no’ option for personalized ads, they simply relocated the consent clause in the terms and conditions,” Max Schrems of NOYB, whose privacy non-profit originally filed the complaint against Meta, said. Not only is this unfair, but it is also clearly illegal.
Meta, which has already experienced a decline in ad revenue in part due to Apple’s privacy changes in iOS last year that require apps to ask permission before tracking users, stated that it was “disappointed” by the decision and that it “strongly” believes that its approach complies with GDPR. The company intends to appeal the findings of the DPC.
Importantly, these decisions do not prevent personalized advertising on our platform, the company emphasized. “The decisions pertain only to the legal basis upon which Meta offers specific advertisements,”
The tech giant characterized as “incorrect” the suggestion that it can no longer offer personalized advertisements to European users without their opt-in consent, citing a lack of regulatory clarity on the matter.
Last year, Meta was hit with a slew of privacy-related fines in Europe and the United States. Late in December 2022, the company also agreed to pay $725 million to settle a class-action lawsuit that accused it of providing unauthorized access to user data by third parties.
The class action lawsuit was initiated in 2018 after Facebook disclosed that the data of 87 million users was improperly shared with Cambridge Analytica, a British political consulting firm that used the harvested data to inform political campaigns.
CNIL issues an €8 million fine against Apple
In a related development, France’s privacy watchdog, the Commission Nationale de l’informatique et des libertés (CNIL), has fined Apple €8 million for failing to obtain iPhone users’ consent before using identifiers to display targeted advertisements in iOS 14.6, as mandated by French law.
“Additionally, the user was required to perform a large number of actions to disable this setting, as this option was not integrated into the phone’s initialization path,” the agency explained.
Apple stated that it intends to appeal the case, noting that it gives users “a clear option as to whether or not they want personalized advertisements.” Additionally, it was stated that the service utilizes only first-party data.
