Meta’s ad practices ruled illegal under GDPR: Key facts and implications of the decision 

The European Data Protection Board (EDPB) ruled that Meta could no longer use contracts as a basis for its behavioral ads. Instead, they should rely on consent as the ground for personal data processing under the EU’s general data protection regulation (GDPR). Initially, the Data Protection Commission of Ireland (DPC) had backed Meta’s legal argument that contractual necessity didn’t breach the EU’s law.

The EDPB’s application of GDPR aims to address the power imbalance between big tech and the consumer, giving people more control over their data. It is a warning to all ad-funded platforms that they must provide two versions of their product, designed for: 

1. the general, non-consenting public 
2. the opted-in users.

In this post, we explain the situation with Meta, the problem of behavioral ads, and why it’s a consequence of a broader problem with the business model behind tech companies. We also present the practical implications for companies using Meta products for advertising.

What happened

On December 5, 2022, the EDPB ruled that the way Meta receives user consent for behavioral advertising violates EU law. According to the Board, their method lacks proper legal grounds for processing millions of Europeans’ personal data for such activity.

In January 2023, the Irish DPA adopted EDPB’s decisions regarding Facebook and Instagram, which belong to Meta. A third decision against WhatsApp is coming shortly. The ruling rejects Meta’s claim of contractual necessity. Meta IE was fined €390 million and given three months to deliver a compliance plan.

The EDPB did not say that targeted advertising on social media platforms is unlawful. The Board found that Meta was profiling users illegally because they were abusing a specific legal basis under GDPR – the performance of a contract. 

Let us go into the details and the consequences of the ruling.

What does the ruling mean, and what is Meta’s position

The EDPB’s ruling is one of the most consequential judgments since the introduction of GDPR in 2018 and a significant blow to Meta’s advertising business.

Meta argues that when people sign up to Facebook, Instagram, or WhatsApp, they want a personalized service, including personalized ads. To provide that service, Meta claims that it must collect personal data to power its hyper-targeted behavioral advertising, making it a contractual necessity that, according to Meta, does not require explicit consent.

The draft decision by the DPC initially accepted this argument. However, the EDPB disagreed and ruled that Meta must receive a clear opt-in from users wishing to be tracked for advertising. Otherwise, user data cannot be used for targeted behavioral ads. This general requirement will also apply to other digital advertising platforms operating in the EU. 

Meta plans to appeal the ruling. “We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” Meta said in a blog post. “The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business, and create new markets.”

How big of a deal is this? The decision could force Meta to ask users for explicit, specific, informed and unambiguous consent to use their personal data for advertising, a practice that underpins the company’s entire business model. It is a precedent affecting the whole big tech industry.

Consequence: no personalized ads and reduced profits for Meta. Meta may have to change how a crucial part of its business works. The decision means that Meta must provide its users with a version of all apps that doesn’t use personal data for ads. The decision would still allow Meta to use contextual advertising, such as a story’s content, to personalize ads or to ask users for consent to ads via a ‘yes/no’ option. Users must be able to withdraw consent at any time, and Meta may not limit the service if users choose to do so. While this will restrict Meta’s profits dramatically in the EU, it would not entirely prohibit ads. The decision will put Meta on the same level as other websites or apps that need to provide a consent option to users.

If many users keep their data private, it will cut off one of the most profitable parts of Meta’s business. Information about a user’s digital history – such as what videos on Instagram prompt a person to stop scrolling or what types of links a person clicks when browsing Facebook feeds – is used by marketers to get ads in front of people who are the most likely to buy. The practices helped Meta generate $118 billion in revenue in 2021.

The outcome of the decision is that the platforms must introduce two product versions, one for the general, non-consenting public and another one for opted-in users. They cannot differ in terms of features and functionalities. The other solution might be a move towards a subscription-based business model.

Changing the business model, to subscriptions or two versions of the platform, will definitely impede Meta’s ability to grow on the stock exchange.

Controversies around the DPC decisions

Besides posing challenges for Meta’s business model, the DPC’s two decisions reflect growing disagreement among European data protection authorities (DPAs) on two fronts. The first relates to using contractual necessity as an appropriate legal basis under GDPR for providing behavioral advertisements. The second involves the legal authority of the EDPB to order DPAs to bring new investigations.

The DPC’s final decisions came after more than a two-year-old dispute with other EU DPAs that disagreed with its draft decision. The EDPB settled the argument by forcing the DPC to reject Meta’s claim of contractual necessity.

The DPC’s documents have already sparked complaints among privacy watchdogs. The Austrian noyb is questioning the Irish regulator’s amendments to the binding EDPB decision.

According to noyb, the DPC narrows the scope of the EDPB’s decision and limits it to processing for advertisement only. The decision doesn’t deal with other forms of personalization, such as content personalization and product improvement or the processing of sensitive personal data under Article 9 of GDPR.

Moreover, noyb is highlighting the DPC’s refusal to carry out additional investigations requested by the EDPB. The DPC said it was seeking a court ruling against an EDPB demand to investigate all of Facebook and Instagram’s data processing operations.

The Board’s binding decision directs the DPC to conduct “a fresh investigation that would span all of Facebook and Instagram’s data processing operations and examine special categories of personal data that may or may not be processed in the context of those operations.”

Such an investigation – were it to take place – could further hurt Meta’s business model in the EU, where legal experts have been warning for years that the tech giant’s consent-less tracking and profiling breaches the European law.

Data is not a commodity under GDPR

Meta is one of many big tech companies struggling with GDPR. TikTok got in trouble with the Italian DPA because of legal bases not long ago. Google Analytics is also having its fair share of problems. Several Memeber States have decided that the use of Google Analytics violates the EU’s law.

The core of the issue is that GDPR, and the EU data privacy protection framework in general, treats privacy and data protection as fundamental rights. In contrast, many tech companies have business models relying on collecting and processing personal data and are generally reluctant to diminish the amount of data they are collecting.

These perspectives are incompatible. Under GDPR, privacy and data protection are non-negotiable rights. The processing of personal data cannot be justified just because it’s part of a business model, no matter how successful.

Critics of GDPR argue that the regulation needs to be more practical and relevant to a data-driven economy. But European institutions are aware of the vital role of data. GDPR is citizen-centric and focuses on the data protection rights of individuals. 

GDPR also draws a line between a data-driven economy and a surveillance economy, and this line has been enforced against Meta.

“The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioral advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions may also have an important impact on other platforms that have behavioral ads at the center of their business model,” said EDPB chair Andrea Jelinek in a statement.

Other types of advertising that don’t require processing personal data, such as contextually targeted advertising, are available. Hence, Meta’s claim that intrusive tracking and profiling of individuals is a core component of its services was found illegal by the Board.

Changes that Meta will make due to the ruling can affect users in the United States and EU advertisers alike. Many tech companies apply EU rules globally because that is easier to implement than limiting them to Europe.

What is the solution?

The ruling does not mean that advertising will be banned unless there is user opt-in. It is possible to use contextual advertising to provide tailored ads without infringing on users’ privacy or building vast stores of personal data that risk being leaked.

Moving to privacy-minded platforms can play a big part in building a surveillance-free Internet. It’s a good idea to work with those that support values such as privacy by design. Following these values will help you fully control your data, and understand what kind of data you collect, store and transfer. Keep in mind that the main issue in question around Privacy Shield and GDPR is personal data.

We’re committed to building an open analytics platform that helps with compliant data collection and activation. As an open platform, Piwik PRO isn’t tied to one ad ecosystem. If you’re interested, be sure to get in touch.