Meta suffered a major defeat on Wednesday that could severely undermine its Facebook and Instagram advertising businesses after European Union regulators found it had illegally forced users to accept personalized ads, effectively.
The decision, including a 390 million euro ($414 million) fine, has the potential to require Meta to make costly changes to its ad-based business in the European Union, one of its largest markets.
The ruling is one of the most significant since the 27-nation federation of nearly 450 million people enacted a landmark data privacy law intended to limit the ability of Facebook and other companies to collect information about users without their prior consent. The law went into effect in 2018.
The case hinges on how Meta receives legal permission from users to collect their data for personalized advertising. The company’s Terms of Service agreement — the extremely lengthy statement that users must accept to access services like Facebook, Instagram, and WhatsApp — includes language that effectively means that users must either allow their data to be used for personalized ads or stop using Meta social media services altogether.
The Irish Data Privacy Council, which acts as Meta’s lead regulator in the EU because the company’s European headquarters is in Dublin, said EU authorities determined that placing legal consent within the terms of service essentially forced users to accept personalized ads, which is a breach of the European agreement. The law known as the General Data Protection Regulation or GDPR
Meta has three months to explain how she will comply with the ruling. The decision does not specify what the company must do, but it may result in Meta allowing users to choose whether they want their data to be used for such targeted promotions.
If a large number of users choose not to share their data, it will cut off one of the most valuable parts of Meta’s business. Information about a user’s digital history — such as which Instagram videos prompt a person to stop scrolling, or what types of links a person clicks on when browsing Facebook feeds — is used by marketers to get ads in front of the people most likely to buy. Practices helped Meta generate $118 billion in revenue 2021.
The ruling puts 5 to 7 percent of all Meta advertising revenue at risk, according to Dan Ives, an analyst at Wedbush Securities. “This could be a big punch in the gut,” he said.
The penalty contrasts with regulations in the United States, where there is no federal data privacy law, and only a few states such as California have taken steps to create rules similar to those in the European Union. However, any changes Meta makes as a result of the ruling may affect users in the United States; Many tech companies apply EU rules globally because that is easier to implement than restricting them to Europe.
The EU ruling is the latest head-to-head against Meta, which has already been grappling with a file Significant decrease in advertising revenue Because of a change made by Apple in 2021 that gave iPhone users the ability to choose whether advertisers could track them. Meta said last year that Apple’s changes would cost it about $10 billion in 2022, with consumer surveys indicating that a clear majority of users have blocked tracking.
Meta’s struggles come as it tries to diversify its business from social media into the world of virtual reality known as the metaverse. The company’s share price has fallen more than 60 percent in the past year, and it’s down layoffs of thousands of employees.
Wednesday’s announcement concerns two complaints filed against Meta in 2018. Meta said it will appeal the decision, leading to what could be a protracted legal battle that will test the strength of GDPR and how regulators aggressively use the law to force companies to change their businesses. practices.
“We strongly believe our approach is respectful of GDP, and therefore we are disappointed with these decisions,” Facebook said in a statement.
Privacy groups hailed the result as a long overdue response to companies gobbling up as much data as possible about people online in order to deliver personalized ads. But critics also saw the more than four years it took to reach a decision as a sign that enforcement of the GDPR is weak and slow.
“European implementation has not yet delivered on the promises of the GDPR,” said Johnny Ryan, privacy rights campaigner and senior fellow at the Irish Council for Civil Liberties. The ruling notes that “big tech companies may be on their way to a bumpier road.”
Within the EU there has been disagreement over how to enforce the GDPR Irish authorities said they initially ruled that Meta’s use of the Terms of Service for permission was legally sufficient to comply with the law, but it was overturned by a council made up of representatives from all EU countries.
“There has been a lack of regulatory clarity on this issue, and debate among regulators and decision-makers over the most appropriate legal basis in a given situation has been going on for some time,” Meta said in its statement.
Helen Dixon, chair of Ireland’s Data Protection Commission, said regulators should be an “honest broker” and not give in to demands from privacy campaigners calling for rulings that do not stand up to legal challenges.
“We will not achieve results by simply seeking to rewrite the GDPR as we would have liked to see it written,” said Ms. Dixon said in an interview.
There are some signs in the European Union of a broader and intensified effort to crack down on the world’s largest technology companies. New laws passed in the European Union last year aim to stop anti-competitive practices in the tech industry and force social media companies to more aggressively monitor user-generated content on their platforms. Last month, Amazon agreed to make major changes to how products are sold on its platform as part of a settlement with EU regulators to avoid antitrust fees.
In November, Meta was fined about $275 million by Irish authorities over a data leak discovered last year that led to personal information of more than 500 million Facebook users being released online.
In 2023, the European Union’s highest court, the European Court of Justice, is also expected to rule on cases that could lead to further changes to Meta’s data collection practices.
However, many believe the app has not matched EU policymakers’ rhetoric about strong technology regulation. Thousands of data protection complaints still need to be addressed, said Max Schrems, an Austrian data protection activist whose nonprofit organization, NOYB, filed complaints in 2018 that led to Wednesday’s announcement.
“On paper you have all of these rights, but in practice the enforcement doesn’t happen,” he said.
“Explorer. Unapologetic entrepreneur. Alcohol fanatic. Certified writer. Wannabe tv evangelist. Twitter fanatic. Student. Web scholar. Travel buff.”