General Data Protection Regulation (GDPR) , Standards, Regulations & Compliance
Europe Clamps Down on Meta Ad Personalization
Company Rolls Out a Paid Subscription for Ad-Free UseSocial media giant Meta faces a possible ban within the next 10 days across Europe on the consent-free use of personal data for ad personalization.
See Also: How Enterprise Browsers Enhance Security and Efficiency
The European Data Protection Board on Monday directed the Irish Data Protection Commissioner within the next two weeks to restrict Meta platforms Facebook and Instagram from using customer's personal data for ad personalization. Meta has its European headquarters in Dublin, giving the Irish agency Europe-wide jurisdiction over the company.
A Meta spokesperson said the company does not face a "blanket ban" on the use of personal data and will switch to a new legal basis for data processing under Europe's overarching privacy law, the General Data Protection Regulation. This week, Meta also rolled out paid subscriptions for ad-free use for Instagram and Meta users.
"To comply with evolving European regulations, we are introducing a new subscription option," the company said. "While people are subscribed, their information will not be used for ads."
The Brussels-based board said Meta cannot justify behavorial advertising under a section of the GDPR that allows companies to process personal data in order to carry out business activities such as fighting fraud or direct marketing. That grounds for processing is known as "legitimate interest."
Critics of behavioral advertising say it violates privacy unless explicitly authorized by users who have the ability to continue to use online services even if they reject web browsing tracking. Unlike contextual advertising, which matches ads to the content of web pages, behavioral advertising targets specific user profiles with ads, regardless of the context in which they appear. Meta earns nearly all its revenue from behavorial advertising. It reported nearly $34.2 billion in revenue during the three months ending Sept. 30.
The EDPB also said the social media giant can't rely on "contractual necessity" to justify using personal data to fuel advertising. Meta has previously argued that its terms of service serve as a contract between it and users, giving the company the go-ahead to use personal data for advertising.
"In December 2022, the EDPB binding decisions clarified that contract is not a suitable legal basis for the processing of personal data," EDPB Chair Anu Talus said. "It is high time for Meta to bring its processing into compliance and to stop unlawful processing."
The EDPB's order to the Irish Data Protection Commission follows a dispute between the Norwegian Data Protection Authority and Meta. The Norwegian regulator, known as Datatilsynet, in August said behavorial advertising absent explicit user consent violates the GDPR (see: Norway Threatens Meta With Fines for Ad Violations).
Meta contested the decision, but the Oslo District Court ruled in favor of the data protection agency, dismissing Meta's key argument that Datatilsynet acted disproportionately on behalf of Norwegians' privacy interests (see: Norway Court Upholds Temporary Ban of Behavioral Ads on Meta).
The Norwegian regulator also referred the case to the EDPB in a move to force Meta to change its data processing requirements across Europe.
"We are very pleased that the EDPB agrees with the Norwegian Data Protection Authority's assessments and extends our ban," Line Coll, director of the Norwegian Data Protection Authority, said about the latest EDPB decision. "The aim is that citizens across Europe will have better privacy."