Meta suffered a major defeat on Wednesday that could seriously undermine its Facebook and Instagram advertising business after European Union regulators found it had illegally forced users to effectively accept personalized ads.
The decision, which includes a fine of 390 million euros ($414 million), could potentially force Meta to make costly changes to its ad-based business in the European Union, one of its largest markets.
The ruling is one of the most sweeping rulings since the bloc of 27 countries, home to about 450 million people, issued a data privacy milestone aimed at limiting the ability of Facebook and other companies to disclose information about users. collect without their prior consent. The law came into force in 2018.
The case hinges on how Meta obtains legal permission from users to collect their data for personalized advertising. The company is including language in its terms of service, the very lengthy statement users must accept before accessing services like Facebook, Instagram, and WhatsApp, which basically means users must allow their data to be used for personalized ads or stop using Meta’s social media services all together.
Ireland’s data privacy council, which serves as Meta’s main regulator in the EU because the company’s European headquarters are in Dublin, said EU authorities have determined that placing the legal consent within the terms of service essentially harms users forced to accept personalized advertisements, in violation of European law known as the General Data Protection Regulation, or GDPR
The decision doesn’t specify how the company should comply with the ruling, but it could lead to Meta letting users choose whether to use their data for such targeted promotions.
If a large number of users choose not to share their data, it would cut off one of the most valuable parts of Meta’s business. Information about a user’s digital history, such as which videos on Instagram prompt a person to stop scrolling, or what types of links a person clicks while browsing their Facebook feeds, is used by marketers to serve ads to people who are most likely to buy. The practices helped Meta generate $118 billion in revenue by 2021.
The punishment against Meta contrasts sharply with the regulations in the United States, where there is no federal data privacy law and only a few states, such as California, have taken steps to create regulations similar to those in the EU. But any changes Meta makes as a result of the ruling could affect users in the United States; many tech companies apply EU rules globally because it is easier to implement than limiting them to Europe.
The EU ruling is the latest business headwind for Meta, which has already struggled with a major drop in ad revenue due to a change Apple made in 2021 that allowed iPhone users to choose whether advertisers could track them. Consumer surveys show that a clear majority of users have blocked tracking.
Meta’s struggles come as it tries to diversify its business from social media into the virtual reality world known as the metaverse. The company’s stock price has fallen more than 60 percent in the past year and has laid off thousands of employees.
Wednesday’s announcement relates to two complaints filed against Meta in 2018. Meta said it will appeal the decision, setting up a protracted legal battle that will test the strength of the GDPR and how aggressively regulators are using the law to force companies to change their business practices.
“We strongly believe that our approach respects GDPR and we are therefore disappointed by these decisions,” Facebook said in a statement.
The result was hailed by privacy groups as a long overdue response to companies gobbling up as much data as possible about people online to deliver personalized ads. But the more than four years it took to reach a decision was also seen by critics as a sign that GDPR enforcement is weak and slow.
“European enforcement has not yet delivered on the promise of the GDPR,” said Johnny Ryan, a privacy rights activist who is a senior fellow at the Irish Council for Civil Liberties. The verdict indicates that “Big Tech may be in for a much bumpier ride.”
There has been disagreement within the European Union about how the GDPR should be enforced. Irish authorities said they initially ruled that Meta’s use of the consent terms of service was legally sufficient to comply with the law, but they were overruled by a board of up to representatives from all EU countries.
“There is a lack of regulatory clarity on this issue, and the debate between regulators and policymakers about which legal basis is most appropriate in a given situation has been going on for some time,” Meta said in its statement.
There are some signs in the EU of a broader, stepped-up effort to crack down on the world’s biggest tech companies. New EU laws were passed last year aimed at stopping anti-competitive practices in the tech industry and forcing social media companies to more aggressively monitor user-generated content on their platforms. Last month, Amazon agreed to make significant changes to how products are sold on its platform as part of a settlement with EU regulators to avoid antitrust charges.
In November, Meta was fined about $275 million by Irish authorities for a data breach discovered last year that led to the personal information of more than 500 million Facebook users being published online.
In 2023, the highest court in the European Union, the European Court of Justice, is also expected to rule on cases that could lead to further changes in Meta’s data collection practices. Yet many believe that enforcement is inconsistent with EU policymakers’ rhetoric about strong technical regulation. Max Schrems, an Austrian data protection activist whose nonprofit organization, NOYB, filed the complaints in 2018 that led to Wednesday’s announcement, said there are thousands of data protection complaints that have yet to be addressed.
“On paper you have all these rights, but in reality the enforcement just doesn’t happen,” he said.