The US tech giant is yielding to EU pressure to comply with privacy laws, because the alternative is to pay a hefty fine.
This week Meta announced that it will allow Facebook and Instagram users in Europe to request an exemption from the platforms’ data collection system, which Meta uses to target “personalised” ads. Meta’s decision, as reported in The Wall Street Journal, comes ahead of a compliance deadline imposed on the company by Ireland’s Data Protection Commission (DPC).
The DPC charged Facebook and Instagram in January 2023 with violating the EU’s GDPR privacy laws and gave Meta 90 days to comply or else pay a fine of 390 million euros.
Tracking users’ behaviour for ad purposes
At the heart of the controversy is Meta’s system of user tracking and data collection, which the platform then uses to target highly personalised – and thus highly effective – advertisements based on a person’s online activity. These personalised ads are also extremely lucrative: Meta generated $113.64 billion (€104 billion) in advertising revenue in 2022, and 25% of that revenue is generated in Europe.
The Irish privacy regulator claimed, however, that such advertising violates the EU’s General Data Protection Regulation (GDPR).
Meta changes its “legal basis” for collecting data
Article 6 of the GDPR allows for processing personal data if a company complies with at least one of six “legal bases”. The DPC’s ruling in January nullified Meta’s claimed legal basis of “Contractual Necessity” (i.e., required as part of their Terms of Service) for tracking European users.
In a blog post this week, Meta explained how it plans to get around this ruling: “from Wednesday 5 April we are changing the legal basis that we use to process certain first-party data in Europe from ‘Contractual Necessity’ to ‘Legitimate Interests’”, the company wrote. “First-party data” refers in this case to the data Meta collects on users while they are using one of Meta’s own platforms (Facebook and Instagram).
Users who wish to opt out of the targeted data collection process will have to submit an online form objecting to Meta’s use of their in-app activity for ads. The company will then evaluate any user’s objection before implementing the change.
Opt-ins versus Opt-outs
NOYB, the Austria-based privacy rights group, has declared that Meta is still acting illegally because the company is “claiming that their ‘legitimate interest’ to process user data would override the fundamental right to privacy”. They also object to the fact that users have to fill out a form to “opt out” of data collection, rather than having to “opt in” to the personalised ad program.
Meta, for its part, remains defiant. It is implementing this legal fix only in Europe for the time being, as it plans to continue to fight the DPC’s rulings in court.
“We believe that our previous approach was compliant under GDPR, and our appeal on both the substance of the rulings and the fines continues”, the company wrote. “However, this change ensures that we comply with the DPC’s decision”.