TL;DR: Meta's practice of requiring users to consent to tracking via their terms is not legal according to the GDPR. Facebook, Instagram and WhatsApp must offer a Yes & No option so that users can actively give consent - or refuse. This is a huge blow to Meta's business model of surveillance-based advertising.
Lesson learnt from this: Stop waiting for Facebook, start using services that respect your right to privacy now.
Update January 2023: Meta fined 390 million Euros
The Irish Data Protection Commission (DPC) has confirmed in a press release that Meta's practice of enforced cookie agreements in Facebook and Instagram is illegal under the GDPR. The tech giant was fined € 390 million for this privacy violation - already half as much as Meta was fined in 2022 due to violations of the European GDPR, and 2023 has only just started. A final decision regarding WhatsApp is still outstanding.
This is another sign of Europe's stricter approach of handling privacy violations in regards to the GDPR.
Originally, the DPC wanted only € 28 to 36 million, about 10% of the final ruling. However, the European EDPB has overruled the DPC and insisted on massive fines for Meta - saying that Meta had intentionally violated the GDPR and people's privacy for their own profit.
Max Schrems from the NGO NOYB, who sued Meta for their privacy violations, says:
"The penalty will go to Ireland - the State that has taken Meta's side and delayed enforcement for more than four years. This case will likely be appealed by Meta, leading to more costs for noyb."
Read more on the legal struggle to achieve privacy in Europe on the NOYB homepage.
Decision of EU privacy regulators
In a far-reaching decision on Monday, EU privacy regulators, said that Meta Platforms Inc. must not force users to agree to personalized ads based on their online activity. The ruling could enormously limit the data that Meta can use to sell targeted ads.
Simply putting a paragraph into the terms of service - to which users have to agree - is not sufficient according to the General Data Protection Regulation (GDPR). Such terms are no justification to collect data and post targeted ads. Instead, Meta platforms Facebook, Instagram and WhatsApp must give users a clear Yes & No choice where they can actively agree to being tracked - or refuse.
The tech giant’s so-called forced consent to continue tracking and targeting users by processing their personal data to build profiles for behavioral advertising has been added to Meta's terms after the publication of the GDPR in 2018. Now it has been declared illegal by EU privacy watchdogs.
This decision followed complaints that were filed by European privacy NGO noyb as soon as the GDPR came into force in May 2018. It took the EU about 4.5 years to finally decide on the issue.
The reason for this lengthy process is that the Irish Data Protection Commission (DPC) has originally declared that Meta's updated terms meet the requirements by the GDPR. Ireland is Meta's main privacy regulator in the bloc because that is where Meta’s European headquarters is based.
Meta explained that its updated terms rely on the GDPR concept of "contractual necessity". The GDPR mostly prohibits companies from forcing users to turn over personal information to use their services. The only exception is when that information is necessary to execute a contract: For instance, a car sharing app needs to know your location so that it can show cars near you.
Meta relied on that contractual provision of the GDPR, to which the Irish privacy regulator initially agreed.
But now, the EU privacy regulators are passing the decision back to the DPC saying that the "contractual necessity" is not met by apps like Facebook, Instagram and WhatsApp and that it is the DPC's obligation to enforce proper privacy rights for European citizens.
The DPC now has one month to issue a final decision, along with significant fines.
The impact of the EU's decision that Facebook's current tracking practice is illegal is huge: It directly affects Facebook's business model. Right now, Facebook and Instagram profit a lot from the fact that people must give them their private data to use the service. In turn, Meta uses this data to create profiles and to post targeted ads, a gold mine for the Silicon Valley giant.
However, the EU's decision will limit Facebook's access to this gold mine and, thus, directly impact revenue.
A sign of how bad this decision is for Meta's profits is last year's decision by Apple. In 2021, Apple required iPhone app developers to ask users whether they want their usage to be tracked. And - unsurprisingly - lots of iPhone users declined being tracked and profiled.
As a consequence Meta's revenue in 2021 was reduced by 8% just because iPhone users were not willing to share their private data with Facebook, Instagram and WhatsApp anymore.
Reducing Facebook's tracking online hugely benefits the privacy of users and simultaneously harms Meta's revenue. People's data is worth much more to Big Tech than many think.
EU limits Facebook tracking
The latest EU decision is another sign of a growing interest of EU authorities to limit surveillance-based tracking. Finally, people and politicians are waking up to the dangers of behavioral advertising, and EU officials are starting to regulate it in a way to protect people's privacy.
To companies such as Facebook, Google and Amazon, this business, however, is worth billions of dollars each year.
Learn here how your are being profiled online and how you can stop it.
Regardless, even California - where most Big Tech companies are located - has adopted great privacy laws that allow users to opt out of what it calls cross-contextual behavioral advertising.
Maybe the reason for this legislation is that Californians know best how harmful tracking and behavioral advertising is as this business model originated there.
Consequences for users
The EU decision will not have direct consequences for users, unfortunately, as it can be appealed to. Such an appeal would lead to a lengthy judicial process.
If upheld, though, this decision will make it much harder for Facebook and other platforms to show users ads based on what they click, like, share and watch within these platforms' own apps.
While Meta is already allowing users to opt out of personalizing ads based on data from other websites and apps, it has never given any such option for ads based on data about user activity on its own platforms.
For Facebook - and other Big Tech companies - limiting the access to user tracking would be a huge blow as building audiences for personalized ads make up the bulk of revenue for such companies.
"This is not the final decision and it is too early to speculate," said a Meta spokesman to the Wall Street Journal, adding that EU law could allow for other legal justifications for targeting its ads. "We’ve engaged fully with the DPC on their inquiries and will continue to engage with them as they finalize their decision."
Nevertheless, the GDPR allows for large fines for major violations — up to 4% of global annual turnover.
Growing privacy enforcements
While the EU's GDPR started being enforceable already in May 2018, political enforcement has only started to ramp up in the last couple of months. By now, many Big Tech companies have been hit with hefty fines.
The Irish DPC has fined Meta more than $900 million in four other cases in the last 15 months, and currently has 10 additional inquiries into the company.
Meta's Irish subsidiary had allotted nearly 3 billion Euros for privacy fines in the EU last year - up by €1.97 billion from a year earlier, according to Irish corporate filings.
Regardless, up to now it seems much more profitable for Silicon Valley giants to just pay the fines - instead of changing their business model.
This means we must keep fighting to stop ad-based tracking. Start now by adding an adblocker to your browser!