In January 2023, the Irish Data Protection Commission (“DPC”) imposed a fine of €390 million on Meta for breaching EU data rules. The fine relates to the manner in which Instagram and Facebook request permission to use people’s data for advertisements and potentially has significant consequences for Facebook’s and Instagram’s business models.
Meta
The technology conglomerate is the owner of Facebook, Instagram and Whatsapp (among other goods and services) and harvests masses of user data every second to sell targeted ads on their platforms. Meta is currently able to access a user’s digital history across their social media platforms. They use this data to understand what keeps people on their platforms for longer and what goods or services users are more likely to buy based on the content they consume.
The GDPR breach and DPC decision
In 2018, the General Data Protection Regulation (“GDPR”) came into force. To comply with the new GDPR regime, Meta added language to their terms-of-service agreement (i.e. the terms and conditions which all users must accept in order to gain access to the related social media platform). Meta’s new terms required users to give their consent for their data to be used for personalized advertisements. Users had to give their consent in order to be able to access the relevant platforms.
The complaint to the DPC, which is the main regulatory body for Meta in the EU, was launched shortly after Meta issued their new terms of service. The complainants, a non-government privacy activist organization called ‘None of Your Business’, alleged that users were being forced to consent to Meta’s data use policy in relation to targeted ads, breaching the GDPR.
The DPC determined that by requiring users to accept the use of their data for personalized advertisements as part of their terms of service (and as a pre-condition to access the relevant social media platforms), Meta was effectively coercing its users to give their legal consent in violation of the GDPR.
Consequences of the DPC decision
The fine imposed by the DPC is, obviously, substantial. This DPC decision is one part in a broader investigation by the DPC into Meta’s data protection practices. Indeed, it is possible that additional fines or other penalties could be levied against Meta in the next year. To such an extent, Meta has supposedly allocated €2 billion to cover the fines it may incur in Europe for 2023! [1]
Meta now has three months in which to outline how it intends to comply with the DPC ruling. While the ruling does not specify what Meta must do in order to become GDPR compliant, it seems that Meta may have little choice but to allow users to choose how they want their data to be used for targeted personalized promotions. This could have drastic consequences for Meta’s business model especially if large numbers of users choose to withhold their consent as individual consumers become more alert to the use of their personal data.
This would be yet another blow to Meta’s status as an advertising giant, particularly after Apple’s privacy policy modification last year which saw yet another obstacle to Meta’s ability to easily harvest user data. In 2020, around 97.9% of Facebook’s global revenue was generated purely for advertising [2]. If advertisers no longer find value in Facebook as an advertising platform because ads can no longer be targeted towards users’ personal preferences, this could cause some significant financial consequences for the Meta group.
There are also significant potential financial and regulatory repercussions for platforms such as Facebook and Instagram, which have faced increasing regulatory action and public scrutiny over their data protection practices in recent years.
Conclusion
The DPC decision serves as a reminder of the very real penalties and high cost of non-compliance with data protection regulations. Under the GDPR, the EU’s data protection authorities have the power to levy fines of up to €20 million or 4% of the company’s worldwide turnover (whichever figure is higher). This could lead to increased expenses for any company as it works to improve its data protection practices.
The advertising market will no doubt watch carefully to see how Meta chooses to respond to the DPC ruling in the following months. While Meta states that it will appeal the ruling, there is no doubt that Meta must take steps to develop and future-proof its business model going forward. Data privacy is here to stay, and data protection regulation will inevitably continue to squeeze Meta’s ability to harvest users’ data for more targeted advertising purposes.
------------------------------
[1] Ian Curran ‘EU privacy regulators instruct Irish DPC to revise decision in Meta rulings’ https://www.irishtimes.com/business/2022/12/06/eu-privacy-regulators-instruct-irish-dpc-to-revise-decision-in-meta-rulings/
[2]S. Dixon ‘Meta: advertising revenue worldwide 2009-2021’ (27 July 2022)
