Meta’s latest Data Protection fine

On Wednesday, January 4th, Meta was hit with a combined fine of nearly 400 million euros for GDPR violations by Ireland’s Data Protection Commission (DPC). [1] The DPC found that Meta’s terms of service, which it updated the month the EU privacy legislation came into force, effectively compelled users to accept personalised advertising. In order to use Facebook or Instagram, users had to enter a contract which gave Meta permission to process user data in order to delivery its services which included “personalised advertising”. 

This is a highly significant decision for the platform, whose ads business has already been feeling the squeeze from Apple’s new privacy features. If the ruling is upheld, Meta will be forced to significantly alter its data usage policies and will have to explicitly ask its users whether they are happy for their information to be used for digital advertising or not. 

Meta released a damage control statement last week, in which they repeated twice that “advertisers can continue to use [Meta] platforms to reach potential customers, grow their business and create new markets”. [2] However, it is an unavoidable fact that transparent opt-in, opt-out choice screens for personalised advertising will cause damage to Meta’s advertising business. 

From MOW’s perspective, we are hopeful that this decision lays out firm precedent regarding what constitutes unreasonable consent terms. Whilst forcing users to accept personalised advertising as a condition of use represents an extreme scenario, other companies similarly use these settings. Google, for instance, allows the user to disable personalised advertising, but this is conditioned on the consumer logging into their account and manually updating their preferences. Importantly, Google does not provide information on how to do so at sign-in, or indeed, that this is even a possibility. We are moreover highly suspicious as to the degree to which Google, and other large tech companies, respect user choices: Google was, for instance, fined $391.5 million towards the end of last year for continuing to track users when location tracking permissions were disabled. [3]