Iubenda logo
Start generating


Table of Contents

Personalized Ads (behavioral advertising) illegal on Meta

The European Data Protection Board (EDPB) adopted three dispute resolution decisions based on Article 65 GDPR concerning Meta Platforms Ireland Limited. The decisions (which have not been disclosed publicly) relate to whether or not the processing of personal data for the performance of a contract is a suitable legal basis for behavioral advertising. 

When the EU’s General Data Protection Regulation (GDPR) took effect in May 2018, Meta Ireland Ltd. thought it could “bypass” the need for users to give their opt-in consent by only including a clause in the terms and conditions. NOYB filed complaints against the social media giant, and after 4.5 years, the European Data Protection Board (EDPB) determined that Meta’s supposed “bypass” of the GDPR was unlawful.

Did you know NOYB launched a new round of cookie complaints in August 2022 against a select group of website owners? read more on this story here 

A breakdown of the events: 

👉 Facebook used to use consent for using your data, i.e., for adverts. 

👉 Once the GDPR came into effect in May 2018, consent needed to be informed; freely given; unambiguous; specific.

👉 Facebook decided to put a consent clause into their Terms and Conditions 4.5 years ago when the GDPR kicked in at midnight. 

🎯 Why is this important?

Once facebook put consent into their terms and conditions, consent became part of the contract, and the laws for consent no longer applied, only contractual laws. The GDPR generally forbids businesses from requiring customers to provide personal information in order to use their services. However, one exception is the need for personal information to execute a contract.

👉 Therefore, when the GDPR came into effect that night, NOYB filed three complaints against Facebook, Instagram, and Whatsapp (Meta-owned companies). 

👉 In 10 private sessions, the Irish DPC is said to have given Meta permission to utilize this “bypass,” according to Meta.

👉 Now, the European Data Protection Board have overruled the Irish DPC saying that consent is a separate aspect and users say yes or no to their data being used. 

🚀 Next steps 

The EDPB verdict was not made public, but it will be in January 2023, along with the DPC’s final ruling. The Irish DPC will receive the EDPB ruling, then, within a month, the decision must be delivered to Meta in Ireland and noyb in Austria. 

Meta may then challenge the ruling, although there is little possibility of success once an EDPB judgment has been made.

The board’s choice wouldn’t compel Meta to change in a noticeable way. Instead, it would request that matching orders be applied by the Irish DPC. Meta would have to comply because its European activities are legally based in Ireland.

For further reading on this, see here for the official EDPB text. 


On January 4th, 2023, the Irish Data Protection Commission issued the final verdict: the processing on the basis of a contract is not GDPR-compliant, and fined Meta €390 million.

📌 How will Meta’s latest fine affect Facebook personalized ads?

What does this mean?

The EU rulings demonstrate an increasing willingness from regulatory bodies to rein in what is frequently referred to as “behavioral advertising.” This industry, which is worth tens of billions of dollars annually, involves displaying targeted digital advertisements to consumers based on user profiles and inferences made from their online behavior on applications and websites.

👉 Do you use cookies or other trackers for purposes such as behavioral advertisinganalyticsremarketing, and content personalization? A Consent Management Platform such as our Privacy Controls and Cookie Solution is likely required.