Iubenda logo
Start generating

Documentation

Table of Contents

How will Meta’s latest fine affect Facebook personalized ads?

On January 4th, the Data Protection Commission of Ireland fined Meta Ireland a total of 390 million euros: 210 million euros for GDPR breaches in relation to its Facebook service and 180 million euros for breaches related to its Instagram service. 

The DPC found that Meta’s processing on the basis of “contract” for personalized ads is not GDPR-compliant

Now everyone is wondering: will Meta platforms change? And how will this affect Facebook personalized ads?

Latest update: Latest update: Meta, the parent company of Facebook and Instagram, faces significant legal challenges in Norway and Ireland, impacting personalized advertising on its platforms.

In Norway, the Norwegian Data Protection Authority (Datatilsynet) has taken decisive action against Meta. Datatilsynet invoked an urgent procedure mechanism under Article 66 of the GDPR, following the Court of Justice of the European Union’s decision in Meta vs. Bundeskartellamt and earlier decisions by the Irish Data Protection Authority. Datatilsynet found that Meta’s processing of personal data for behavioral advertising posed GDPR violations and significant risks to data subjects, including those in Norway. Consequently, Datatilsynet issued a temporary ban on Meta’s adaptation of advertising based on monitoring and profiling of users in Norway, effective from August 4, 2023, until October 2023. Failure to comply with the ban may result in Meta facing a compulsory fine of up to NOK one million per day (approximately €88K). Datatilsynet also plans to request an urgent binding decision from the European Data Protection Board (EDPB) on the matter.

On August 7, 2023, Datatilsynet imposed a daily fine of NOK one million per day (approximately €88K) on Meta, effective from August 14, 2023. Despite Meta’s attempts to obtain a temporary injunction against the ban, the Oslo District Court rejected it on September 6, 2023, prompting Meta to initiate legal proceedings against Datatilsynet. The case before the Oslo District Court is expected to commence in 2024.

Update: Decision by Norwegian Personal Protection Board on Meta Case

The Norwegian Personal Protection Board has ruled that the Norwegian Data Protection Authority cannot impose daily fines on Meta and other international companies. Despite this, the existing ban on behavior-based marketing on Facebook and Instagram remains in effect.

Meta had not complied with the Norwegian Data Protection Authority’s directive banning behavior-based marketing, leading to the imposition of daily fines. This authority to impose daily fines is granted by the Norwegian Personal Information Act. However, Meta appealed the decision to the Personal Protection Board, which has now sided with Meta Ireland and Facebook Norway, revoking the daily fines.

Although the ban on behavior-based advertising continues to be enforced, the Norwegian Data Protection Authority expressed surprise at the Board’s decision. They emphasized that maintaining the ban is crucial, but the ruling significantly impacts their ability to regulate large international companies effectively.

The Norwegian law allows the Data Protection Authority to impose daily fines for violations of the Personal Data Protection Regulation. However, the Personal Protection Board’s interpretation now exempts international businesses from these fines. This ruling means that while Norwegian companies may still face daily fines for non-compliance, large international firms like Meta will not be subject to the same financial penalties.

-The interpretation by the Norwegian Data Protection Board removes a critical tool for dealing with large international companies. This outcome creates a disparity where Norwegian businesses are penalized with daily fines, while major international entities evade such consequences.

Additionally, on October 27, 2023, the EDPB issued an urgent Binding Decision related to the processing of personal data for behavioral advertising by Meta, instructing the Irish Data Protection Commission (DPC) to take action on the matter.

In parallel, in Ireland, the Data Protection Commission (DPC) fined Meta Ireland €390 million on January 4, 2023, with €210 million relating to GDPR breaches in its Facebook service and €180 million for breaches related to its Instagram service. The DPC determined that Meta’s processing of personal data for personalized ads based on a contractual basis was not GDPR-compliant.

These developments signify significant changes for Meta’s platforms in Europe. To continue showing personalized ads on Facebook and Instagram, Meta will need explicit consent from users, aligning its data processing activities with the GDPR. European users should now have the option to provide or decline consent for their personal data to be used for behavioral advertising. However, Meta has announced its intention to appeal the DPC’s decision.

This shift may impact the digital advertising industry, as businesses may need to adapt their advertising strategies, relying more on zero-party and first-party data, which users voluntarily share, to maintain effective advertising campaigns. Stay tuned for further updates on this evolving situation as we monitor developments surrounding these regulatory actions.

Facebook personalized ads, fine to Meta

€390 Million Meta fine: a bit of background

When GDPR came into effect in May 2018, Facebook decided to put a consent clause into their Terms and Conditions

📌 According to the GDPR, an organization can process personal data if the processing “is necessary for the performance of a contract to which the data subject is party”.

By doing this, consent became part of the contract, and the laws for consent no longer applied, only contractual laws. This also applied to more complex types of processing, such as behavioral advertising.

That’s why NOYB filed three complaints against Facebook, Instagram, and Whatsapp (Meta-owned companies). However, according to Meta, the Irish DPC allowed the company to rely on the basis of contract for their processing activities.

On December 6th, 2022, the European Data Protection Board (EDPB) adopted three dispute resolution decisions concerning Meta and overruled the Irish DPC saying that consent is a separate aspect and users must say yes or no to their data being used.

On January 4th, 2023, the Irish Data Protection Commission issued the final verdict: the processing on the basis of a contract is not GDPR-compliant, and fined Meta €390 million.

Interested in knowing the full background story?

👉 See the details in our post on the Irish DPC’s fine to Meta

What does this new fine to Meta mean in practice?

First of all, Meta will have to align its data processing activities to the GDPR: to show personalized ads on Facebook and Instagram, Meta will need the users’ explicit consent. The DPC has given Meta three months to comply. 

This might change the way Facebook and Instagram work, at least for EU-based users. Ideally, European users should be able to give or reject their consent to the use of their personal data for behavioral advertising, and, if they reject it, be shown a version of the social media platforms without personalized ads.

However, Meta has already announced that they will appeal the decision of the Irish DPC. 

Will this affect your Facebook personalized ads?

The digital advertising industry is one of the biggest industries online and it’s a fact that personalized ads represent a great source of income.

Many businesses rely on Facebook personalized ads because the amount of data that Meta has at its disposal helps them reach their precise target audience. However, the DPC fine demonstrates once again the DPA’s will to regulate the use of personal information for behavioral advertising.

If Meta switches to consent as a legal basis, they will have to show to EU-based users a yes/no option and allow opt-in. And many people will likely refuse to give their consent.

As with the phasing out of third-party cookies, your ads strategy might have to adapt to this new landscape: businesses will have to rely more on zero-party and first-party data, which are data that users voluntarily share with them. This is not necessarily a bad thing, because this type of data is: 

  • precise, since it comes directly from the client;
  • relevant and compliant;

thus making your Facebook ads even more effective!

💡
Using Facebook Personalized ads? Don’t forget your legal obligations!

If you use third party services like Facebook’s pixel, you MUST disclose that in your privacy policy.

👉 Here’s how to do it

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com