It’s taken four years, but the case against Meta in the EU has been settled, with their advertising practices being ruled as illegal. The social media giant now faces a $400M fine, issued by the European Data Protection Board, and will need to seriously consider how it moves forward with its data collection and advertising model in the European market.
Here’s what we know about the case, and what we can learn from Meta’s lost GDPR gamble.
In 2018, NOYB, a nonprofit organisation led by privacy advocate Max Schrems, filed two complaints that Meta’s practice of collecting user permission for targeted advertising was illegal and in breach of the General Data Protection Regulation (GDPR).
Meta’s process of collecting permission was to include a statement in their (lengthy) terms of service, which meant users had to consent to having their data used for personalised advertising or relinquish using the platform altogether. In other words, for Meta, if an individual is using Facebook, Instagram, or another app on the platform, their usage is an implicit agreement to have their personal data collected and used for the purpose of targeted advertising.
Meta’s practices raise the question: Is implicit consent truly consent? If someone uses a free platform, does that usage give the platform the right to collect and leverage that person’s data for advertising purposes?
The answer is, it depends on where you live and what data protection regulations are in place. This approach may fly in the U.S., where there is no national law around data privacy, but it just doesn’t cut it for the EU — one of Facebook's largest markets. GDPR requires organisations to secure specific consent (and a method of opting out) to collect user data and use it for things like targeted advertising.
GDPR.eu highlights that consent should be:
Despite Meta’s planned appeal, they are likely to have to make some major changes to their consent practices to align with the mechanics of GDPR, namely securing users’ permission for their data to be used for advertising. And whilst this will put an even bigger dent in their advertising revenues — following Apple’s announcement regarding iOS privacy controls in 2021 — it is the right thing to do.
As individuals, we are all used to that familiar browser experience of a crowded screen of pop-ups asking our permission to collect our data. It’s a tad irritating and many users will select ‘Accept All,’ but at least we have a choice, right?
Meta won’t be the first or the last organisation to fall foul of data privacy regulations, but if we take anything away from this recent ruling, it is this: An individual, and only that individual, should have the ability to control the fate of their own personal information.
See Virtru In Action
Sign Up for the Virtru Newsletter
Contact us to learn more about our partnership opportunities.