Decrypted | Insights from Virtru to Unlock New Ideas

Privacy vs. Profits: Lessons Learned from Meta's GDPR Gamble

Written by Emma Lowe | Jan 6, 2023 5:49:04 PM

It’s taken four years, but the case against Meta in the EU has been settled, with their advertising practices being ruled as illegal. The social media giant now faces a $400M fine, issued by the European Data Protection Board, and will need to seriously consider how it moves forward with its data collection and advertising model in the European market.

Here’s what we know about the case, and what we can learn from Meta’s lost GDPR gamble.

The Case to Date: Unpacking Meta’s Advertising Practices in the EU 

In 2018, NOYB, a nonprofit organisation led by privacy advocate Max Schrems, filed two complaints that Meta’s practice of collecting user permission for targeted advertising was illegal and in breach of the General Data Protection Regulation (GDPR). 

Meta’s process of collecting permission was to include a statement in their (lengthy) terms of service, which meant users had to consent to having their data used for personalised advertising or relinquish using the platform altogether. In other words, for Meta, if an individual is using Facebook, Instagram, or another app on the platform, their usage is an implicit agreement to have their personal data collected and used for the purpose of targeted advertising. 

Is Implicit Consent Really Consent?

Meta’s practices raise the question: Is implicit consent truly consent? If someone uses a free platform, does that usage give the platform the right to collect and leverage that person’s data for advertising purposes? 

The answer is, it depends on where you live and what data protection regulations are in place. This approach may fly in the U.S., where there is no national law around data privacy, but it just doesn’t cut it for the EU — one of Facebook's largest markets. GDPR requires organisations to secure specific consent (and a method of opting out) to collect user data and use it for things like targeted advertising. 

How GDPR Defines Consent

GDPR.eu highlights that consent should be:

  • Freely given: The individual should have the option to say “no.”
  • Specific: The individual should have a clear understanding of how their data’s going to be used.
  • Informed: The individual should know who is collecting their data and for what purposes
  • Unambiguous: There should be no question whether the individual opted in. “Silence, pre-ticked boxes or inactivity should not therefore constitute consent,” according to GDPR Recital 32.
  • Revocable: The individual should be able to change their mind and opt out whenever they choose.  

Respect the People. Respect their Privacy.

Despite Meta’s planned appeal, they are likely to have to make some major changes to their consent practices to align with the mechanics of GDPR, namely securing users’ permission for their data to be used for advertising. And whilst this will put an even bigger dent in their advertising revenues — following Apple’s announcement regarding iOS privacy controls in 2021 — it is the right thing to do. 

As individuals, we are all used to that familiar browser experience of a crowded screen of pop-ups asking our permission to collect our data. It’s a tad irritating and many users will select ‘Accept All,’ but at least we have a choice, right? 

Meta won’t be the first or the last organisation to fall foul of data privacy regulations, but if we take anything away from this recent ruling, it is this: An individual, and only that individual, should have the ability to control the fate of their own personal information.
View full post