The Irish Data Protection Commission (DPC) has fined Meta Platforms €390 million (roughly $414 million) over its handling of user data for serving personalized ads in what could be a major blow to its ad-fueled business model.
To that end, the privacy regulator has ordered Meta Ireland to pay two fines – a €210 million ($222.5 million) fine over violations of the E.U. General Data Protection Regulation (GDPR) related to Facebook, and a €180 million ($191 million) fine for similar violations in Instagram.
The latest enforcement comes in the wake of concerns that the social media company used its Terms of Service to gain users' forced consent to allow targeted advertising based on their online activity. The complaints were filed on May 25, 2018, the date when GDPR came into effect in the region.
It also arrives a month after the European Data Protection Board (EDPB), an independent body that oversees the consistent application of GDPR in the E.U., announced that it had reached binding decisions with regard to the matter.
The DPC ruling means that Meta is no longer allowed to rely on contracts – i.e., accepting its Terms of Service – as a legal basis for processing personal data for behavioral advertising, effectively deeming the company's advertising practices illegal.
"Meta Ireland is not entitled to rely on the 'contract' legal basis in connection with the delivery of behavioral advertising as part of its Facebook and Instagram services, and that its processing of users' data to date, in purported reliance on the 'contract' legal basis, amounts to a contravention of Article 6 of the GDPR," the DPC said.
While Meta has argued that tailoring the ads it offers based on data it has about users' online behavior is a necessary part of the personalized service it offers, the company has three months to bring its data processing operations into compliance.
"Instead of having a 'yes/no' option for personalized ads, they just moved the consent clause in the terms and conditions," NOYB's Max Schrems, whose privacy non-profit filed the original complaint against Meta, said. "This is not just unfair but clearly illegal."
Meta, which has already suffered a decline in ad revenue over the past year in part due to Apple's privacy changes in iOS last year that require apps to ask for permission before tracking users, said it was "disappointed" by the decision and that it "strongly" believes its approach respects GDPR. The firm intends to appeal the DPC's findings.
"It's important to note that these decisions do not prevent personalized advertising on our platform," the company pointed out. "The decisions relate only to which legal basis Meta uses when offering certain advertising."
The tech giant further characterized the suggestion that it can no longer offer personalized ads to European users without their opt-in approval as "incorrect," stating there has been a lack of regulatory clarity on the issue.
These new financial penalties add to a pile of privacy fines for Meta in Europe and the U.S. last year. In late December 2022, it also agreed to pay $725 million to settle a class-action lawsuit that accused the company of giving third parties access to user data without their permission.
The class action lawsuit was prompted in 2018 after Facebook disclosed that the information of 87 million users was improperly shared with Cambridge Analytica, a British political consultancy firm that used the harvested data to inform political campaigns.
Apple is fined €8 million by France's CNIL
In a related development, France's privacy watchdog, the Commission nationale de l'informatique et des libertés (CNIL), has hit Apple with an €8 million fine for not obtaining iPhone users' consent in iOS 14.6 prior to using identifiers to present targeted ads.
"In addition, the user had to perform a large number of actions to disable this setting since this possibility was not integrated into the initialization path of the phone," the agency said.
Apple said it plans to appeal the case, noting that it provides users "with a clear choice as to whether or not they would like personalized ads." It also stated that the service only relies on first-party data.