What you need to know about the latest Meta ruling

An EU regulator finds Meta’s justification for asking users to accept personalised ads illegal, according to the terms of GDPR, in a ruling that could affect the basis of Meta’s business worldwide.

Why it matters

The decision effectively calls into question Meta’s personalised ad business model, even when it is based on first party data. But it’s not quite the hammer blow it seems – the ruling looks at the legal basis for the use of this data, not the legality of its use.

However, should this hardline ‘legal basis’ approach for the use of first party data apply beyond Meta, then the next phase of online advertising, underpinned by consented data, faces serious questions.

It’s all about GDPR

With a total fine of €390m, it is not the largest GDPR fine, but observers have suggested it could be one of the most consequential should it be upheld.

Meta has relied on a claim of contractual necessity for serving personalised advertising on its Facebook and Instagram platforms, avoiding the need for explicit consent.

However, the Irish Data Protection Commission, which took up the initial complaints, has explained that, “Information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data.”

Per the terms of service, no ads meant no service – a position with which the Irish DPC originally agreed. But this latest ruling means that the social networks must now ask consent to serve advertising based on user behaviour, a source of data that had until now constituted Meta’s first party data.

Meta now has three months to outline how it will comply with the ruling, and it could ultimately force the company to include a mechanism that allows users to elect whether their data is used for targeted ads.

Given that Meta plans to appeal, this is not done yet. As a measure of how long enforcement can take, the case was first filed in 2018, on the day that GDPR came into operation.

It’s incredibly complex

If it appears confusing, that’s because it is. In the EU, regulators have interpreted and therefore applied the rules unevenly, while most cases – like this one – take many years to go through the motions.

What’s more, the Irish DPC had initially agreed with Meta’s legal basis for the use of the data. It was only the European Data Protection Board – the EU body responsible for the consistent application of the rules – which disagreed.

The Irish DPC has now concurred with the EDPB and issued a fine. In fairness to Meta, the process has been anything but clear.

“There has been a lack of regulatory clarity on this issue,” Meta notes in a statement, “and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time.

“This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether. That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services.”

In context

This would, of course, be catastrophic for Meta’s EU revenues, its second highest ARPU region after the US and Canada. According to analysis by Wedbush Securities, quoted by the New York Times, this could amount to a hit of between 5-7% of overall ad revenue – “a major gut punch” in the words of one analyst.

While this ruling only affects the rights of the EU user base, the difficulty of enacting it just in one region could lead to changes worldwide.