Meta’s been blasted by the EU privacy watchdog for breaching GDPR — now what?

GDPR monste

It turns out that Meta has been illegally forcing users to accept personalized ads across Facebook and Instagram for years — at least that’s the case in Europe. Earlier this week, Ireland’s Data Protection Commission (DPC) ruled that the social media giant has been engaging in this practice, even after it changed its terms of use back in 2018. In other words, users must accept Meta’s terms or they can’t use any of its platforms.

The ruling and its consequences could fundamentally change how Meta’s ad business makes money in one of its largest markets going forward.

But before we dig into the hypotheticals, here’s a quick recap of what has actually happened: According to the DPC’s investigations, Meta hasn’t been transparent about how users’ data is collected and used. Buried deep in the tomes that are the terms and conditions for each of Meta’s social platforms are statements that essentially mean someone must either agree to let their data be used to serve them targeted ads or stop using the services altogether. This didn’t sit well with the DPC. 

“The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR,” stated the regulator. “It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner.”

It’s further evidence of the law catching up with (and coming down upon) all the players in the behavioral advertising ecosystem.

So what now?

Meta has been ordered to pay a hefty fine of €390 million ($412 million), of which €210 million ($222 million) relates to Facebook, while the remaining €180 million ($190 million) relates to Instagram.

All told, a fine like this is like a parking ticket for the likes of Meta. The real issue is what happens next. The DPC stated Meta Ireland has three months to sort out its data operations so they comply with the GDPR going forward. However, it hasn’t specified what Meta must do to rectify the situation — leaving many curious about what road the social media giant might take.

Cue a lot of speculation as to whether the jig is finally up for Meta in one of its biggest markets. Last fall, Meta reported it had around 408 million users in Europe.

Nigel Jones, director of The Privacy Compliance Hub, said he believes Meta will have to find a legal basis for using customer data to serve up behavioral advertising and be completely transparent about it. This is no easy feat for even a company as fleet-footed as Meta. 

“It can’t force users to consent and it can’t hide things away in its terms and conditions,” he said. “Therefore, it seems likely Meta is facing a direct choice between arguing that it has a ‘legitimate interest’ in using data in this way, or asking users to freely choose whether they consent to behavioral advertising.”

That second option is easier said than done.

Russell Howe, vp of EMEA at data control business Ketch, said Meta could go down the path of full transparency by building trust from the outset with a comprehensive and clearly communicated set of data collection purposes defined for every channel and interaction in the Meta estate. After all, this is the general direction the market is headed — even if some parts of it are being dragged toward it kicking and screaming.

Alternatively, Meta could employ a very simple accept or reject all compliance banner that has been enough to check a box for a number of brands the world over, suggested Howe. “The latter is also still under scrutiny by the regulators — but Meta has the opportunity to step out of the shadows and build a real data driven relationship with their users,” Howe said.

Doing the right thing has a cost

Let’s say Meta did bite the bullet and opted to give users the choice of whether they want their data used for targeted advertising. There’s a chance that could blow a big hole in its ads business. Remember what happened when Apple insisted companies asked its mobile customers to opt-in to being tracked by them within each individual app? A lot of people did choose to indeed not be tracked by their apps, and advertising on Meta’s platforms struggled. 

There’s a chance that history could repeat itself. If a large portion of those users decide not to share their data with Facebook and/or Instagram in the future, it would ultimately kneecap one of Meta’s most prized parts of the business: its plethora of data related to users’ digital footprints. And that information is used by marketers to ensure ads get in front of people who are most likely to buy their products.

The whole reason why companies use Meta’s ad services is because they can target pretty well, explained Steffen Schebesta, CEO of Sendinblue. Advertising to anyone without geographic limitations, gender, age group, interest, etc., will cause spending to drop dramatically, he added.

Moreover, if a significant number of people do choose to opt-out, the price of advertising could be greatly devalued, throwing digital advertising for a tailspin in an already touchy market.

“This could lead to a pricing reset which could compound Meta’s challenges with TikTok as a competitive force,” Doron Gerstel, CEO of global ad tech company Perion, explained. “Meta has tried and failed to generate alternative revenue streams beyond advertising, such as its unsuccessful Libra currency, so this will have to change fast. When Apple unveiled its update that allowed users to opt-out of being tracked, billions of dollars were lost — so there is quite a bit on the line.”

With that said, there could be long-term gain to be had if Meta is willing to endure short-term (well, relatively) pain to run an ads business built on the back of an opt-in policy.

According to Howe, while the quantity of data would decrease, the quality of data would actually increase. After all, people would be choosing to be advertised and marketed to by sharing this particular information — which can only be good for targeted marketing. 

“All too long marketers have been addicted to the quantity of data collected as a measure of success rather than the person behind the data itself which provides a greater depth of quality and thus a trusted and more loyal relationship,” he said.

How much is on the line?

A lot, but trying to quantify that is tough.

Looking specifically at Meta’s European market, the social media giant received a total of $15.3 billion in ad revenue collectively from the U.K., Germany, France, Spain and Italy in 2022, while its U.S. market accumulated $48.7 billion, per data collated by Insider Intelligence.

Will there be backlash for Meta in the U.S.?

While this EU ruling has highlighted Meta’s unethical data operations across Europe, this is likely the beginning of a longer battle for Meta in the U.S.

Howe said he believes it’s only a matter of time before data laws catch up with Meta in the U.S. California and Virginia went live with their version of GDPR on Jan. 1, and there are three other states with similar policies that are imminent and a federal privacy law also being lobbied in Washington, he said.

Of course, while Meta is under an enormous spotlight, none of this bodes well for other platforms that use similar tactics behind closed doors.

In fact, the DPC’s ruling sets a pretty dangerous precedent for any company doing anything similar. Though, as Schebesta noted, the penalties usually ordered to these Big Tech companies are peanuts, whereas they would effectively wipe out a normal company.

As Matthieu Roche, CEO of ID5, noted, this EU ruling solidifies the fact that if social media platforms are to operate like publishers, they should abide by the same rules.

“The industry is beginning to realize that separating consent for data collection from registration to a digital service should have been an obligation for a long time,” he said. “It’s likely that more platforms that have been using the same shady approach will be scrutinized by regulators and will have to give consumers complete freedom of where to opt-in or opt-out.”

https://digiday.com/?p=483182

More in Marketing

Key takeaways from Digiday’s 2024 Gaming Advertising Forum

Now that gaming has gone from a buzzword to a regular presence in brands’ media mix, marketers are more closely scrutinizing the value and ROI of their investments in this channel — and the platforms are rising to the challenge. Here are some of the biggest takeaways from this week’s Gaming Advertising Forum.

‘The most controversial rebrand of the year’: Understanding the tightrope that legacy brands like Jaguar walk during a rebrand

Jaguar’s attempt at a sleek, ultra-modern rebrand replete with art-house aesthetics has been the talk of the water cooler – excuse me, LinkedIn – this week.

The Trade Desk finally confirms it: Meet Ventura, the OS to cement its grip on CTV

The Trade Desk is indeed building a CTV operating system. So much for shutting down those rumors. Weeks ago, CEO Jeff Green insisted they were off-base.