The Beginning of the End for Surveillance Advertising: Meta Will Seek User Consent for Behavioral Ads in Europe

Posted on Aug 4, 2023 by Glyn Moody

In a surprise move, Meta has announced its intention to change the legal basis used to process certain data for behavioural advertising for people in the EU, EEA, and Switzerland from ‘Legitimate Interests’ to ‘Consent.’

This means that Meta users in these regions will be asked to choose whether or not they want to see ads which have been personalized based on behavior tracking on Facebook or Instagram. Under EU law, even people who say “no” must still be allowed to access the services. This could spell the end of behavioral ads based on privacy-intrusive tracking. This big shift from Meta comes after a long struggle, as explained in a post on Meta’s blog:

This change is to address a number of evolving and emerging regulatory requirements in the region, notably how our lead data protection regulator in the EU, the Irish Data Protection Commission (DPC), is now interpreting GDPR in light of recent legal rulings, as well as anticipating the entry into force of the Digital Markets Act (DMA).

This struggle was led by privacy expert Max Schrems. Just six minutes after the enforcement of the EU’s GDPR began in May 2028, Schrems filed four complaints, one each against Google, Facebook, WhatsApp, and Instagram, over the issue of forced consent to online tracking.

In October 2021, the DPC supported Meta’s contention that it could bypass GDPR requirements for consent to online tracking. However, other data protection authorities in the EU disagreed. The European Data Protection Board (EDPB) issued guidelines stating that bypassing the GDPR is illegal, and must be treated as consent. The DPC said that it was “not persuaded” by its colleagues’ viewpoint. This culminated in the EDPB overruling the Irish Data Protection Commission and imposing a heavy fine on Meta. More importantly, the EDPB said that a yes/no option for surveillance advertising must be provided.

Meta tried to get around this by switching the legal basis for its micro-targeted advertising. Instead of giving users a yes/no option as required by the EDPB, Meta claimed to have a “legitimate interest” in tracking users, a potentially valid approach under the GDPR. It did provide an opt-out from that surveillance, but the form was complicated, and seemed designed to put people off of opting out. However, an unexpected ruling by the EU’s top court in a German competition case implied that Meta’s new approach was invalid, and thus the only option was to ask users to consent to being tracked through a simple yes/no option. As a result of that ruling, in July Norway imposed a temporary ban on Meta’s surveillance-based advertising.

Meta probably saw this as foreshadowing of what would happen soon in the EU, and has decided to accept that its current business model, which is based on constant online surveillance, is no longer viable in Europe. Meta has tried to put a positive spin on its move:

There is no immediate impact to our services in the region. Once this change is in place, advertisers will still be able to run personalised advertising campaigns to reach potential customers and grow their businesses. We have factored this change into our business outlook and related public disclosures made to date. 

Of particular note is the claim that advertisers will still be able to run personalized ads: the question is how Meta aims to facilitate this if it can’t track everything people do on the site. The Electronic Frontier Foundation says we should remain “cautious” until we know more. Max Schrems also has his concerns:

“We will see if Meta is actually applying the consent requirement to all use of personal data for ads. So far they talk about ‘highly personalized’ or ‘behavioural’ ads and it’s unclear what this means. The GDPR covered all types of personalization, also on things like your age, which is not a ‘behaviour’. We will obviously continue litigation if Meta will not apply the law fully.”

We have noted before that it would be possible to offer tailored advertising using other methods. For example, contextual advertising uses information about the material being viewed by a user to select relevant ads.

The interesting question is what happens to Meta users outside the EU. If, as the company says, it can offer personalized advertising in Europe without surveillance, will it offer that in other regions? If it does, it will be another demonstration of the way in which the EU’s GDPR legislation raises data protection standards more widely. If it doesn’t, a situation could arise in which EU users have privacy protection, but those in the US, the UK, and elsewhere don’t. Once a mechanism exists for offering advertisers targeted ads without the surveillance, it will be very hard to justify not using it around the world.

The UK’s data protection body, the Information Commissioner’s Office, has already stated that “We’re aware of Meta’s plans to seek consent from users for behavioural advertising in the EU, to the exclusion of the UK.” It added: “We are assessing what this means for information rights of people in the UK and considering an appropriate response.” That’s a hint that it will take legal action if the privacy of UK users is not protected in the same way as those in the EU. It’s likely that other data protection agencies will take a similar view. The more Meta abandons its surveillance advertising business model around the world, the greater the pressure on others will be to do the same.

Feature image by Minette Lontsie.