Meta is bowing to legal inevitability in the European Union: It’s just announced it will finally comply with regional privacy regulations by giving users a free choice to deny its behavioral advertising.
The tech giant is subject to an ongoing regulatory procedure over the legal basis it claims to run microtargeted ads which had been expected to conclude around the middle of this month. But in an update to a blog post today it announced its “intention” to switch to a consent-based legal basis for targeted advertising.
With the blog post, Meta looks to be trying to get out ahead of the regulatory outcome and potentially influence the implementation timeline as well as seeking to shape the narrative about what the looming switch means for its business, such as by claiming advertisers will still be able to run “personalized” ad campaigns on its platform.
Its blog post does not include a date for when it expects to make this change — with the company offering nothing more specific than a vague reference to “the months ahead” — but of course the exact compliance timeline is not in Meta’s gift; it will be up to EU regulators to decide.
On that front an emergency intervention by Norway’s data protection authority last month slapped a temporary ban on Meta from running behavioral advertising on Facebook and Instagram in the market unless it obtained users’ consent to the processing. So if the implementation timeline isn’t a speedy one we may see other concerned EU regulators issuing their own local bans that are effective immediately.
News of Meta’s intention leaked earlier today in a Wall Street Journal article which reported that the company was under pressure from privacy regulators.
Citing people familiar with Meta’s proposal, the WSJ report suggests Meta has offered to move to consent by the end of October, apparently claiming the switch would need at least three months to implement. Although the report also floats the idea that Meta has suggested waiting even longer — until early next year! — in order to align with additional incoming legal requirements related to a separate piece of EU digital regulation, called the Digital Markets Act, which imposes new limits on how data can combined and used for behavioral ads.
Of course there’s no requirement that compliance with one piece of EU law needs to wait on any other. So a 2024 implementation timeline sounds like pure wishful thinking by Meta. (A company spokesman did not respond when we asked it to confirm or deny the WSJ report — he just emailed a link to its blog post.)
The Irish Data Protection Commission (DPC), which leads on privacy oversight of Meta in the EU, declined to comment on Meta’s announced intention to switch to consent given the existence of the ongoing procedure. “I can confirm that we’ve received correspondence from Meta in relation to this but have nothing further to add at this point because the process is ongoing,” deputy commissioner Graham Doyle told TechCrunch.
Only a few months ago, in the same blog post Meta has today refreshed with its consent intention, the company laid out its justification for switching from claiming a contractual basis to process people’s data for targeted ads to a so-called legitimate interest basis. But, as we reported last month, that “legitimate interests” escape hatch was slammed shut by a Court of Justice of the EU ruling — which essentially left Meta with no option but consent. At the start of this year, its prior claim of performance of a contract as the legal basis for the ads processing was also blasted as in breach of the bloc’s General Data Protection Regulation (GDPR).
In short, then, Meta’s privacy-hostile forced surveillance behavioral ads business model has finally run out of road in the EU. And Meta giving users a choice not to be tracked is the only choice it has left to operate legally.
Of course it’s not going to provide this choice universally. U.S. users can whistle for it. As can U.K. users (the country no longer being in the EU); Meta stipulates it will offer a free choice to users in the EU, EEA (European Economic Area) and Switzerland. But, well, Americans might start to feel like second class citizens in their own country if they see a US giant offering Europeans something they’re not getting.
Asking its users if they want to be tracked and profiled is certainly not how the social media behemoth has operated up to now. Rather it has sought to make tracking and profiling an inescapable fact of services like Facebook and Instagram (not to mention its latest platform, Threads). But as EU privacy campaigners have been pointing out for literally years, forced commercial mass surveillance is simply not compatible with EU law.
In the event it’s taken well over five years for privacy campaigners and EU courts to compel the bloc’s regulators to force Meta to stop trampling on EU users’ fundamental rights. So this major win is tempered with equally major frustration that enforcement has taken so long. Add to that, Meta’s actual privacy abuse hasn’t stopped yet — there may still be months, plural, before it provides EU users the simple ‘yes/no’ choice it is legally required to.
But the fact the adtech giant is at last being forced to reform a privacy hostile business model suggests the ‘move fast and break things’ era of untouchable platform giants and their apparent immunity to the rule of law is — finally, finally — on the wane.
So, five years+ in, maybe the GDPR is just starting to get into its groove?
Update: Max Schrems, the privacy campaigner who the filed the original forced consent GDPR complaint against Meta back in May 2018, has reacted to its announcement of an intent to switch to consent by warning he’ll be watching to see how it implements the choice — including ensuring it applies to all its processing of personal data for ad targeting.
“We will see if Meta is actually applying the consent requirement to all use of personal data for ads,” he said in a statement via his privacy rights not-for-profit, noyb. “So far they talk about ‘highly personalized’ or ‘behavioural’ ads and it’s unclear what this means. The GDPR covered all types of personalization, also on things like your age, which is not a ‘behaviour’. We will obviously continue litigation if Meta will not apply the law fully.”
In further remarks critical of how long it’s taken to enforce the GDPR against Meta, Schrems added: “After more than five years of litigation, Meta finally comes to the conclusion that it must ask people if its allowed to spy on them for ads. It took litigation by NGOs and a German [competition] authority to get where we are now — while the Irish regulator [DPC] has consistently protected Meta.”