By Adam Satariano
Meta has suffered a major defeat that could severely undercut its Facebook and Instagram advertising business after European Union regulators found it had illegally forced users to effectively accept personalised ads.
The decision, including a fine of £390 million ($A612 million), has the potential to require Meta to make costly changes to its advertising-based business in the EU, one of its largest markets.
The ruling is one of the most consequential judgments since the 27-nation bloc, home to roughly 450 million people, enacted a landmark data-privacy law aimed at restricting the ability of Facebook and other companies from collecting information about users without their prior consent. The law took effect in 2018.
The case hinges on how Meta receives legal permission from users to collect their data for personalised advertising. The company includes language in its terms of service agreement, the very lengthy statement that users must accept before accessing services like Facebook, Instagram and WhatsApp, that effectively means users must allow their data to be used for personalised ads or stop using Meta’s social media services altogether.
Ireland’s data privacy board, which serves as Meta’s main regulator in the EU because the company’s European headquarters are in Dublin, said EU authorities determined that placing the legal consent within the terms of service essentially forced users to accept personalised ads, violating the European law known as the General Data Protection Regulation, or GDPR.
Meta has three months to outline how it will comply with the ruling. The decision does not specify what the company must do, but it could result in Meta allowing users to choose whether they want their data used for such targeted promotions.
If a large number of users choose not to share their data, it would cut off one of the most valuable parts of Meta’s business. Information about a user’s digital history — such as what videos on Instagram prompt a person to stop scrolling, or what types of links a person clicks when browsing their Facebook feeds — is used by marketers to get ads in front of people who are the most likely to buy. The practices helped Meta generate $118 billion in revenue in 2021.
The judgment puts 5 per cent to 7 per cent of Meta’s overall advertising revenue at risk, according to Dan Ives, an analyst at Wedbush Securities. “This could be a major gut punch,” he said.
The penalty contrasts with regulations in the United States, where there is no federal data privacy law and only a few states such as California have taken steps to create rules similar to those in the EU. But any changes that Meta makes as a result of the ruling could affect users in the United States. Many tech companies apply EU rules globally because that is easier to implement than limiting them to Europe.
“This could be a major gut punch.”Dan Ives, an analyst at Wedbush Securities.
The EU judgment is the latest business headwind facing Meta, which was already grappling with a major drop in advertising revenue because of a change made by Apple in 2021 that gave iPhone users the ability to choose whether advertisers could track them. Meta said last year that Apple’s changes would cost it about $10 billion in 2022, with consumer surveys suggesting that a clear majority of users have blocked tracking.
Meta’s struggles come as it is attempting to diversify its business from social media to the virtual reality world known as the metaverse. The company’s stock price has plummeted more than 60 per cent in the past year, and it has laid off thousands of employees.
The announcement relates to two complaints filed against Meta in 2018. Meta said it will appeal the decision, setting up what could be a prolonged legal fight that will test the power of the GDPR and how aggressively regulators use the law to force companies to change their business practices.
“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions,” Facebook said in a statement.
The result was hailed by privacy groups as a long-overdue response to companies gobbling up as much data as possible about people online in order to deliver personalised ads. But the more than four years it took to reach a decision was also seen by critics as a sign that enforcement of the GDPR is weak and slow.
There are some signs in the EU of a broader, stepped-up effort to crack down on the world’s largest tech companies. New EU laws were passed last year aimed at stopping anticompetitive practices in the tech industry and forcing social media companies to more aggressively police user-generated content on their platforms. Last month, Amazon agreed to make key changes to how products are sold on its platform as part of a settlement with EU regulators to avoid antitrust charges.
In November, Meta was fined roughly $US275 million ($A407 million) by Irish authorities for a data leak discovered last year that led to the personal information of more than 500 million Facebook users being published online.
In 2023, the EU’s top court, the European Court of Justice, is also expected to rule on cases that could lead to more changes to Meta’s data-collection practices. Yet many believe the enforcement has not matched the rhetoric of EU policymakers about strong tech regulation. Max Schrems, an Austrian data-protection activist whose nonprofit organisation, NOYB, filed the complaints in 2018 that led to Wednesday’s announcement, said there are thousands of data-protection complaints that still need to be addressed.
“On paper you have all these rights, but in reality the enforcement is just not happening,” he said.
This article originally appeared in The New York Times.
Source: Thanks smh.com