EU privacy watchdog to Meta: first-party data is off limits for ads personalization

Yesterday, the Irish Data Protection Commission (DPC) announced that it had concluded two inquiries into Meta’s business practices related to personalized advertising. These inquiries stemmed from lawsuits filed in 2018 by noyb, a non-profit founded by privacy activist Max Schrems. The suits were filed upon enactment of the EU’s GDPR, which provides companies with six legal bases for processing user data — one of which is consent — and they contend that Meta’s (then, Facebook’s) use of on-site, behavioral data for the purposes of personalized advertising requires explicit, opt-in consent from users.

In response to the lawsuits, the DPC had originally sided with Meta and determined that personalized advertising — and content personalization more broadly — is a core component of the services being offered through Facebook and Instagram and therefore the contractual necessity clause of Article 6(1)(b) in the GDPR is met through user agreement with the products’ Terms of Service. This would have alleviated the need for explicit consent to personalized advertising using on-site, behavioral data.

The European Data Protection Board (EDPB), which was formed to ensure consistent enforcement of the GDPR, disagreed with the Irish DPC. The EDPB determined last month (see my tweet above) that Meta’s approach to packaging consent to the use of behavioral data in ads personalization through its products’ Terms of Service was in violation of the GDPR. The Irish DPC accepted that determination and yesterday issued a fine to Meta of €390MM (€210MM relating to Meta’s Facebook service and €180MM relating to its Instagram service). The DPC also directed Meta to bring its practices into compliance with the GDPR within three months. Meta has stated that it will appeal the decision.

If the background of this case, as well as the numerous participants involved, seems byzantine and confusing, it’s because this entire situation is byzantine and confusing. Acknowledging that Meta will appeal the decision, my interpretation of the outcome is that any digital product that utilizes on-site, first-party data for ads personalization must obtain explicit consent before doing so.

This is a remarkable development. Apple’s App Tracking Transparency (ATT) privacy policy disrupted the digital advertising ecosystem by instituting a distinction between the use of first-party (on-site) and third-party (cross-site) data and requiring platforms to obtain consent before collecting and utilizing the latter (see my explanation of how this change impacted what I call “hub-and-spoke” ad platforms).

This determination by the EDPB, enforced by the DPC, goes one step further and demands that the use of any data for the purposes of ads personalization be subject to opt-in consent requirements for digital products. Note that this doesn’t merely apply to Meta, although Meta was the defendant in these specific lawsuits: this determination will apply to any digital product that doesn’t currently obtain consent before personalizing ads using on-site behavioral data. The number of scaled consumer products for which this is true is unclear.

Roughly 21% of Meta’s advertising revenue was generated in Europe in Q3 2021, the last quarter for which it has announced results. Meta’s pivot to short-form video and the open graph is, by my estimation, an attempt to generate more on-site data; I’ve argued that Meta’s strategy is designed to bolster engagement through better-personalized content, the result of which would be more ad exposures served through greater time spent in its apps. The DPC’s decision threatens the viability of that strategy.

Relatedly, TikTok — which popularized the product experience defined by short-form video percolated across an open graph — had attempted last year to use the legitimate interest basis for data processing to avoid asking for consent for using behavioral data in personalized advertising. But TikTok walked back that proposed change one day before it would have gone into effect after consulting with its privacy regulator, the Irish DPC.