Norway’s privacy regulator temporarily bans Meta’s behavioral advertising

The Norwegian Data Protection Authority (DPA) today issued Meta with a temporary ban on behaviorally-targeted advertising. From its press release (machine translated into English; emphasis mine):

In December, the Irish Data Protection Authority made a decision, on behalf of the data inspectorates throughout the EEA, which established that Meta has conducted illegal behaviour-based marketing. Since that time, Meta has made some changes, but a recent judgment from the European Court of Justice (curia.europa.eu) states that Meta’s behaviour-based marketing still does not take place legally and in line with the rules. Therefore, the Norwegian Data Protection Authority is now intervening and temporarily bans the practice … The decision applies from 4 August and lasts for three months or until Meta can show that they have aligned themselves in a legal way. If Meta does not comply with the decision, the company risks a compulsory fine of up to NOK one million per day. The decision from the Norwegian Data Protection Authority only applies to users in Norway.

Norway’s DPA explicitly states that the ban applies only to ads targeted using “behavioral” data collected without consent. Data collected with consent, as well as demographic data supplied proactively by the user, may still be utilized in advertising targeting:

Nor does the Norwegian Data Protection Authority prohibit personalized marketing on Facebook or Instagram as such. The decision, for example, does not prevent Meta from targeting marketing based on information that users enter on their profile, such as place of residence, gender and age, or interests that users themselves state that they want to see marketing about. The decision also does not prevent Meta from showing behaviour-based marketing to users who give valid consent to it.

The press release focuses entirely on the data that Meta collects from users within its own apps, in a first-party context, although the ban can plausibly be read to apply to third-party data as well. From the press release (machine translated, emphasis mine):

On Meta’s platforms Facebook and Instagram, users’ activity is tracked in detail. Users are profiled based on, among other things, information about where they are, what kind of content they show interest in and what they post. The personal profiles are then used for marketing purposes – so-called behaviour-based marketing.

A few details worth clarifying:

  • The daily fine of 1MM NOK for non-compliance is roughly equivalent to $100,000;
  • This ban applies only to users in Norway.

In its announcement, the Norwegian DPA references two recent cases that I have covered. First, the Irish DPC’s judgment against Meta back in January found that Meta’s use of the contractual necessity clause for processing first-party data for ads personalization violated the GDPR. After a lengthy tribunal process with the EDPB — which is unpacked in this podcast episode — the Irish DPC fined Meta €390MM and directed the company to bring its data processing practices into compliance with the GDPR within three months. And almost exactly three months later, Meta announced that it would:

  • Change the legal basis through which it collects data in its apps for the purposes of ads personalization in the EU to legitimate interest, which carries its own risks, as I detail here;
  • Offer EU users an opt-out mechanism for personalized advertising.

It’s important to underscore here that the Irish DPC objected to Meta’s use of first-party data collected from user engagement with its own products: the clicks and views that users undertake within the Facebook and Instagram products themselves, which Meta processes in order to personalize the ads to which those users are exposed. In contrast, Apple’s App Tracking Transparency (ATT) privacy policy pertains primarily to data transmitted across contexts between parties: advertisers sending personally-identifiable conversion events to ad platforms to improve advertising targeting.

The second case referenced by the Norwegian DPA is that of a recent CJEU judgment, which I outline in the Twitter thread linked above. A short primer is that the German Federal Cartel Office (FCO), a competition regulator, ordered Meta to cease collecting third-party data related to users for the purposes of ads personalization, arguing that Meta’s dominant market position effectively coerced users into forfeiting their data. Meta appealed, arguing that issues related to data privacy were the remit of the GDPR and thus should be investigated by the company’s EU data privacy regulator, the Irish DPC, under the GDPR’s one-stop shop clause, given that Meta’s EU headquarters is registered in Ireland.

The CJEU issued its judgment two weeks ago (on July 4th), finding that a competition authority could indeed investigate data privacy issues if competitive concerns related to market power were sufficiently compelling, although it imposed significant limitations on any competition authority’s ability to investigate these cases unilaterally (essentially giving data privacy regulators veto power). Mikołaj Barczentewicz, whom I’ve invited to the Mobile Dev Memo podcast multiple times, wrote an illuminating summary of the judgment in two parts: one, two.

Along with the judgment, the CJEU issued commentary on the practice of ads personalization. While the commentary was not definitive, I argued in the Twitter thread linked above that it could be used as air cover for national privacy regulators to take action domestically, which is seemingly what has happened in the case of Norway’s temporary ban. The CJEU considered whether the personalization of content (in the context of the FCO’s case, presumed to mean advertising) is necessary in order to provide a social media service to an end user, and expressed doubt that it is, which calls into question the viability of the contractual necessity clause. It also questioned the use of the legitimate interest basis, which, of the six legal bases for data processing provided under the GDPR, would leave consent as the only realistic option. From the CJEU’s press release about the judgment:

As regards more generally the processing operation carried out by Meta Platforms Ireland, including the processing of ‘non-sensitive’ data, the Court examines next whether this is covered by the justifications, set out in the GDPR, allowing the processing of data carried out in the absence of the data subject’s consent to be made lawful. In that context, it finds that the need for the performance of the contract to which the data subject is party may justify the practice at issue only on condition that the data processing is objectively indispensable such that the main subject matter of the contract cannot be achieved if the processing in question does not occur. Subject to verification by the national court, the Court of Justice expresses doubts as to whether personalised content or the consistent and seamless use of the Meta group’s own services are capable of fulfilling those criteria. Moreover, according to the Court, the personalised advertising by which the online social network Facebook finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue, in the absence of the data subject’s consent.

The CJEU also considered whether a user can genuinely and freely give consent to a company holding a dominant market position, and placed the burden of proving that consent was freely given on the operator. From the press release:

Lastly, the Court notes that the fact that the operator of an online social network, as controller, holds a dominant position on the social network market does not, as such, prevent its users from validly giving their consent, within the meaning of the GDPR, to the processing of their personal data by that operator. However, since that position is liable to affect the freedom of choice of those users and create a clear imbalance between them and the data controller, it constitutes an important factor in determining whether the consent was in fact validly and, in particular, freely given. This is for the operator to prove.

Per my Twitter thread, I believe this theoretical commentary has opened the door to more pointed interpretations by national regulators. The Norwegian DPA’s decision is one such example. Norway’s DPA indicates in its press release about the decision that it will consult with the EDPB about whether its ban may be extended for more than three months.

*Note: Norway is not an EU member state, but it is a member of the European Economic Area (EEA). The GDPR was incorporated into the EEA Agreement and was subsequently implemented into national law.