EU privacy watchdog to Meta: first-party data is off limits for ads personalization
Yesterday, the Irish Data Protection Commission (DPC) announced that it had terminated two inquiries into Meta’s merchantry practices related to personalized advertising. These inquiries stemmed from lawsuits filed in 2018 by noyb, a non-profit founded by privacy objector Max Schrems. The suits were filed upon establishment of the EU’s GDPR, which provides companies with six legal bases for processing user data — one of which is consent — and they contend that Meta’s (then, Facebook’s) use of on-site, behavioral data for the purposes of personalized razzmatazz requires explicit, opt-in consent from users.
In response to the lawsuits, the DPC had originally sided with Meta and unswayable that personalized razzmatazz — and content personalization increasingly widely — is a cadre component of the services stuff offered through Facebook and Instagram and therefore the contractual necessity clause of Article 6(1)(b) in the GDPR is met through user try-on with the products’ Terms of Service. This would have alleviated the need for explicit consent to personalized razzmatazz using on-site, behavioral data.
The European Data Protection Board (EDPB), which was worked to ensure resulting enforcement of the GDPR, disagreed with the Irish DPC. The EDPB unswayable last month (see my tweet above) that Meta’s tideway to packaging consent to the use of behavioral data in ads personalization through its products’ Terms of Service was in violation of the GDPR. The Irish DPC wonted that determination and yesterday issued a fine to Meta of €390MM (€210MM relating to Meta’s Facebook service and €180MM relating to its Instagram service). The DPC moreover directed Meta to bring its practices into compliance with the GDPR within three months. Meta has stated that it will appeal the decision.
If the preliminaries of this specimen as well as the numerous participants involved seems byzantine and confusing, it’s considering this unshortened situation is byzantine and confusing. Acknowledging that Meta will request the decision, my interpretation of the outcome is that any digital product that utilizes on-site, first-party data for ads personalization must obtain explicit consent surpassing so doing.
This is a remarkable development. Apple’s App Tracking Transparency (ATT) privacy policy disrupted the digital razzmatazz ecosystem by instituting a stardom between the use of first-party (on-site) and third-party (cross-site) data and requiring platforms to obtain consent surpassing collecting and utilizing the latter (see my explanation of how this transpiration impacted what I undeniability “hub-and-spoke” ad platforms).
This determination by the EDPB, enforced by the DPC, goes one step remoter and demands that the use of any data for the purposes of ads personalization be subject to opt-in consent requirements for digital products. Note that this doesn’t merely wield to Meta, although Meta was the defendant in these specific lawsuits: this determination will wield to any digital product that doesn’t currently obtain consent surpassing personalizing ads using on-site behavioral data. The number of scaled consumer products for which this is true is unclear.
Roughly 21% of Meta’s razzmatazz revenue was generated in Europe in Q3 2021, the last quarter for which it has spoken results. Meta’s pivot to short-form video and the unshut graph is, by my estimation, an struggle to generate more on-site data; I’ve argued that Meta’s strategy is designed to perpetuate engagement through better-personalized content, the result of which would be increasingly ad exposures served through greater time spent in its apps. The DPC’s visualization threatens the viability of that strategy.
Relatedly, TikTok — which popularized the product wits specified by short-form video percolated wideness an unshut graph — had attempted last year to use the legitimate interest understructure for data processing to stave asking for consent for using behavioral data in personalized advertising. But TikTok walked back that proposed transpiration one day surpassing it would have gone into effect without consulting with its privacy regulator, the Irish DPC.
.