Meta, GDPR, and Consent: The Future of Targeting on Facebook and Instagram

November 3, 2023
For much of 2023, marketers and advertisers have been wrestling with the question of Meta’s GDPR compliance. The ongoing saga has left everyone in limbo as to whether, how, and when Meta will introduce the concept of consent for the processing of users’ personal data on the Facebook and Instagram platforms. The answers to these questions are sure to have significant impacts on marketers and their advertising strategies for years to come. As the action has picked up, let’s take a look at the current status of Meta, consent, and GDPR.

Background

In the summer of 2023, the Court of Justice of the European Union found Meta’s use of “contractual necessity” as their lawful basis for the processing of EU users’ personal data for behavioral advertising to be in violation of GDPR. As a result, Meta was forced to rely on a separate lawful basis for such processing. Meta initially tried to rely on “legitimate interest,” but the CJEU judgment also clarified that “legitimate interest” would be insufficient for the advertising use case, leaving consent as the only viable alternative.

Meta has continued processing EU consumers’ personal data rather than obtaining GDPR-compliant consent as they work through a solution that is amenable to data protection requirements in the EU. As a result, Norway’s DPA issued a “ban” on Meta’s processing of personal data unless valid consent for said processing had been given. The initial “ban” was implemented on August 4, 2023 and was set to last for three months. The ban applied only to processing in Norway and instituted a fine of $1 million NOK for each day in which Meta was in violation. As the end of the “ban” approached, Norway’s DPA submitted a request to the European Data Protection Board for the ban to apply EU-wide and be extended indefinitely until Meta came into compliance. On October 31, 2023, the EDPB ruled in support of the Norwegian DPA’s request.

Meanwhile, Meta indicated in September 2023 that they planned to offer a subscription-based (paid) ad-free option in addition to the free services for Facebook and Instagram. The continued use of the free ad-supported Facebook and Instagram would require the processing of personal data for behavioral advertising. On October 30, 2023, Meta made an official announcement that the new plan options would be released in November.

Meta cited their commitment to following EU legislation as the reason for doing so in a press release announcing the move. The press release states that the move complies with EU law and “how our lead data protection regulator in the EU, the Irish Data Protection Commission, is interpreting GDPR”. They continue, “The option for people to purchase a subscription for no ads balances the requirements of European regulators while giving users choice and allowing Meta to continue serving all people in the EU, EEA, and Switzerland. In its ruling, the CJEU expressly recognised that a subscription model, like the one we are announcing, is a valid form of consent for an ads funded service.” 

Where We Are Now

To summarize:

  • Meta’s processing of EU users’ personal data for advertising was lacking a valid lawful basis and in violation of GDPR.
  • Based upon the CJEU decision, Meta would need to offer a valid mechanism for consent to lawfully process EU personal data for advertising purposes. 
  • Norway’s DPA and the EDPB have issued an EU-wide prohibition on Meta’s processing of personal data for use in behavioral marketing beginning on November 14, 2023. Meta must bring their processing of said data into GDPR compliance by then. 
  • Meta is taking the approach of offering users the choice between a paid ad-free option where personal data will not be processed for behavioral marketing or a free ad option where it will. They take the stance that this satisfies GDPR requirements and the CJEU judgment. 
    • It is unclear whether, and unlikely that, this approach has been vetted and approved by data protection authorities in Europe.

What Is Next?

As of November 1, 2023, it is likely that:

  • Meta will seek approval from the Irish DPC for their pay-or-protect consent option.
  • Given past actions, the Irish DPC will probably agree with Meta that the option satisfies the necessary requirements.
  • Other European DPAs will then likely challenge the Irish DPC’s decision, leading to further consideration by the EDPB and CJEU.
  • Ultimately, two outcomes are likely:
    • Meta offers “consent” via the ad-free paid vs free tier option.
    • Meta is required to obtain explicit consent before any processing of EU users’ personal data for behavioral marketing.

InfoTrust Point of View

Rationale / Logic

Meta is relying on Paragraph 150 of the CJEU Judgment which reads: 

“Thus, those users must be free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator, which means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations.”

This logic is consistent with other decisions, including a decision from the conference of German data protection authorities in March of 2023. The first point of that decision reads:

“In principle, tracking of user behavior (tracking) can be based on consent, provided that an alternative model without tracking is offered, even if it is subject to a charge. However, the service that users receive in a paid model must firstly represent an equivalent alternative to the service they obtain through consent. Secondly, the consent must meet all the effectiveness requirements stipulated in the General Data Protection Regulation (GDPR), in particular the requirements set out in Art. 4 No. 11 and Art. 7 GDPR.”

Ultimately, the “pay or okay” approach is likely to be decided by the CJEU. 

Recommendation 

We recommend that organizations move forward as Meta will be forced to obtain explicit consent from all users prior to their processing of the user’s personal data for behavioral advertising on Facebook and Instagram. A few questions to ask:

  1. How does Meta fit into my advertising strategy? Why am I targeting users on the platform?
  2. If Meta were to have to gain explicit consent to personalize advertising based upon consumer behavior and personal data, how would I change my media strategy with respect to Meta?
  3. If I were to consider moving my spend from Meta to other platforms, would I immediately do so or would I test?

The last question is the most important. All organizations we work with would test and evaluate the effectiveness of their spend on Meta vs alternatives against their goals (defined as part of the purpose in the first question). These are the activities an organization can control. Control what you can control and let the courts sort out how Meta will have to behave to comply with GDPR.

What Are Others Saying?

From noyb (via TechCrunch)

noyb’s founder and honorary chairman, Max Schrems, wrote: “The CJEU said that the alternative to ads must be ‘necessary’ and the fee must be ‘appropriate’. I don’t think €160 a year is what they had in mind. These six words are also an ‘obiter dictum’, a non-binding element that went beyond the core case before the CJEU. For Meta this is not the most stable case law and we will clearly fight against such an approach.”

In Norway

“The Norwegian Data Protection Authority is very concerned about the illegal tracking, monitoring and profiling that takes place on Facebook and Instagram. Although it has long been clear that Meta is breaking the law, and despite the Norwegian Data Protection Authority’s ban, Meta continues with its illegal processing of personal data. This is the reason why we have chosen to raise the matter to the Personal Data Protection Board (EDPB), which has now agreed that there is an urgent need for a permanent ban on the illegal activities at European level.”

At the EU level

The European Data Protection Council (EDPB) adopted a so-called ‘swift binding decision’ under Article 66 (2) of the Data Protection Regulation. This is done at the request of the Norwegian Data Inspectorate.

In the decision, the EDPB instructs the Irish Data Protection Authority—which is the leading regulatory authority against Meta—to take definitive action against Meta Ireland within two weeks, in the form of a prohibition on the processing of personal data for use in behavioral marketing in the light of Article 6 (2) of the Regulation [1 (b) (contract) and (f) (balancing)].

The ban applies to the entire EU / EEA and will apply from one week after the final measures have been notified to Meta Ireland.

On October 31, 2023, the Irish Data Protection Agency informed Meta of the EDPB’s binding decision.

How the situation unfolds will affect not just how advertisers define their strategies for Meta in 2023; the outcomes will reverberate across the media landscape. Whether “pay or okay” consent is deemed compliant will impact publishers across Europe and EU consumers’ experience on the web. Meanwhile, the answer to lawful processing for advertising for social media platforms could shift base protections afforded to those in the EU. Watch this space closely for a rundown of implications as the outcome becomes clearer.

Authors

  • Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.
  • From a misguided beginning in media planning some 18 years or so ago, Ash Lindley has worked across much of digital including SEO, digital analytics, and cloud architecture everywhere from an upstart digital agency to unwieldy full-service media agency environments, and a stint client-side for curiosity’s sake. As Strategy Lead, Ash is primarily focused on Wardley Mapping at InfoTrust, along with anything and everything privacy related in his spare time.
Last Updated: November 3, 2023