Privacy regulators in the European Union have ruled that Meta, parent company of Facebook and Instagram, can’t make giving up data for targeted ads a condition of joining the social networks, according to reports published Tuesday in the Wall Street Journal and Reuters. The decision threatens to upend the social media giant’s business model and alter the financial underpinnings of the internet.
Signing up for Facebook or Instagram means clicking past a privacy policy and consenting to the social networks’ digital surveillance for advertising purposes. If you don’t agree, you can’t have an account. But the European Data Protection Board (EDPB) made up of all of Europe’s privacy regulators issued a series of new decisions Monday reportedly declaring that this kind of coerced consent violates the General Data Protection Regulation (GDPR), the EU’s sweeping privacy law.
The EDPB confirmed it had reached a binding decision about the legality of data collection on Facebook, Instagram and WhatsApp in a press release, but hasn’t made the contents of the ruling public. However, key details leaked to the press Tuesday.
The decision wouldn’t just affect Meta. Every company that serves targeted ads works in much the same way as the social media giant. You can sometimes opt out of having data from other parts of the internet used for advertising on social media, but the new ruling seeks to limit company’s from using the data they collect on their own networks. It would be a sea change to how privacy works online.
“The EU regulators’ decision, if it is upheld, would have a dramatic impact on Meta’s revenue in Europe, kneecapping its ability to use information about its users’ on-platform activities in order to sell targeted advertising,” said Debra Aho Williamson, a principal analyst at Insider Intelligence, in an email. “However, we expect Meta to fight vigorously to defend its business, and it could be months, if not years, before any impact is truly felt.”
Meta did not respond to a request for comment on the ruling.
The ruling doesn’t immediately force Meta to change its practices. Instead, it calls on Ireland’s Data Protection Commission to issue specific orders within a month, which are likely to include substantial fines, Reuters reported. Meta will likely appeal the decision as well, which may allow the status quo to continue during litigation.
But depending on how the ruling plays out, it could mean that Meta and other companies it owns have to get real, informed consent before they chew up all your personal information and spit out ads. What would that look like? It’s not clear yet.
When people are presented with a choice of whether to be tracked online (and still use a given site or app), they tend to say no. Over the last year, Apple rolled out a privacy setting which makes apps ask permission before they track users, “Ask App not to Track.” The vast majority of people say no, and Meta’s business took a nosedive as a result—the company said it lost $10 billion thanks to Apple’s privacy setting alone. An EU ruling against Meta could spell financial crisis for the company, whose share price has already fallen like a rock this year. Meta’s stock was down 6.79% at the closing bell Tuesday after the news.
But the ruling is likely far bigger than Meta. Lots of other companies, from Google to TikTok to smaller players, operate via a similar legal model: consent to targeted adds or go use some other platform. It’s unclear how widely the EU ruling would apply across the continent, but it’s possible that one of the foundational models of online business could be disrupted.
The open secret of the tech industry is lots of companies, apps and websites haven’t come up with a way to make money aside from harvesting data and targeting ads. If company’s can’t use your data, they can still show you “contextual” ads, which are based on the content you’re looking at (imagine an ad for Honda’s on an article about cars). But contextual advertising is cheaper than ads tailored via your personal information, and therefore less profitable for the company’s selling it.
An EU ruling only has a direct effect on businesses operating in the EU, but it’s a sign that governments may finally be changing their tune when it comes to privacy. So far, lawmakers have been willing to pass privacy rules that make certain data practices more cumbersome for the business world, but this is the first time that a major government body has taken steps to curtail targeted ads outright.
But the GDPR serves as a model for the privacy laws in the United States and across the globe. If this strict interpretation of the law is successful—however you define success—it could hint at a far more private future.
Update 12/07/21, 12:05 p.m. ET: This story has been updated with details about a press release from the European Data Protection Board.