Meta Fined €390M Over Targeted Advertising, Ordered to Comply With GDPR

Ireland’s Data Protection Commission today ordered Meta to pay fines of €390 million for unlawfully collecting personal data and targeting ads at Facebook and Instagram users. The fines follow last month’s ruling by the European Data Protection Board that Meta cannot use its terms of service as a legal basis for targeted advertising. The Irish DPC also gave Meta three months to bring its targeted advertising into compliance with the EU’s General Data Protection Regulation, which will likely require the company to give users a simple way to opt out of all targeted ads.

The GDPR generally prohibits companies from forcing users to submit to personal data collection in exchange for a service. Meta has long argued that the GDPR’s contractual necessity exception allows the company to collect personal data to fulfill its terms of service and that personal data collection for targeted advertising is a necessary aspect of the platform. In other words: Meta contends that users are in a contract to receive targeted ads.

But the EDPB rejected Meta’s use of the contractual necessity exception in December, and today’s order by the Irish DPC implements that ruling. The complaints that led to the DPC’s enforcement action were brought in 2018 by Max Schrems, co-founder of None of Your Business and a member of the EPIC Advisory Board.

“This decision serves as another reminder that European citizens have rights that Americans do not,” said EPIC Deputy Director Caitriona Fitzgerald. “Congress’ failure to pass a privacy law has allowed companies like Meta to profit off our most intimate personal information without limit. Congress must pass a comprehensive privacy bill this year that promotes innovation while protecting privacy.”

EPIC has long supported protections for the privacy of social media users. EPIC recently submitted comments on the Federal Trade Commission’s commercial surveillance rulemaking. In addition to urging a ban on targeted advertising directed at minors, EPIC reiterated its call for the FTC to adopt a data minimization rule to ensure that businesses only collect data consistent with consumer expectations. EPIC also supports passage of the American Data Privacy and Protection Act, which would place strict limits on targeted advertising and establish a universal opt-out mechanism for consumers.