Stop me if you’ve heard this one before: European regulators have fined Meta (specifically, Facebook and Instagram) for inappropriately collecting and sharing user data. Is this déjà vu? Not quite. The latest decision, which will cost Meta €390 million, hits Meta where it hurts most: its targeted advertising business.

Core to the privacy complaint is how Facebook and Instagram gained consent for behavioral advertising. They force users to accept personalized ads by embedding the requirement for behavioral advertising in their terms of service (which you must accept to use Facebook or Instagram at all) and categorizing behavioral advertising as a contractual necessity. The Irish Data Protection Commission (DPC) deemed that a violation of the GDPR by not giving users meaningful choice to opt in or out of behavioral advertising.

Meta plans to appeal the decision. If the ruling stands, Meta will likely need to explicitly ask users for consent for behavioral advertising (or find a workaround). It would also need processes, workflows, and capabilities to disable targeted advertising for users who don’t consent while also convincing advertisers that its properties are still worthy of their ad budgets. This is a significant undertaking for a company that the DPC described as such: “Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising.

For marketers, this latest ruling:

  • Gives them yet another limitation in a data deprecation world. If Meta is forced to ask users for explicit consent for behavioral advertising, advertisers will feel the pinch. As consumers opt out, the number of individually targetable users will be smaller. Individual targeting is getting harder as browsers, operating systems, and users themselves restrict how their data can be used, so advertisers need to adopt audience-based strategies. When Apple’s App Tracking Transparency created a consent pop-up for cross-app and cross-site tracking, it saw low opt-in rates (although stats vary) and hurt revenue at companies such as Facebook, Twitter, and Snap.
  • Pushes them to reexamine their own consent practices. Regulators around the world have been examining the ways that companies capture consumer consent and issuing fines. In November, US state attorneys general hit Google with a $392 million fine for its confusing double opt-out process for location data collection; in September, South Korea fined Google and Meta for failing to properly gain user consent. Yes, the big headline grabbers of late have been “big tech” companies, but as consumers become increasingly privacy-aware — and savvy — all companies should be examining how they ask for consent, if that consent is freely given, and if they are using any coercive or manipulative design (also known as dark patterns).

There may be yet another Meta fine announced in the next week or so, as the DPC is also reviewing a similar complaint about behavioral advertising and forced consent in WhatsApp. Stay tuned.