On Jan. 4, after four years of inquiry, Ireland’s Data Protection Commission (DPC) fined the parent company of Facebook and Instagram, Meta Ireland, 390 million euros for breaches of the EU’s General Data Protection Regulation (GDPR).
Specifically, Meta Ireland was fined 210 million euros for Facebook breaches and 180 million euros for Instagram breaches. The DPC, which is the GDPR’s Irish supervisory and enforcement authority, also gave Meta Ireland three months to bring its data processing operations into compliance.
Meta is appealing the ruling, stating, “The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area. We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”
Negligible Short-Term Impact on Meta
While the fines themselves will have little impact on Meta’s multibillion-dollar bottom line, what is at stake is the long-term viability of Meta’s advertising model, said Stephanie Liu, a privacy and marketing analyst at Forrester.
“It's not going to fundamentally change their business,” said Liu. “But it will make an impact on the extent of how profitable their advertising is. We saw this when Apple rolled out App Tracking Transparency. Meta’s ad revenues declined. If they lose the appeal of this ruling, I think we'll see something similar here.”
Apple’s anti-tracking feature, App Tracking Transparency (ATT), which the company released in April 2021 and which gives users the option to block apps from tracking them, has cost Facebook an estimated $10 billion in ad revenues to date.
The Opt-in vs. Opt-Out Marketing Model
The issue behind the DPC’s ruling is that users have no choice but to allow Facebook and Instagram to leverage their personal information and online activities as a condition of using those services, said Liu. When users agree to Meta’s terms of service, there is a clause in those terms that says Meta can use online behavior data for targeted advertising.
The GDPR’s requirements for consent are stringent, requiring users to have some sort of opt-out mechanism, said Liu. In its ruling, the DPC said the way Meta obtains permissions ran afoul of the GDPR’s privacy protections.
According to NOYB, the European privacy rights NGO that brought the complaints that led to the DPC’s ruling, Meta’s terms of service are a clear violation of the GDPR’s regulations and intent.
The DPC’s decision doesn’t mean Meta can’t target ads, said NOYB in its blog post on the ruling. It can. But, unless a user specifically opts in, Meta can’t use tracking data from its vast network of website and app publishers, marketing partners and ad networks to target those ads based on what users are looking at online, their personal information and other data points such as the devices they are using.
Potential Long-Term Damage to Meta Advertising Model
If Meta loses its appeal, two things will likely result. The first is that they may lose even more ad revenue because they won’t be able to sell microtargeting to advertisers, said Liu. As Apple’s ATT impact on Facebook revenues has shown, when people are given the choice, they will choose not to be tracked.
“Just to put a tidy bow around this, the ruling gets to how Meta needs targeted advertising to support its business,” she said. “That is its main moneymaker. And, as they chase their metaverse dreams, they need advertising as the key revenue stream to support the R&D of that.”
And, second, they may have to start operating more like other online service providers by creating unique websites for the different parts of the world in which they operate, said Kristina Podnar, a digital policy consultant.
“If you talk to any marketer, and you ask them, ‘How do you do SMS text [marketing]?’ They do it based on country and local laws,” said Podnar. “How do they do email marketing? Same thing. Everybody's going in this direction of local country laws.”
Even though Meta would have to rearchitect its platform to cater to local laws and regulations, if Meta were to take this route, it could blunt the impact of the DPC’s ruling on the company’s revenues since most countries and US states do not have opt-in rules similar to those in the GDPR.
Broader Impact for Online Marketing Questionable
As for targeted online marketing in general, neither Liu nor Podnar expects major fallout. While Amazon, Netflix, Google and other tech giants use similar tactics to power their recommendation engines, no other company has the same internet-wide reach as Meta.
What is more likely, said Podnar, is greater scrutiny of all the big tech players' data privacy and management practices. This is already playing out in the US, where five states have new privacy laws on the books this year and many other states — and even Congress — are considering them.
“I think the question is, ‘What is the spillover?’” said Podnar. “I don't think that over the next two to three years there's going to be any significant impact on marketers. You're going to see more and more investigations into Meta and into Google. You’re going to see a refinement to GDPR. You’re going to see more refinements in the US, just like you saw with CCPA [California Consumer Privacy Act]. And you're going to see even more states coming on board in the US with data privacy laws.”