Meta offers EU, EEA and Swiss users opt-in consent for ads, excludes UK

In an update to a blog post on Tuesday, 1 August, Meta announced that it intends to "change the legal basis that we use to process certain data for behavioural advertising for people in the EU, European Economic Area (EEA) and Switzerland from ‘Legitimate Interests’ to ‘Consent," on its Facebook and Instagram platforms. The move, first reported in The Wall Street Journal (£), comes after the Court of Justice of the European Union (CJEU) ruled against the company in Case C-252/21 about whether it can use personal data beyond what is strictly necessary to perform a contract. The CJEU ruling followed two final decisions adopted by the Irish Data Protection Commission in January, fining the company €390 million and concluding that its legal basis for processing user data to deliver targeted advertising was invalid.

Meta's proposed update could be implemented as early as the end of October. Furthermore, its offer to limit targeted, personalised ads to users who opt-in is a significant step beyond their current policy, which only allows users to opt-out of such ads after completing a lengthy form. Should the EU accept the proposal and a large number of users decline targeted ads, Meta's revenue could be affected as their systems would have fewer signals to infer interests and build audiences for ads.

In a statement responding to the reports, NOYB wrote that after more than five years of litigation and decisions by the EDPB and CJEU, Meta has finally agreed to comply with EU privacy laws. Whether Meta will apply the requirements for consent under the EU General Data Protection Regulation (GDPR) in full remains to be seen, as the company only committed to a change in the legal basis used “to process certain data for behavioural advertising”. NOYB cautions that this wording could be ambiguous, resulting in business as usual. They claim the term “behavioural advertising” is not defined by the law, making it unclear whether Meta will interpret a person’s age or location as behaviour. Should the GDPR not be fully implemented, NOYB said it would commence further litigation. 

Max Schrems, NOYB honorary chair, said, "We will see if Meta is actually applying the consent requirement to all use of personal data for ads. So far they talk about 'highly personalised' or "behavioural' ads and it's unclear what this means. The GDPR covered all types of personalisation, also on things like your age, which is not a 'behaviour'."

After taking a day to consider the announcement, on Wednesday, the UK Information Commissioner's Office (ICO) issued a statement. Stephen Almond, Executive Director of Regulatory Risk, said that the ICO is closely monitoring Meta's actions regarding obtaining user consent for behavioural advertising in the EU while excluding the UK. Almond confirmed the ICO is "assessing what this means for information rights of people in the UK and considering an appropriate response." 

The ICO's statement was reported in The Guardian (main article) and TechCrunch, with the latter highlighting that the UK regulator was clearly unimpressed by Meta's reluctance to show UK users the same level of respect for their data rights as people in the EU, EEA and Switzerland. TechCrunch remarks that the situation looks particularly awkward for the ICO in that post-Brexit Meta has calculated it doesn’t have to offer the same concessions to the UK as its European counterparts despite "on paper" having an equivalent privacy regime. 

The crux of the matter appears that without the "protective shielding" of the CJEU, the ICO is beginning to realise that the "defence of domestic data protection rules now falls squarely on its shoulders."