A Paradigm Shift in Behavioural Advertising

In a significant move, Meta, the company behind Facebook, has announced a change in its data processing approach for behavioural advertising in the EU/EEA region. This decision comes after facing extensive litigation and regulatory pressure from multiple European authorities including the Norwegian Data Protection Authority (DPA), the German Kartellamt, the EDPB, and the CJEU. As a result, Meta will be shifting its lawful basis for behavioural advertising from legitimate interests to consent, but with a notable exclusion – UK users.

The Background

Under the EU General Data Protection Regulation (GDPR), companies must have a lawful basis for processing personal data. One commonly used basis is “legitimate interests,” which allows data processing if a genuine and legitimate reason exists and it does not outweigh individuals’ rights and freedoms.

However, behavioural advertising, which relies on personal data to target ads based on user behaviour, has raised privacy concerns and faced scrutiny from regulators on the basis that legitimate interests is an insufficient basis to target ads toward users.

The Change: From Legitimate Interests to Consent

In response to 5 years’ worth of legal challenges and regulatory pressure, Meta will change its legal basis for processing users’ personal data for behavioural advertising within the EU/EEA. Instead of relying on legitimate interests, the company will now require explicit consent for this type of advertising.

The decision follows substantial legal actions against Meta. The Irish Data Protection Authority fined the company €400 million in January 2023, confirming in its decision that legitimate interest couldn’t justify data processing for behavioural advertising.

Meta has chosen to exclude UK users from this change, despite the UK still being subject to its UK GDPR. This has put the UK’s data protection regulator, the Information Commissioner’s Office (ICO), in a challenging position, as the defence of domestic data protection rules now rests solely on its shoulders without binding support from the Court of Justice of the EU (CJEU).

Impact and Implications

The implications of this change for Meta and its users in the EU/EEA are significant:

• Enhanced Privacy Protection: Users within the EU/EEA will have more control over their personal data, and Meta must ensure clear and unambiguous consent is obtained before engaging in behavioural advertising.
• Compliance Challenges: Transitioning to consent may present technical and operational challenges for Meta in obtaining and managing user consent.
• Potential Revenue Impact: With a more stringent consent requirement, some users may choose not to opt-in for behavioural advertising, potentially affecting Meta’s advertising revenue within the EU/EEA.

As for UK users, they will not be given the same level of respect for their data rights as users in the EU/EEA, as Meta continues to rely on legitimate interests for ad tracking. UK users were moved from the company’s Irish subsidiary to its US user agreements earlier this year.

Looking Ahead

The shift to consent as a legal basis marks a significant change for Meta’s advertising practices in the EU/EEA region. The company’s decision underscores the increasing demands for privacy protection by European regulators and the need for businesses to adapt their data processing practices.

While this change currently applies only to behavioural advertising, businesses operating in the EU/EEA and the UK should closely monitor further developments and ensure they comply with the evolving data protection landscape. The ICO must also consider its response to Meta’s exclusion of UK users from obtaining consent for ad tracking, as this decision puts the responsibility of enforcing UK data protection law solely in its hands.