Meta will soon be forced to seek European users’ consent before using their personal information to deliver those users targeted advertisements on Facebook and Instagram.
A European Union-wide ban announced Wednesday dealing with Meta’s handling of user data proposes blanket restrictions which could be finalized as soon as late next week.
It’s just the latest clampdown on Meta’s business model in Europe, where the company has struggled to align its advertising operations with EU privacy regulations. And it comes just as Meta moves to implement a subscription model in the EU for users who do not consent to having personally tailored ads as part of their Instagram or Facebook experiences.
The restrictions were announced by the European Data Protection Board (EDPB), a group of EU data regulators representing numerous countries in the bloc.
Under EU rules known as the General Data Protection Regulation (GDPR), Meta must cite one of several specific legal justifications in order to collect and use people’s personal data for advertising.
Meta had previously argued that its data practices were justifiable under GDPR because it enters into a type of contract with users that it must fulfill when they agree to its terms of service. Alternatively, Meta had said, the practices were justifiable because Meta had a “legitimate interest” in processing user data to carry out its business activities.
In July, the EU’s top court found neither justification to be persuasive, but recognized subscription models as one method for websites to differentiate consenting users from non-consenting users.
Meta’s move to implement a subscription model for its platforms was a recognition of that ruling, and an effort to comply with GDPR, a Meta spokesperson said in a statement.
“Meta has already announced that we will give people in the EU and [European Economic Area] the opportunity to consent and, in November, will offer a subscriptions model to comply with regulatory requirements,” the spokesperson said. “EDPB members have been aware of this plan for weeks and we were already fully engaged with them to arrive at a satisfactory outcome for all parties.”
The EDPB decision, which was reached on Oct. 27, formally bars Meta from citing the earlier legal justifications, leaving “consent” as one of the company’s only remaining options for using personal information for advertising while still complying with the GDPR.
It directs the Irish Data Protection Commission, Meta’s primary privacy regulator in Europe, to issue a final rule on the matter by Nov. 10.
“It is high time for Meta to bring its processing into compliance and to stop unlawful processing,” said Anu Talus, chair of the EDPB, in a statement.