Meta was fined $410 million (€390 million) because it didn’t follow EU data protection rules.
Meta’s request to use people’s information for ads on Facebook and Instagram was denied by the Irish Data Protection Commission (DPC).
Meta, which runs both sites, has three months to change how it collects and uses data to make ads more relevant.
Meta says it is “disappointed” with the decision and plans to appeal it, saying that it does not limit targeted advertising on its platforms.
According to the authority, Facebook and Instagram are not permitted to “force consent” by pressuring users to agree on how their data is handled or leave the platform.
The DPC ensures that Facebook and Instagram comply with EU data protection legislation because their European headquarters are in Ireland.
Privacy experts laud the ruling as a watershed moment because it requires Meta to give people true control over how their data is used to target online adverts.
Meta will have to adjust the way a critical portion of its business operates as a result.
In 2021, advertising will produce more than $118 billion (£97.8 billion) in revenue for the company.
The fine is the watchdog’s second significant penalty in recent months.
In November, the DPC penalized Facebook €265 million (£228 million) for a data breach that exposed the personal information of hundreds of millions of Facebook users online.
According to the Irish Times, Meta has set aside €2 billion (£1.7 billion) to cover expected European fines in 2023.
New laws, new issues
Facebook and Instagram needed users to click “I accept” to certify that they consented to update the terms of service, which specified how personal data would be used in advertisements, to comply with GDPR.
Users who were rejected were barred from using Facebook or Instagram.
The complainants claimed that Meta was “forcing” people to accept their data being used in targeted adverts, violating the GDPR.
According to Meta’s executives, Facebook and Instagram are “inherently individualized,” and targeted ads are an “essential and important component” of how the networks work.
They said that Meta was not issuing an ultimatum to users and that the platforms would be unable to function if data for advertising was not used.
On the other hand, the DPC concluded that this was not the case and that users were required to consent.
The DPC also believes Meta should be more forthcoming with users about how and why it uses their data.
The decision, however, was made only after considerable consultation with other European data groups.
In December, the European Data Protection Board resolved this.
According to Meta’s representatives, the company intends to contest the amount of the fines levied “since authorities disagreed on this matter.”
Rather than requiring customers to accept how the organization uses data, the firm claims that it provides them with various tools to regulate how their data is utilized.
Meta to pay $725m to settle the Cambridge Analytica scandal
Late last year, Meta, Facebook’s owner, agreed to pay $725 million (£600 million) to settle legal action relating to a data breach linked to political consultancy Cambridge Analytica.
In the long-running battle, Facebook was accused of providing access to users’ personal information to third parties, including the British firm.
According to lawyers, the proposed award is the largest in a data privacy class action in the United States.
Meta did not admit wrongdoing and insisted that its privacy policies had been “revamped” in the previous three years.
According to the firm, the deal was “in the best interests of our community and stockholders.”
The lawsuit was brought on behalf of a large proposed class of Facebook users whose personal information was shared with other parties on the social network without their permission.
According to the judgment document, the class size is “250-280 million” people, and it includes all Facebook users in the United States from May 24, 2007, through December 22, 2022.
How the claimants will receive their part of the settlement still needs to be determined.
The settlement hearing has been scheduled for March 2, 2023.
Third-party apps collecting personal information from Facebook users were at the heart of the 2018 Cambridge Analytica privacy controversy.
In 2016, the now-defunct consultancy firm assisted Donald Trump’s successful presidential campaign by profiling and targeting voters using personal information from millions of US Facebook users.
Without the users’ knowledge, the data was taken via a researcher who had been granted permission by Facebook to install an app on the network that copied data from millions of its users.
Facebook believes that around 87 million people’s data was inappropriately shared with the political consulting firm.
The uproar prompted governmental examinations into Facebook’s privacy practices, which resulted in lawsuits and a high-profile US congressional hearing during which Meta CEO Mark Zuckerberg was interrogated.
In 2019, Facebook agreed to pay $5 billion to settle an FTC investigation into its privacy practices.
Furthermore, the internet giant agreed to pay a $100 million settlement to the US Securities and Exchange Commission in response to charges that it misled investors about the misuse of consumers’ data.
State attorney general investigations are underway, and the company is challenging a legal action initiated by Washington, DC, attorney general.