EU Regulator Penalizes Meta with $400 Million Fine for Coercing Users to Accept Targeted Ads

Facebook's parent company, Meta, was fined more than $400 million by the Irish privacy regulator on Wednesday for violating EU privacy laws with its advertising and data handling practices.

The Irish Data Protection Commission has ordered Meta to pay two fines totaling 390 million euros ($444.5 million) for violating the European Union’s General Data Protection Regulation (GDPR). This is the largest fine ever imposed by the Commission for GDPR violations.

The total amount of the penalties is 390 million euros ($414 million).The fines imposed on Meta by the Irish regulator mark the conclusion of two lengthy investigations. The DPC had been criticized for delays in the process, but began investigating the company on May 25, 2018, the day the EU’s GDPR came into effect.

The GDPR imposes strict requirements on companies that process people's information. Companies that violate the rules may be subject to penalties of up to 4% of global annual revenues.

The DPC ruled on Wednesday that Meta must bring its data processing operations into compliance within three months. The DPC is the lead regulatory authority for Meta and several other U.S. tech giants that have their headquarters in Ireland.

Meta, which changed its name from Facebook in 2021, said in a statement Wednesday that it planned to appeal the ruling. The decision does not amount to a ban on personalized advertising and businesses can continue using Meta’s platforms to target users with ads, it added.

Meta plans to appeal a ruling that was handed down Wednesday. The ruling does not ban personalized advertising, and businesses can continue using Meta's platforms to target ads to users. Meta made these statements in a Wednesday statement.

A spokesperson for Meta told CNBC that the suggestion that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect.

"This issue has been lacking in regulatory clarity for some time, and the debate among regulators and policymakers over which legal basis is most appropriate in given situations has been ongoing," the spokesperson said.

We strongly disagree with the DPC's final decision on behavioural ads, and believe that we are in full compliance with GDPR by relying on Contractual Necessity. Given the nature of our services, we will appeal the substance of the decision.

Previously, Meta relied on a user’s consent to process their information for the purposes of behavioral ads. However, after the entry into force of the GDPR, the company changed the terms of service for Facebook and Instagram, and switched the legal basis upon which it processes that information to something called "contractual necessity."

In 2015, Max Schrems, an Austrian privacy activist, submitted a complaint alleging that Facebook's change to its terms of service forced users to accept the processing of their information for ad targeting in exchange for use of the platform.

Schrems said in a statement Wednesday that the DPC's decision means that Meta will have to develop a version of its apps that doesn't use personal data for advertising within three months.

He said that Meta would still be allowed to ask users for consent to ads with a “yes/no” option.

This is a huge setback for Meta's profits in the EU, according to Schrems. He says that people now need to be given the option of whether or not they want their data to be used for advertising purposes, and that they should be able to change their mind at any time. The decision also levels the playing field for other advertisers who also need to obtain consent from users.

In December, the European Data Protection Board (EDPB) ruled that Meta was not entitled to rely on contracts as a legal basis for processing user data for targeted ads. This effectively means that Meta's advertising practices are illegal under EU law.

After that move, the DPC said it found that Meta was not entitled to rely on the "contract" legal basis for delivering behavioural advertising as part of its Facebook and Instagram services. It also said that Meta's processing of users' data to date, in purported reliance on the "contract" legal basis, violates Article 6 of the GDPR.

The fines imposed by the DPC were substantially higher than those proposed in a draft decision in October, in which the regulator suggested a levy of between 28 million and 36 million euros.