Ireland’s privacy regulator has issued a fine of €390 million, or about $414 million, to Meta Platforms Inc. over the way the company collects user data for advertising purposes. 

The Data Protection Commission announced the fine today. Additionally, the DPC ruled that Meta must bring its advertising practices into compliance with privacy rules within three months.

Meta collects data about user activity on Facebook and Instagram to help it deliver behavioral ads, or ads that are customized for consumers’ interests. Under the European Union’s GDPR privacy law, a company can only collect such data if certain legal requirements are met. The €390 million fine that the DPC has ordered Meta to pay was issued in connection with those legal requirements. 

Under GDPR, a company can use personal data for behavioral advertising purposes if it receives users’ consent to collect their information. Additionally, companies may collect such information if doing so is necessary for the performance of a contract. Meta argues that its data collection practices fall into the latter category and are therefore allowed under GDPR. 

The DPC sided with the company in an initial draft decision. But the matter was later referred to the EDPB, a board of EU data protection regulators, which rejected Meta’s argument. The EDPB determined that Meta’s collection of personal information isn’t necessary to the performance of a contract as the company claims, which means the practice has no legal basis.

In addition to fining Meta, today’s ruling requires it to find a different legal basis for collecting user information. One way the company could comply with GDPR is by asking users for permission to access their data.

Such a change has the potential to hurt Meta’s revenue. If a significant number of users were to opt out of data collection, the company may find it more difficult to deliver personalized ads. According to the Wall Street Journal, it’s believed that Meta’s ad prices could fall up to 20% in such a scenario.

In a blog post, Meta argued that the ruling won’t necessarily require it to receive users’ permission to collect data. “The suggestion that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect,” the company stated. Meta added that it plans to appeal the ruling.

The legal basis of the company’s advertising practices was one of two factors behind the €390 million fine it has received. The other was the way Meta informed users about its data collection methods. Officials determined that “users had insufficient clarity as to what processing operations were being carried out on their personal data” and for what purpose.

The fine is the latest in a series of penalties that Meta has received since the start of 2021 for failing to comply with GDPR privacy requirements. The combined value of the fines amounts to nearly $1.4 billion. 

Photo: Nokia621/Wikimedia Commons