Meta suffered a major defeat on Wednesday that could severely undercut its Facebook and Instagram advertising business after European Union regulators found it had illegally forced users to effectively accept personalized ads.
The decision, including a fine of 390 million euros ($414 million), has the potential to require Meta to make costly changes to its advertising-based business in the European Union, one of its largest markets.
The ruling is one of the most consequential judgments since the 27-nation bloc, home to roughly 450 million people, enacted a landmark data-privacy law aimed at restricting the ability of Facebook and other companies from collecting information about users without their prior consent. The law took effect in 2018.
The case hinges on how Meta receives legal permission from users to collect their data for personalized advertising. The company includes language in its terms of service agreement, the very lengthy statement that users must accept before accessing services like Facebook, Instagram and WhatsApp, that effectively means users must allow their data to be used for personalized ads or stop using Meta’s social media services altogether.
Ireland’s data privacy board, which serves as Meta’s main regulator in the E.U. because the company’s European headquarters are in Dublin, said E.U. authorities determined that placing the legal consent within the terms of service essentially forced users to accept personalized ads, violating the European law known as the General Data Protection Regulation, or G.D.P.R.
Meta has three months to outline how it will comply with the ruling. The decision does not specify what the company must do, but it could result in Meta allowing users to choose whether they want their data used for such targeted promotions.
If a large number of users choose not to share their data, it would cut off one of the most valuable parts of Meta’s business. Information about a user’s digital history — such as what videos on Instagram prompt a person to stop scrolling, or what types of links a person clicks when browsing their Facebook feeds — is used by marketers to get ads in front of people who are the most likely to buy. The practices helped Meta generate $118 billion in revenue in 2021.
The judgment puts 5 to 7 percent of Meta’s overall advertising revenue at risk, according to Dan Ives, an analyst at Wedbush Securities. “This could be a major gut punch,” he said.
The penalty contrasts with regulations in the United States, where there is no federal data privacy law and only a few states like California have taken steps to create rules similar to those in the E.U. But any changes that Meta makes as a result of the ruling could affect users in the United States; many tech companies apply E.U. rules globally because that is easier to implement than limiting them to Europe.
The E.U. judgment is the latest business headwind facing Meta, which was already grappling with a major drop in advertising revenue because of a change made by Apple in 2021 that gave iPhone users the ability to choose whether advertisers could track them. Meta said last year that Apple’s changes would cost it about $10 billion in 2022, with consumer surveys suggesting that a clear majority of users have blocked tracking.
Meta’s struggles come as it is attempting to diversify its business from social media to the virtual reality world known as the metaverse. The company’s stock price has plummeted more than 60 percent in the past year, and it has laid off thousands of employees.
Wednesday’s announcement relates to two complaints filed against Meta in 2018. Meta said it would appeal the decision, setting up what could be a prolonged legal fight that will test the power of the G.D.P.R. and how aggressively regulators use the law to force companies to change their business practices.
“We strongly believe our approach respects G.D.P.R., and we’re therefore disappointed by these decisions,” Facebook said in a statement.
The result was hailed by privacy groups as a long-overdue response to companies gobbling up as much data as possible about people online in order to deliver personalized ads. But the more than four years it took to reach a decision was also seen by critics as a sign that enforcement of the G.D.P.R. is weak and slow.
“European enforcement has not yet delivered on the promise of the G.D.P.R.,” said Johnny Ryan, a privacy rights activists who is a senior fellow at the Irish Council for Civil Liberties. The judgment signals that “Big Tech may be in for a far bumpier ride.”
Within the European Union, there has been disagreement about how to enforce the G.D.P.R. Irish authorities said they initially ruled that Meta’s use of terms of service for permission was legally sufficient to comply with the law, but they were overruled by a board made of up representatives from all E.U. countries.
“There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal basis is most appropriate in a given situation has been ongoing for some time,” Meta said in its statement.
Helen Dixon, the head of Ireland’s Data Protection Commission, said regulators must be an “honest broker” and not give in to demands from privacy activists who are pushing for rulings that will not stand up to legal challenges.
“We won’t achieve results by simply seeking to rewrite the G.D.P.R. as we would have liked to have seen it written,” Ms. Dixon said in an interview.
There are some signs in the E.U. of a broader, stepped-up effort to crack down on the world’s largest tech companies. New E.U. laws were passed last year aimed at stopping anticompetitive practices in the tech industry and forcing social media companies to more aggressively police user-generated content on their platforms. Last month, Amazon agreed to make key changes to how products are sold on its platform as part of a settlement with E.U. regulators to avoid antitrust charges.
In November, Meta was fined roughly $275 million by Irish authorities for a data leak discovered last year that led to the personal information of more than 500 million Facebook users being published online.
In 2023, the European Union’s top court, the European Court of Justice, is also expected to rule on cases that could lead to more changes to Meta’s data-collection practices.
Yet many believe the enforcement has not matched the rhetoric of E.U. policymakers about strong tech regulation. Max Schrems, an Austrian data-protection activist whose nonprofit organization, NOYB, filed the complaints in 2018 that led to Wednesday’s announcement, said there are thousands of data-protection complaints that still need to be addressed.
“On paper you have all these rights, but in reality the enforcement is just not happening,” he said.