Meta’s targeted advertising model faces restrictions in Europe | Popgen Tech

The new EU decisions can be appealed, which could lead to them being suspended pending potentially lengthy litigation. However, if upheld, they could make it harder for Meta and other platforms to show users ads based on what they type and view within those platforms’ own apps. For years, Meta has allowed users to opt out of personalizing ads based on data from other websites and apps. But it didn’t offer such an option for ads based on data about user activity on its own platforms — like what videos an Instagram user watches.

If any significant portion of its users opt out of such targeting, Facebook and Instagram will end up with less information to build audiences for the personalized ads that analysts and people close to the company say make up the bulk of its revenue.

The council’s rulings on Monday, which have not yet been made public, do not directly order Meta to change practices, but rather call for Ireland’s Data Protection Commission to issue public orders reflecting its decisions, along with significant fines, the people said. added. Ireland is Meta’s most important privacy regulator in the bloc, as it is where Meta’s European headquarters are based.

Meta will also be able to appeal the Irish decision, as well as the EU decision.

“This is not the final decision and it is too early to speculate,” a spokesperson for Meta said, adding that EU law may allow other legal justifications to target its ads. “We have engaged fully with the DPC regarding their inquiries and will continue to engage with them as they finalize their decision.”

The company has previously argued that tailoring the ads it sells based on data it has about users’ online behavior is an essential part of the personalized service it offers. It also said it has options for users to control how it uses their data.

A spokesman for Ireland’s Data Protection Commission said it would be inappropriate to comment on the content of the decisions. A spokesman for the European Data Protection Board, the body representing all EU privacy regulators, confirmed that the board had made decisions on Monday but declined to comment on their content.

An eventual decision from the Irish Data Protection Commission is unlikely to specify how Meta must comply. But if the ruling is upheld, it could lead to Meta asking users for consent to targeted ads, or offering them an opt-out. The company declined to say what it might do.

Any impact from the decision would come on top of the revenue Meta took in at Apple Inc.

last year required iPhone app developers to ask users if they wanted their usage tracked. Many iPhone users dismissed that tracking, cutting Meta off from a significant source of data it used to target ads. The company said the change reduced its revenue by 8% in 2021, and the company is still grappling with its impact.

The EU decisions show what privacy lawyers describe as a growing willingness by the bloc’s regulators to rein in what is often called “behavioral advertising.” That business, worth tens of billions of dollars a year, involves showing users digital ads that are targeted based on profiles and inferences made from those users’ digital activity on apps and websites.

A new privacy law in California also allows users to opt out of what it calls cross-contextual behavioral advertising, said Dominique Shelton Leipzig, cybersecurity and data privacy partner at Mayer Brown. “What we are seeing now is a more intensified approach from regulators to behavioral tracking,” Ms. Shelton Leipzig said last month.

The EU’s General Data Protection Regulation became enforceable in 2018, and enforcement has increased over the past year and a half. Amazon.com Inc.

was fined about $786 million in Luxembourg last year for violations related to its advertising, a decision it is appealing.

Ireland has fined Meta more than $900 million in four other cases in the past 15 months, and currently has 10 additional inquiries into the company. Meta is still appealing two of those decisions and is considering an appeal in the most recent one. The company’s Irish subsidiary allocated nearly 3 billion euros, or about $3.15 billion, in EU privacy fines as of Dec. 31, 2021, up €1.97 billion from a year earlier, according to a recent Irish corporate filing.

In the Meta decisions, a concept called contractual necessity is at issue. The GDPR mostly prohibits companies from forcing users to hand over personal information to use their services. One exception is when that information is needed to perform a contract: A food delivery app needs your home address to deliver the pizza you ordered.

Meta decided to rely on that contractual provision of the GDPR when it went into effect in 2018, leading to complaints from Austrian privacy activist Max Schrems. The Irish privacy regulator initially agreed with Meta that the company could use that provision of the GDPR, according to a copy of one of its draft decisions leaked last year.

But at least 10 EU privacy regulators had objections to his decisions. Their disputes ended up before the EDPB, of which all EU privacy regulators are members. The board overruled Ireland’s stance on behavioral advertising and ordered it to issue dissuasive fines, the people familiar with the decisions said.

The EDPB has overruled decisions, including from Ireland previously, and is emerging as its own force in European privacy enforcement. The board, which has a staff that helps research and write its decisions, recently said it needs more resources.

Some lawyers representing companies say the EU’s privacy enforcement through the EDPB may go too far. “The direction of travel seems to be a more absolutist and draconian interpretation of GDPR,” Ross McKean, a privacy lawyer at DLA Piper, said ahead of the EU decisions.

Write to Sam Schechner at Sam.Schechner@wsj.com