Personalized advertising – the latest GDPR fine against Meta



Donata Stroink-Skillrud

Co-founder and President of Termageddon

Ever since the Cambridge Analytica scandal, Meta (formerly known as Facebook) has been in the crosshairs of privacy law enforcement actions, with groundbreaking fines being issued. The latest fine of €390 million was issued by Ireland’s Data Protection Commission for violations of the European Union’s General Data Protection Regulation (GDPR). If you are a proprietor of a small business, you may be thinking that you are in no danger of receiving such fines since you are not processing the personal data of millions of individuals. However, it is important to note that plenty of small businesses have been fined for GDPR non-compliance and, if you are engaging in personalized advertising, the lessons learned from this enforcement action can help you avoid fines in the future. In this article, we will discuss this enforcement action and some steps that you can take to avoid making the same mistakes.

Does GDPR apply to you? 

The fine issued by Ireland’s Data Protection Commission was for non-compliance with GDPR so it is important to first determine whether GDPR applies to you. GDPR applies to you if you: 

  • Process personal data in the context of your establishment in the European Union, regardless of whether the actual processing takes place in the European Union; 
  • Offer goods or services to individuals located in the European Union, regardless of your location; 
  • Monitor the behavior of residents of the European Union, regardless of your location; 
  • Process personal data where European Member State law applies by virtue of public international law, regardless of your location. 

GDPR was enacted to protect the privacy of residents of the European Union and, as you can see from the above, you do not actually have to be located in the European Union for this privacy law to apply to you. 

Do you engage in personalized advertising? 

This fine was issued due to non-compliance with GDPR in the context of personalized advertising (sometimes also called targeted or behavioral advertising). Personalized advertising is the act of using insights into who a customer is to increase the relevance of an advertisement. For example, if a company knows that Joe recently bought a new car, they may show ads for car washes to Joe as there is a high likelihood that Joe would want to keep his new car nice and clean. Companies often engage in personalized advertising on platforms such as Facebook, Instagram, LinkedIn or Twitter to improve their advertising return on investment. However, such ads collect and use a lot of personal data about an individual such as their names, email addresses, IP addresses, purchasing history, likes and dislikes so it is important to comply with applicable privacy laws when engaging in such advertising. 

GDPR legal bases

Lastly, the fine issued against Meta turned on the legal basis used to process personal data for personalized advertising. One fundamental principle of GDPR is that you cannot process personal data unless an exception, called a legal basis, applies. Data controllers can choose from the following legal bases to process personal data:

  1. The individual has provided consent to the processing of their personal data (e.g. an individual agreed to receive email newsletters by agreeing to your Privacy Policy when subscribing to that newsletter); 
  2. Processing is necessary for compliance with a contract (e.g. you need to process the individual’s home address to ship them the shoes that they purchased from you) or to take steps that the individual requested prior to entering into a contract (e.g. you need to process the individual’s email address to send them a quote that they requested); 
  3. Processing is necessary for compliance with a legal obligation (e.g. you need to process the individual’s address to accurately calculate how much sales tax to charge them); 
  4. Processing is necessary in order to protect the vital interests of the individual or of another person (e.g. you need to process an individual’s location to see who they came into contact with to limit the spread of a disease); 
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (e.g. the police need to process an individual’s address to arrest them for a crime); 
  6. Processing is necessary for the purposes of the legitimate interest pursued by the controller or by a third party. 

While some legal bases overlap and there is some debate over what legal basis is appropriate for certain processing activities, it is important to note that if you process personal data under the consent legal basis, individuals can withdraw their consent at any time, which would stop that processing. 

The Meta GDPR fine

In this instance, right at the time of the effective date of GDPR, Meta required users to agree to an updated Terms of Service. If users did not agree to the updated Terms of Service, they would no longer be able to access their Facebook account. The Terms of Service included a provision that required users to agree to the processing of their personal data for personalized services and behavioral advertising. 

The complaint initially stated that this practice was in violation of consent principles. However, Ireland’s Data Protection Commission stated that Facebook did not rely on consent as the legal basis so the violation could not be sustained. After this decision was published, 47 other Supervisory Authorities wrote letters to Ireland’s Data Protection Commission stating that they disagreed with this decision and that Meta should not be allowed to use the contract legal basis for processing personal data for personalized advertising.

The reversal of the first decision found that Meta used the contract legal basis to send personalized advertisements to these individuals. Ireland’s Data Protection Commission found that Meta “was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purpose of targeted advertising” and thus fined Meta for GDPR violations. While it still remains to be seen whether this decision is appealed, the verdict for now is that the contract legal basis cannot be used for personalized advertising. 

What does this decision mean for you? 

If GDPR applies to you and you engage in personalized advertising, you should consider the following: 

  1. Remove privacy information and any requirement to process personal data for personalized advertising from your Terms of Service. Instead, include all privacy information in your Privacy Policy;
  2. Allow individuals to choose whether or not they would like to receive personalized ads. You can achieve this through your Privacy Policy and cookie consent banner;
  3. Ensure that the legal bases in your Privacy Policy are correct and consider switching to the consent legal basis. If you are using the Termageddon Privacy Policy generator, you can change the legal basis for the processing of personal data on page 2 of the Privacy Policy questionnaire under “legal bases under which you process this information”:

A screenshot of the Termageddon dashboard showing where this selection can be made.
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
