Big news! Meta, the parent company behind Facebook and Instagram, is facing a European ban against using the legal bases of “contract” and “legitimate interest” in the context of their profiling activities for advertising purposes.
In other words, European regulators are demanding that Meta ban personalized ads for Facebook and Instagram users, because those ads rely on its users’ personal data.
Indeed, by using Facebook and Instagram, you as a user often give up your personal data to Meta, usually without realizing it. Meta, in turn, uses that data to resell to advertisers so that they can send targeted ads on their behalf.
Norway’s data protection authority, Datatilsynet, had referred that question to the EDPB, which responded.
Meta’s Alternative to Personalized Ads
Meta cannot have been completely surprised. After all, it had been working for some time on an alternative model based on the increasingly popular “Pay or OK” principle.
In that model, Meta offers you a choice on its platforms: either you pay for access or you consent to their profiling activities.
This approach was adopted from the media world, where this model is already regularly used, especially in Germany and Austria. There are two main differences between the existing “Pay or OK” models and how Meta intends to apply it:
- In the media world, users have not spent the last decade building a presence on a platform that (until a few years back) announced it would always remain free. How free is the permission/choice to suddenly have to pay or be profiled?
- The amount that Meta proposes (between 10 and 13 euros per month) is almost double the amount of other examples from the media world, and really, all you get in return is the ability to access your own data and that of others without being profiled, unlike a journalistic product such as an online newspaper.
My organization advertises on Meta. What should I do as a Data Protection Officer?
The legal tussle now arising between Meta, European authorities, and organizations such as NOYB is, of course, not the battleground of the Data Protection Officer (DPO). Still, several issues in this discussion are relevant to the DPO because many organizations do business with Meta.
Let’s have a look at them:
- When you start sharing data with Meta (retargeting, custom audiences, Meta pixel), in many cases, you are joint data controllers. That means your organization also has obligations. The most important one here is transparency to the user, so include appropriate disclosures in your privacy statement.
- Communicate to internal teams working with Meta tools that they should also pay attention to targeting: the criteria used to select people for advertising can also be sensitive.
- Particularly with technology like tracking pixels: are there certain parts of the website or application where that pixel should not be? Think of pages where data is provided via forms, or pages where recording the visit can already be sensitive. A classic example: someone visiting a page titled “How do I tell my partner I’m HIV positive?” will prefer not to see that visit recorded by Meta.
- Last but not least, question the use of Meta’s services: is Meta Pixel really necessary? Should we advertise through Meta?