For many years now, EFF has argued that pervasive online behavioral surveillance, which powers the exploitative data broker industry as well as some of the largest online tech companies, should be banned. Companies should voluntarily make these changes to benefit their users, but EFF also strongly supports legislation that would require businesses to get consumers’ opt-in consent before collecting and processing this private behavioral data. Such legislation has stalled in the U.S. However, years after the General Data Protection Regulation, was made law in the European Union, Meta (Facebook)—one of the largest collectors of behavioral data in the world—has announced what could be a major step toward ending its behavioral advertising without opt-in consent.
This is, of course, not Meta’s choice. They sidestepped the GDPR using Terms of Service trickery for as long as they could. Later, Meta bypassed legal constraints by arguing that the personalization of content and advertising was necessary to provide an agreed-upon service to users. When this became untenable, they circumvented the consent requirement by asserting that the company had a legitimate interest in showing targeted ads.
While we welcome this shift, the company deserves few accolades
But as they write in today’s announcement, recent court interpretations of the GDPR, as well as the incoming Digital Markets Act (DMA), have forced their hand.
Implementation Matters
Meta’s announcement states that in the EU, the European Economic Area, and Switzerland, the company will “change the legal basis that [it uses] to process certain data for behavioural advertising… from ‘Legitimate Interests’ to ‘Consent’.” In practice, it’s not clear what this means yet. The company says that “advertisers will still be able to run personalised advertising campaigns to reach potential customers,” and it must consult with the regulators on implementation. Perhaps Meta will say that it can keep doing what it has been doing on grounds of an implausible claim that users have already consented. A more straightforward interpretation of the law and court rulings would require the company to turn OFF behavioral data collection for affected users, and only turn it back on if users have been given clear consent options, and make an informed and voluntary choice to have their data collected.
While we welcome this shift, the company deserves few accolades. Meta fought these laws. Now that it’s lost that battle, it is only making this change for its European users because it otherwise would likely face significant new fines (on top of a $1.3 billion fine already levied against it for another GDPR violation).
Opt-in consent to collect, retain, disclose, or use a person’s data is at the core of the GDPR. It’s good to see the law having a (potentially) significant impact, even if it’s been seven years since it passed. Given how long it took for the GDPR to have this impact, lawmakers in the rest of the world must act swiftly to pass their own comprehensive consumer privacy legislation.
Meta says it will need time to discuss these changes with regulators, and it will need three months or longer to let users choose whether to allow the company to use behavioral ads. Until we know how the company plans to ask for that consent, and how it will interpret those answers, we should remain cautious about declaring victory.