Asking for permission isn’t just polite; it’s legally required.
European regulators are losing their patience with companies that attempt to use legitimate interest as their legal basis for processing personal data.
Under GDPR, legitimate interest allows companies, in certain cases, to process personal data without consent so long as it’s collected legally and there’s a justifiable reason for its use.
You can talk about the “value exchange” of personalized advertising until you’re blue in the face, but targeting people with ads ain’t one of those cases.
Meta is learning this the hard way.
Not too legit
Until earlier this year, Meta relied on a provision under GDPR called “contractual necessity” as its legal basis for data processing.
Users were previously required to agree to ad tracking as part of Meta’s terms of service, effectively forcing anyone who wanted to use one of its apps to accept tracking by default. (It’s not possible to use any of Meta’s apps without first agreeing to terms and conditions.)
Ireland’s data protection authority, which is considered business friendly, initially gave its blessing to this approach. But the Irish reversed course in January after the European Data Protection Board (EDPB) ruled that bundling consent for tracking into terms of service is illegal under GDPR. The EDPB also fined Meta roughly $414 million.
Considering that Meta generated $31.5 billion in advertising revenue last quarter, $414 million is a rounding error for them.
But the implications of the EDPB’s ruling are far more significant than the fine.
When contractual necessity went out the window, Meta changed its legal basis for personalized advertising to legitimate interest and created an unwieldy online form that people could use to opt out of targeted ads.
That didn’t cut the mustard either. In early July, the Court of Justice – the EU’s highest court – ruled that legitimate interest isn’t an appropriate legal basis in this case.
The upshot: Meta needs consent if it wants to process data for personalized advertising in Europe.
Permission … please?
The Wall Street Journal reported earlier this week that Meta does plan to start getting permission from users in the EU before showing targeted ads on Facebook and Instagram.
It’s a huge development with major implications for all businesses, not just Meta.
“US-based companies – whether we’re talking about publishers, platforms or advertisers – must pay attention to consent,” said Cillian Kieran, CEO and co-founder of privacy compliance startup Ethyca. “They’d do well to implement reliable, auditable consent records with a positive end-user experience to show that they’re keeping up with growing regulatory demands.”
Emphasis on the “positive user experience.”
Consent under GDPR must be unambiguous, freely given, specific and informed. In other words, attempting to hide consent requests within a dark design pattern isn’t a legal way forward.
And so the $414 million-dollar question – actually, make that the $7.268 billion-dollar question (that’s how much ad revenue Meta generated in Europe in Q2 alone) – is: How can companies ask for ad tracking consent in a manner whereby people will actually say yes?
“We’ve seen many users become more sensitive to how their data is being used, with increasing awareness of how they can manage their privacy choices,” said Rachael Ormiston, head of privacy at compliance platform Osano. “It’s hard to predict, but I would imagine it’s a very real possibility that Meta will see poor opt-in rates.”
People need a reason to opt in. And it’s difficult to imagine anyone doing so, Kieran said, “unless it’s imperative to the product experience.”
We’ll have to wait and see whether Meta eventually shares its opt-in rate once it starts asking for tracking consent. In the meantime, Meta’s long road to permission (and perdition?) is “proof that regulations do have teeth,” Kieran said.
“While the wheels of the justice system turn slowly, they do turn,” he said. “In three to five years, I expect that data processing will be a highly regulated industry – and that will simply be the cost of doing business.”