
Does the EDPB's Meta decision ban behavioural advertising without consent?

  • Writer: Adam Smith
  • Dec 4, 2023

Updated: Feb 8, 2024

Much has been made of the European Data Protection Board's (EDPB) urgent binding decision of 27 October 2023 (the Decision), which prevents Meta from relying on the legitimate interests lawful basis to process personal data for behavioural advertising purposes.


The decision undoubtedly is a concern for companies in the adtech sector, with some commentators suggesting that the decision amounts to a ban on the practice without the prior consent of recipients. But is this correct? And what does the decision really mean for other companies seeking to provide more targeted promotions to consumers of online services?


Some background

The EDPB's urgent binding decision is its latest intervention following the Irish Data Protection Commissioner's (DPC) inquiry into two complaints relating to the use of personal data by Meta's Facebook and Instagram platforms under their respective terms of service. The complaints, made on 25 May 2018 - GDPR Day! - alleged that Meta was effectively forcing users to consent to the use of behavioural advertising by requiring users to agree to Facebook/Instagram's terms of service if they wanted to use that platform. While this was rejected by the DPC, the EDPB ultimately decided in its binding decisions of December 2022 that behavioural advertising was not a fundamental part of the service offered to users and thus related data processing could not rely on contractual necessity as a lawful basis.


The December 2022 decisions did not consider reliance on the legitimate interests lawful basis but, given the nature and scope of Meta's targeted advertising activities, Norway's data protection authority, the Datatilsynet, in July imposed an interim ban on Meta's processing for behavioural advertising purposes when relying on that ground. With the interim ban due to expire in early November, the Datatilsynet requested the EDPB to make the ban permanent and apply it across the EEA, which the EDPB did with its Decision.


Understanding the ban

The scale and ubiquity of Meta's social networking services give it unprecedented access to personal data relating to its millions of users' interests and behaviours, both on Meta platforms and on the wider internet. While it is common for companies to track users' viewing habits online through the use of cookies and similar technologies, few if any can combine this tracking information with the vast array of very personal information that users frequently upload to their Facebook and Instagram accounts. This makes for a particularly attractive proposition to prospective customers looking to maximise the reach and impact of finite marketing budgets. Almost by default, however, the sheer size and quality of the data sets Meta has curated create friction with the principles of proportionality and necessity that underpin the GDPR and other EU laws.


Reliance on the legitimate interests lawful basis requires the satisfactory outcome of a legitimate interests assessment, which involves a three-step test:


  1. Does the controller or a third party have a valid purpose ('legitimate interest') for the processing activity?

  2. Is the proposed processing activity necessary for the achievement of that purpose?

  3. Are those legitimate interests outweighed by the competing interests, rights and freedoms of the data subjects?


The necessity point was examined by the EDPB in the December 2022 decisions, albeit in the context of the contractual necessity basis. Here, the EDPB considered whether there were any realistic, less intrusive alternatives to behavioural advertising that would show the processing was not actually necessary. The decisions gave the example of contextual advertising based on geography, language and site content.


Irrespective of the alternatives potentially available, the EDPB also described Meta's behavioural advertising as complex, massive and intrusive, from which we can perhaps infer the EDPB's view that the practice would struggle to satisfy the balancing test.


Does this mean that consent is necessary for all behavioural advertising?

It is important to bear in mind that there is nothing in the text of the EDPB's announcement that suggests the ban imposed on Meta is intended to be applied more broadly. The commentary within the December 2022 decisions serves to highlight the extraordinary nature of Meta's market position and capabilities, many of which appear influential in the decisions and, by extension, may suggest the decisions should not be considered beyond these specific circumstances:

  • Meta is huge, as are its data sets: even with the extensive use of cookies and other web technologies, few if any other companies could hope to have access to such broad and detailed information about their users and website visitors. The Facebook and Instagram platforms are many people's go-to social networks, where they paint a picture of their lives and voice opinions on things that matter to them - very few other online resources attract such intimate sharing.

  • Meta likely collects certain special categories of personal data: a separate Meta case determined by the CJEU, Case C-252/21, looked at Meta's profiling activities in the context of action taken by the Bundeskartellamt (Germany's federal cartel office) over an alleged abuse of a dominant position pertaining to certain data processing activities. Here, the CJEU discussed the potential for Meta to end up tracking users' visits to flirting sites, gay dating sites, political party homepages and health-related websites, that data qualifying as special categories of personal data. In most cases, information about these visits could not be argued to have been 'manifestly made public' by the user, leaving explicit consent as the only applicable Art. 9(2) GDPR condition to validate processing of those special categories.

  • Criticism over insufficient transparency: the CJEU and EDPB have both voiced scepticism over whether the amount of information provided by Meta to users in relation to its behavioural advertising activities is sufficient to lead users to reasonably expect that personal data collected on and off the platforms would be used in such a manner.

  • Everyone has a Facebook/Instagram account: okay, so we know that's not technically true but it can certainly feel like it at times. And while it might sound flippant or trivial, there is a serious point to be made here, as it speaks to the fact that people from all walks of life use Meta platforms, even children and other vulnerable groups.

Legitimate interests still offers an easier route to compliance for other adtech companies then?

In pointing out that legitimate interests may still be open to controllers engaging in personalised advertising, we are not suggesting that consent should be dismissed as a potential option. There are any number of variables that will determine whether a controller is better off using legitimate interests or consent as their lawful basis.


Looking at EU regulation outside of this case, it appears that there is a certain expectation that controllers wishing to use behavioural advertising base their processing of personal data on consent. Italy's data protection authority, the Garante, in July 2022 issued TikTok with an urgent warning against its proposal to switch the lawful basis for certain personalised advertising from consent to legitimate interests (although this may have been influenced by the fact that consent, which gives data subjects full control of whether processing goes ahead, was to be dropped), while a European Parliament briefing paper on the issue of targeted advertising in digital services talks of consent for behavioural advertising as if it is the only valid lawful basis.


While we privacy lawyers often caution against reliance on consent unless no other lawful basis is available, in truth there are circumstances in which consent is not the only option but is nevertheless the most appropriate. A little nuance can be useful: aspects such as the data range, intrusiveness of the processing, and the types of individual whose personal data is processed should be considered.


What's Meta doing in response?

Ahead of the EDPB announcement of the Decision, Meta unveiled a subscription model it will be rolling out across the EEA and Switzerland to allow subscribers to experience ad-free versions of Facebook and Instagram. Its press release states that the model has been expressly recognised as a valid form of consent for an ads-funded service by the CJEU in Case C-252/21.


Others - specifically the Datatilsynet and Max Schrems's noyb NGO - are less convinced by the validity of the subscription model, suggesting that a 'pay or okay' approach falls short of the GDPR's requirements, where consent must be specific, informed, freely given, and unambiguous. It should be noted, however, that other prominent tech platforms such as Spotify and YouTube offer ad-free versions for subscription without experiencing major regulatory issues.


So what should controllers do when considering how their personalised ad services comply with data protection laws?

The Decision may not have imposed a blanket ban on behavioural advertising on the basis of legitimate interests but it does serve to highlight the challenging nature of the sector. Below, we set out a few pointers for controllers seeking to stay on the right side of data protection laws:

  • Don't shirk the LIA: take the legitimate interests assessment seriously, be honest about the nature of your intended processing and the level of intrusion involved, and let it inform the safeguards and measures you'll implement to protect data and ensure data subjects are treated fairly.

  • Do consider consent: some personalised adverts can feel intrusive and it is not always clear whether your interests really do outweigh those of the data subjects. Plus, where the activity involves communicating directly with a user, seeking consent for these more targeted messages might help foster a stronger relationship with them.

  • Think about how much data your model ingests: it's worth considering the extent of the data your behavioural advertising model ingests. The use of third party cookies is considered far more intrusive than own-site tracking, and many browsers have stopped or are phasing out third party cookie support. You may want to consider whether legitimate interests should be used for profiles based solely on onsite data, with consent sought for the inclusion of data sourced from third party sites. And if you use third party cookies, consider whether to limit the length of time they collect usage information by ensuring the cookies have relatively short expiry times.

  • Consider whether you're collecting particularly sensitive information: extensive use of third party cookies could ultimately involve the collection of special categories of personal data, which likely will require user consent. Likewise, third party cookie usage is considered far more intrusive than tracking restricted to

  • Give people enough information about what you're doing: ensure that data subjects are provided with sufficient information about the proposed processing of their personal data for behavioural advertising, drafted in a manner that is easily digestible by target individuals.

  • Begin the transition to contextual advertising? Marketeers are already talking about alternatives to behavioural advertising with the anticipated death of the third party cookie on the horizon. As such, it may be a good time to consider whether the time has come to transition to a more context-focused promotional strategy. Even in its most primitive form, the linking of adverts to the content on web pages may still be said to take into account user interests - and those interests in most cases will be more immediate than those harvested in behavioural data sets. Depending on the nature of the model, they can be managed without processing any personal data.
