Executive Summary

• On 27 October 2023, the EDPB announced that, within two weeks, Meta, must cease processing personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire European Economic Area (EEA).
• This binding decision aims to achieve enforcement of an earlier decision by the EDPB (December 2022) that made Meta’s behavioural advertising practices illegal.
• The EDPB decided that Meta’s practices were not sufficiently clear or transparent and that both contract and legitimate interest were an insufficient basis to allow them to analyse individuals’ personal data to tailor advertising to them.
• Meta have appealed the decision, resisted its content and continued to process personal data to undertake behavioural advertising using EU/EEA citizens data.
• On October 30th, Meta announced that they will introduce an Ad Free subscription model in EU/EEA which has been dubbed journalistically as “pay for privacy”.  
• Meta will now need to seek approval from the Irish DPC for their pay-or-protect consent option.
• This “Pay for Privacy” option has been met with further outrage from supervisory authorities and key privacy figures including Maximillian Schrems. Consequently, further legal action and consideration by the EU courts and EDPB is very likely.

What does this mean for businesses?

• Businesses also using personal data to undertake behavioural advertising by relying on legitimate interest/contract should cease doing so.
• Instead, they must seek explicit consent from data subjects to undertake this kind of processing. A failure to do so could result in substantial fines, legal action, and significant reputational damage.
• To avoid this, companies developing or distributing AdTech, should now ensure that those to whom they sell their software:
  • comply with the GDPR.
  • are sufficiently clear and transparent about the purposes of processing.
  • do not rely on contract/legitimate interest as legal bases for processing. involved in behavioural advertising and
  • use a consent model instead of other lawful bases.
• Businesses who rely on Meta’s behavioural advertising should consider whether continuing to do so is strictly necessary, asking themselves whether less invasive forms of advertising can realise similar levels of engagement whilst maintaining GDPR compliance and avoiding possible reputational damage due to a public association with the Meta dispute.

AiPrivSec

For more information on the complying with the GDPR, to seek our help to establish fair, transparent and legal processing of personal data or for access to our whitepapers get in touch by clicking here.