Burying Behavioral Advertising in Terms of Service Violates GDPR Principles


2023 started with a serious blow to behavioral advertising. The Irish Data Protection Authority (IE DPA) issued a decision to Meta that put its behavioral advertising under high scrutiny. The decision was handed down to the Irish DPA by the European Data Protection Board (EDPB) and is the outcome of dispute resolution among various EU regulators.

The decision came about as a result of data subject complaints filed with the Austrian and Belgian authorities in May 2018, when GDPR came into effect. The basis of the complaints was that Meta had updated its terms of service and, instead of relying on consent, relied on "contract" as the legal basis for most of its processing operations. Users of the platforms were required to accept the updated terms of service in order to continue using the services. This made the services conditional on acceptance of the updated terms of service and was seen as Meta "forcing" users to consent to the processing of their personal data for behavioral advertising and other personalized services.

The regulatory process began 4 years ago and has been complex. It involved peer regulators in the EU/EEA and faced various objections. When consensus could not be reached, the EDPB stepped in for dispute resolution, resulting in the issuance of this decision via the IE DPA.

At this point, Meta is given 3 months to bring its processing operations in the EU into compliance with the GDPR.

The decision is, of course, significant for Meta’s business model in the EU. But it also has implications for various players in the advertising ecosystem who use first-party data for advertising. These entities include social platforms, DTC businesses, retail media, ecommerce, as well as third-party adtech and martech companies. It puts limits on the use of first-party data for behavioral advertising and on reliance on quid pro quo in agreements where free online services are provided in exchange for user data.

Burying the use of collected data for behavioral advertising in a first party's terms of service is deemed an invalid contractual basis under GDPR. This ruling declares that a contract is not an appropriate lawful basis. Businesses can’t rely on contracts as a proxy for consent. The EDPB has now ruled that EU privacy law does not allow platforms to use the so-called “contract basis” for collecting data used to target, tailor and sell advertising. Given the share of revenue driven by behavioral advertising, Meta is likely considering and/or experimenting with alternative ways to offer personalized advertising on its properties.

Processing of personal data collected by the company may or may not be based on ‘consent’, but it certainly can't be based on Terms of Service. EDPB states that, “Having considered the submissions of the parties, including the submissions on the Preliminary Draft Decision, I proposed to conclude, in the Draft Decision, that the legal basis for processing of personal data under the Terms of Service between Facebook and its users, including the Complainant, does not, as a matter of law, have to be consent under Article 6(1)(a) GDPR and, as a matter of fact, Facebook does not rely on consent for this purpose and the agreement to the Terms of Service does not constitute consent for the purposes of the GDPR.” Some of the challenges identified with Terms of Service agreements are:

  • Transparency - Contracts tend to be lengthy, difficult to comprehend, lacking in specificity of language, and one-sided. Further, the terms around data use tend to get hidden in the legalese. Under this decision, Meta was considered not to have been transparent with users at the time of providing and executing the contract. “Meta’s terms-of-service agreement — the very lengthy statement that users must accept to gain access to services like Facebook, Instagram and WhatsApp — includes language that effectively means users must either allow their data to be used for personalised ads or stop using Meta’s social media services altogether.”
  • Fairness - Because the ‘terms of service contract’ was used as the means of consent, data subjects could not tell whether they were consenting or contracting, which the authorities deemed unfair. Further, bundling of services under such terms of service failed to provide a fundamental understanding of the contract, i.e. what service users were specifically signing up for. Meta’s fundamental service is communication. Data subjects didn’t realize the extent to which their information was being used to deliver these ads.

It appears that the options for a lawful basis are quite slim. Opt-out alone may not suffice. Based on Meta’s claims, “Meta has long allowed users to opt out of personalizing ads based on data it gleans from users’ activity on other websites and apps. But it doesn’t give users any such option for opting out of ads based on data about activity on its own platforms—such as what posts a user comments on or videos an Instagram user watches.”

For Meta, getting an EU-wide opt-in is likely an arduous task. Compulsory opt-in by users would lead to a revenue decline caused by reduced volume. As seen with Apple’s ATT, if a large user base declines to share their data, it would drastically impact the advertising revenues generated from in-feed advertising. These practices helped Meta generate $118 billion in revenue in 2021. It may also lead to a reduction in ad prices of 10% to 20% in a worst-case scenario, wiping 12% to 25% from the company’s valuation.

Another option is applying Legitimate Interest and checking whether the data processing for personalized advertising holds up against the purpose, necessity and balancing tests. This is an alternative that companies may consider in light of this decision, or where ‘Contract’ is not a viable basis. But, as seen last year, the Italian authorities issued a warning to TikTok that processing data on the basis of its ‘legitimate interest’ would be in conflict with GDPR.

The decision does not state specific actions that Meta must take to enable user choice or opt-ins for behavioral advertising, but it does reject the user contract as an acceptable mechanism. It appears that the lawful bases available for behavioral advertising are dwindling, which makes consent seem the favored remaining option unless regulators provide more guidance.

EU authorities have invalidated Meta’s position that the lawful basis for serving ads can be the performance of a contract. Based on the Irish DPA's statements, Meta cannot serve ads on the basis of performance of a contract because serving ads isn't necessary to the contract:

'The fact that the Facebook Terms of Service do not provide for any contractual obligation binding Meta IE to offer personalized advertising to the Facebook users and any contractual penalty if Meta IE fails to do so shows that, at least from the perspective of the Facebook user, this processing is not necessary to perform the contract.'

This decision also has some noteworthy observations on the regulatory process:

  • This decision may result in a global impact for Meta but more importantly strengthens GDPR. GDPR has been criticized for being weak and enforcement has been slow. It could be contended that this is the most consequential decision to date under GDPR. In addition to 390 million euros ($414 million) in fines, this ruling will likely require Meta to make costly changes to its advertising-based business in the European Union, one of its largest markets. This decision puts attention back on the Regulators in the EU who are starting to be quite active and are taking actions across all businesses, irrespective of the size.
  • This also brings to light the role and authority that the European Data Protection Board holds. The EDPB overruled the ruling by Ireland’s Data Protection Commission, which leads enforcement of the GDPR for Meta because Meta’s European headquarters are in Dublin. The EDPB has also directed the IE DPA to conduct a fresh investigation of Facebook and Instagram data processing operations in relation to special categories of personal data that may or may not be processed in the context of those operations.
  • It is yet to be seen what changes Meta implements with regard to its business operations in the EU and the modification of its advertising business in the region. Regardless, regulators globally are likely taking note of these developments, and future developments associated with this decision will show the magnitude of its effect globally.
  • Given the revenue impact this would have on Meta, lengthy and complex litigation is expected, assuming Meta decides to fight back. Meta is said to have earmarked $2 billion for European penalties this year, so it likely saw this coming and may have a response in the works already. But that set-aside is quickly diminishing: Ireland alone has fined Meta nearly $1.4 billion in five separate decisions over the past year and a half. If Meta chooses to appeal and/or litigate, the litigation may be complicated by the question of which regulator has the greater say - the Irish DPC, other regulators, or the EDPB.

Beyond the implications for Meta and behavioral advertising more broadly, the Irish DPC has a good deal at stake as well. The EDPB seems to have called into question DPC conclusions on the case, and in particular has demanded harsher and more far reaching penalties, some of which the DPC has adopted. As the matter winds its way through legal challenges and potential incremental solutions from Meta, will the resolution be seen as an effective collaboration between regulators, as contemplated by the GDPR? Or will the DPC’s authority ultimately be undermined by criticism and potential challenge from the EDPB? Max Schrems has already weighed in, and he has emerged as a strong critic of the DPC.

In a nutshell, this decision further brings to light the regulatory stance towards behavioral advertising. The decision doesn't mean the end of behavioral advertising per se. But when first-party data is involved, its use needs to be reviewed and revised carefully against the definitions under GDPR and all privacy laws. GDPR doesn’t specify which lawful basis should be used for processing. It’s upon the business to apply the correct lawful basis, check its performance-of-contract obligations, adhere to privacy principles and create linkages between collection / processing, purpose, rights and obligations. Clear and straightforward explanations about data use and obtaining explicit permission are necessary.
