The European Data Protection Board (the EDPB) has determined that the legal basis relied upon by Meta for processing personal data for the purposes of targeted advertising on Facebook and Instagram is invalid.
The EDPB considered whether providing targeted advertising (via ad tech or otherwise) was objectively necessary for Meta to provide its Facebook and Instagram services to users based on its terms of service. The EDPB found that providing targeted ads was not part of Meta's core service offering and, as a result, not necessary for the performance of Meta's terms of service.
Meta had traditionally relied on such processing as being necessary to perform its contract with Facebook and Instagram users for the purposes of complying with the EU's General Data Protection Regime (GDPR). Meta has been ordered to change its data-targeting model to be GDPR-compliant in the next three months and has also been issued with a €390m fine.
The decision highlights the potential disconnect between a service provider and service recipient's understanding of what an online service is, which has been more widely observed as a shortcoming of the "data as payment" business model.
The EDPB's decision is indicative of a more general shift in regulatory approach towards ad-funded platforms and services. There are an increasing number of examples of action being taken against BigTech companies in this space, with TikTok also having recently been put under scrutiny in relation to its practices in this area.
As regulators globally (who have often been the subject of criticism for a lack of enforcement) appear to increasingly be taking action against the "data as payment" business model, we are likely to see more and more activity in this area.
While the New Zealand Privacy Act 2020 (Privacy Act) does not require an organisation to have a specific legal basis for processing in the same way that the GDPR does, if you are using ad tech to provide targeted ads on your platform, you must be transparent about the use of users' personal information in your terms of service.
In particular, in order to avoid falling foul of the Privacy Act, make sure you highlight your use of personal information for the purposes of targeted advertising in plain English right up front in your T&Cs. Don't try to hide these sorts of disclosures deep in the text of lengthy terms, which risks being viewed as a breach of the fairness principle under Information Privacy Principle 4 of the Privacy Act.
Providers of these types of services may also wish to explore alternative and less intrusive means of using ad tech for targeted advertising (for example, contextual advertising based on geography, language and content, as opposed to user activity tracking) and to ensure that users are provided with effective "control" over the type of targeted ads that they are exposed to, including an ability to turn targeted advertising off should they wish to do so.
A copy of the Decision can be found here.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the experts listed below.