Summary
The recent binding decision by the European Data Protection Board (EDPB) regarding Meta's personalized advertising practices may have broader implications for advertising technology companies and ad-based business models in the European Union (EU). This decision responds to Meta's violations of the EU General Data Protection Regulation (GDPR).
While Meta has proposed a move to an ad-free subscription model for Facebook and Instagram users in the EU to address these violations this month, EU data protection authorities are signaling deeper scrutiny of the entire advertising technology industry. Regulators from Belgium, France, and Germany have indicated at the IAPP Europe Data Protection Congress that significant changes in ad tech privacy regulations are on the horizon.
"What happens to the data which has already been collected in the past? Will it still be used for profiling? Those are questions I think we have to pay attention to" -Hielke Hijmans, President, Belgium Data Protection Authority Litigation Chamber (Source: IAPP) |
Personalized advertising, which relies heavily on profiling behavioral data, may face challenges in meeting GDPR standards related to legal basis, legitimate interest, and consent.
Meike Kamp, Berlin Commissioner for Data Protection and Freedom of Information, referenced previous decisions against Meta, where the performance of a contract for personalized advertising did not meet GDPR standards, and the Court of Justice of the European Union ruled that Meta could not justify data processing for personalized advertising without the data subject's consent.
The future of behavioral advertising in the EU may hinge on the ongoing EDPB review of Meta's "pay or OK" consent-based subscription model. While some authorities, like Norway's Datatilsynet, have deemed the subscription model noncompliant, the EDPB's final decision is pending. Concerns have been raised about the subscription model's affordability for users, especially teenagers, and questions about using previously collected data for profiling.
It's important to note that the subscription model focuses on data collection rather than advertising in general. Kamp emphasized that "business as usual" might not be possible under GDPR requirements, irrespective of user payments or consent.
What are your thoughts regarding payment models? Join the conversation in our Yes We Trust community, a free discussion group for data privacy professionals and enthusiasts, on LinkedIn: