The European Data Protection Board (EDPB) has fined Meta millions of dollars and told the company to stop serving ads based on personal data.
The EDPB told Meta it must obtain opt-in consent from users for advertising, and rejected the claim by Meta that its use of personal data is covered by contractual law requirements.
Meta does not currently provide an opt-in option for its users as required by General Data Protection Regulation (GDPR).
Ireland’s Data Protection Commission announced the ruling on Wednesday, and imposed fines of 390 million euros, or $411 million, saying the company violated EU privacy laws by saying such ads are necessary to execute contracts with users, according to one report.
Facebook and Instagram have three months to stop relying on their contracts with users to justify its use of the ads, which are targeted based on a user’s online behavior and activity.
Ireland’s privacy regulator said it issued its decisions after a board representing all privacy regulators in the bloc last month ordered the Irish regulator to do so, over the Irish regulator’s objections,
Ireland leads the enforcement of the EU’s GDPR for Meta because the company’s European headquarters are in Dublin, according to The Wall Street Journal.
About one-quarter of Meta’s $83 billion in advertising revenue for the nine months that ended September 30, came from Europe.
“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions,” a spokesman told the WSJ.