Siding against Meta Platforms, a court in Norway has upheld a privacy regulator's order requiring the company to either obtain users' consent to online behavioral advertising, or pause serving ads to people based on their online activity or general locations.
Line Coll, director of the Norwegian agency Datatilsynet, called the court's decision “a big victory for people’s data protection rights.”
A Meta spokesperson said the company is “disappointed” by the decision, and will consider next steps.
The spokesperson added that Meta recently announced plans to seek consent from users in the European Union, European Economic Area and Switzerland before harnessing their data for behavioral advertising. It's not yet clear when Meta will start doing so.
The Datatilsynet's order, issued in July by the Norwegian agency Datatilsynet and slated to take effect last month, included fines of around $100,000 per day for noncompliance after August 14.
The order expires in mid-November, but the Datatilsynet said it may seek to extend the ban. Behavioral advertising is “one of the largest risks to privacy,” the regulator stated in July in a summary of its decision.
The prohibition applies to ads targeted based on inferences drawn from online behavior and estimated locations, and not to ads based on information people volunteer in their profiles, such as their cities, gender, age or interests.
Meta challenged the Datatilsynet's order in Oslo District Court on several grounds, including that there was no need for “urgent measures” such as an injunction, given that behavioral advertising is a “very widespread” and long-standing practice, according to an English language translation of the opinion.
The court rejected that argument, writing: “There are serious breaches of the regulations with extensive illegal use of large amounts of data, and there is an urgent need for measures to be taken.”
The court also ruled that an order requiring a company to cease "illegal activities" wasn't “disproportionate."
“The interests of the plaintiffs are primarily of an economic nature. These interests must be compared with the interests of Norwegian users’ privacy and rights,” the opinion states.
The Norway authorities aren't the only ones to pressure Meta over privacy. For instance, late last year, the Irish Data Protection Commission ruled that Meta lacked a valid basis to process users' data. (Europe's broad General Data Protection Regulation requires companies to have a legal basis to process data.) The Data Protection Commission rejected Meta's argument that its contracts with users provided a legal basis to serve them with targeted ads, and fined the company roughly $414 million.