Meta has been fined €390m euros (£346m) for breaking EU data rules.
The Irish Data Protection Commission (DPC) says the way Meta asked permission to use peoples’ data for ads on Facebook and Instagram was unlawful.
Meta, which owns both platforms, has three months to change how it obtains and uses data to target ads.
Meta says it is “disappointed” and intends to appeal, stressing that the decision does not prevent personalised advertising on its platforms.
The regulator said that Facebook and Instagram can not “force consent” by saying consumers have to accept how their data is used, or leave the platform.
As Facebook and Instagram have European headquarters in Ireland, the DPC takes the lead in ensuring they comply with EU data law.
Privacy campaigners say the decision is a major victory and means Meta will have to give users real choice over how their data is used to target online advertisements.
It means Meta will potentially have to change the way a key part of its business works.
The bulk of the firm’s money, over $118bn (£97.8bn) in 2021, comes from advertising.
The fine is the second significant penalty imposed by the watchdog in recent months.
In November it was fined €265m (£228m) by the DPC over a data breach that saw the personal details of hundreds of millions of Facebook users published online.
According to the Irish Times Meta set aside €2bn (£1.7bn) to cover potential European fines in 2023.
New law, new complaints
The DPC investigation was sparked by complaints made in 2018 by privacy campaigner Max Schrems, on behalf of two users in Austria and Belgium. The complaint was brought just as the EU’s new data and privacy law, the General Data Protection Regulation (GDPR), came into operation.
In order to comply with GDPR both Facebook and Instagram asked users to click “I accept” to indicate that they agreed to updated terms of service setting out how their data would be used in ads.
If users did not accept, they were unable to use Facebook or Instagram.
The complainants argued that this meant Meta was “forcing” them to consent to their data being used in targeted ads – and this breached the GDPR.
Meta’s representatives argued that Facebook and Instagram are “inherently personalised” and that, as part of that personalisation, targeted ads are a “necessary and essential part” of how the platforms work.
They said Meta was not giving users an ultimatum, and that there was just no way the platforms could work without using data for advertising.
But the DPC found that is not the case, and users were forced to consent.
The DPC also found that Meta was not clear enough with users about how it was using their personal data and why.
But the decision was only arrived at after a dispute with other European data authorities.
That was finally settled in December by the European Data Protection Board.
Meta’s spokespeople say that it plans to challenge the size of the fines imposed, “given that regulators themselves disagreed with each other on this issue”.
The company argues that far from forcing people to accept how it uses data, it gives consumers a number of tools to control how their data is used.