Meta faces $100,000 daily fine for harvesting user data to power ads
The Norwegian data protection authority’s ruling could set a precedent for other regulators
Norway is set to impose heavy fines on Meta after ruling that the social media giant’s behavioral advertising practices do not comply with its laws.
Datatilsynet, the Norwegian data protection authority, had given Meta until 4 August to submit evidence it’d changed its approach to harvesting geolocation data to power targeted advertising.
From 14 August the authority will fine Meta 1 million kroner ($98,500) per day until November 3, or until the firm complies with laws set out under GDPR as well as domestic data protection regulations. It clarified this doesn’t amount to a Facebook or Instagram ban in Norway.
Meta faces a total bill of 81 million kroner ($7,978,500) over the fine period, but Datatilsynet reserves the right to ask the European Data Protection Board (EDPB) to extend the fine, or make it permanent.
Behavioral advertising is a method through which publishers can take advantage of user data to push individually-relevant advertising content. In December 2022 the Irish Data Protection Commission (DPC) ruled that Meta unlawfully processed user data for behavioral advertising and fined the firm €390 million.
Datatilsynet cited a July decision from the Court of Justice of the European Union (CJEU) which stated Meta hadn’t changed its policies enough to comply with the law, following the DPC ruling.
The authority said Meta tracks the interests of users and what they post to build a detailed profile on them to determine which content to show them. It contended this is an issue of freedom of information, and that such targeted advertising is “particularly problematic from a democratic perspective”.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Automate personalization with AWS
Learn how you can leverage the benefits of personalization and automation across every customer touch point.
Meta has disagreed with the order and will challenge it. The firm has contended its promised consent changes are in line with prior demands but could be hit with fines of a similar nature by other authorities if authorities disagree.
"Today, we are announcing our intention to change the legal basis that we use to process certain data for behavioral advertising for people in the EU, EEA and Switzerland from ‘Legitimate Interests’ to ‘Consent’," Meta stated on 1 August.
"This change is to address a number of evolving and emerging regulatory requirements in the region, notably how our lead data protection regulator in the EU, the Irish Data Protection Commission (DPC), is now interpreting GDPR in light of recent legal rulings, as well as anticipating the entry into force of the Digital Markets Act (DMA)."
Will Richmond-Coggan, a partner at national law firm Freeths specializing in data protection litigation and enforcement told ITPro all European supervisory authorities can impose recurring fines.
“Other authorities will therefore be watching with interest to see if the Datatilsynet’s approach has the desired effect,” he said.
“One benefit of a recurring fine is that it underscores to businesses the continuing cost of their non-compliance, for as long as they fail to address it. But it is unlikely that such fines will have very much of a deterrent effect. In reality, the value is in the coercive effect of the adverse publicity around a company being in a continuing breach, and the pressure that this brings to bear towards remediating that issue.
“If there is a sense that this contributes to the pressure on Meta to get their house in order, and particularly if it seems that this approach resonates with the public and consumers who start to move away from Meta’s products in response to the adverse publicity, we can expect to see increased enthusiasm for this enforcement model from other supervisory authorities.”
The Irish DPC is the designated supervisory authority when it comes to adjudicating over several big tech companies, including Meta, because they’re headquartered in Ireland. The law, however, lets the likes of Datatilsynet to impose a three-month decision for violations that are deemed sufficiently urgent.
The DPC fined Meta €265 million ($290 million) in November 2022 for data scraping, and a further €390 million ($427 million) in December over its ad targeting policies, bringing the total 12-month fine total to more than €1 billion.
Another fine came in May 2023, with Meta fined a record $1.3 billion by the DPC for breaching GDPR through data transfers to the US that were deemed insufficiently protective of citizens’ rights and freedoms.
The firm subsequently announced plans to ask EU users for their consent on targeted advertising, and that the change would take several months to implement.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.