Privacy Violations Continue with Meta Fined €390M: Here’s What Brands Need to Know
Head of Consultancy, Europe, Femi Taiwo gives a view on the latest in user privacy legislation and how brands should respond.
Meta has been fined €390M for breaking privacy rules (€210M for Facebook & €180M for Instagram). Although this may sound like déjà vu, the latest is that Meta added user consent for advertising into its Terms of Service, in effect using its prerogative as a walled garden to bind preferences to contract. Femi Taiwo breaks down what all of this means for brands and how they can act on it now with six key recommendations.
Since the GDPR became enforceable in 2018, heavy scrutiny has been applied to the BigTech companies, specifically GAMA (Google, Apple, Meta, Amazon), all headquartered in Dublin. This has led to growing pressures on the Irish Data Protection Commission to resolve its backlog of cases.
The Irish DPC found Meta guilty of breaching the GDPR because its action relies on a GDPR provision that almost all in the advertising world had been using erroneously: “Legitimate Interest”. Meta is likely to appeal.
With a long backlog, this development from the Irish DPC is expected – and in line with the fallout from the Belgian DPA’s ruling last year in February against IAB Europe’s Transparency & Consent Framework (TCF) v2.0.
What does it mean?
These developments may not be a surprise to many, as they’re in tune with the way the EU has enforced consent pre-GDPR. This is effectively an extension of the all too familiar PECR Directive. This ruling simply suggests that you cannot force users to opt-in to advertising along with a contract.
“Legitimate Interest” was never intended for this use; the examples given in law are for the likes of fraud prevention or threats to public security. The fines, however, are expected to persist, given that the news has come directly from Dublin, the “home” territory.
There will also likely be a lot of noise surrounding the potential impact on Meta’s future revenue. It is important to remember that:
- This fine represents 0.35% of Meta’s ad revenue in ONE year (2021)
- Meta has a Marketing budget for the Metaverse that’s significantly larger than this
- Even looking at all the fines they’ve had in the past 2 years, they still only total ~€1.3Bn – there is a lot of room before it becomes concerning
One thing we can be certain of is that there will be an increasing amount of interest in the wider advertising industry as this has implications for adjacent cases like the TCF ruling, which enforces transparency.
Consent enforcement in the EU has been broadly consistent, so if we consider this as an extension of existing rulings (for example, you cannot auto opt-in users into email marketing with a Terms of Service acceptance) then this is hardly a surprise, reinforcing the need for brands to start acting in the face of this.
This ruling in effect states that you cannot force users to opt-in to advertising to fulfil a contract.
What could this mean for Meta’s future business? We would expect Meta to diversify away from a single type of ad income stream. In many ways, this is what the Metaverse is, as was Ascenta (drone connectivity) before it, as well as Facebook.org/Free Basics.
What we’re witnessing is a reshaping of the ecosystem by regulators. Although it is happening globally, it is being felt acutely in Europe, and we expect other legislation like the Digital Markets Act will compound this feeling.
Meta is not alone. Google has also faced heavy fines and we expect Apple to allow sideloading (installs of apps outside its official App Store) at some point this year.
With each of these rulings, we anticipate there to be contingencies that the BigTech companies can deploy to change the market in their favour, like how the GDPR worked in favour of BigTech although it was largely expected to hinder them.
What does it mean for brands?
Nothing will change in the near term – it will be business as usual. Even if Meta must implement the changes in Q2 of 2023, we still foresee delays as Meta does its due diligence to solve the problem. Even if all remains the same, this is a good opportunity for brands to consider these six key recommendations:
Review your consent mechanisms
If you operate in the EEA then you have an obligation to obtain consent for the processing of personal information (under the GDPR). You will likely have a Consent Management Platform (CMP) to assist with this so it’s important to make sure:
/ The user consent preferences are being honoured
- Does a non-consent signal mean that a user truly doesn’t have personalised advertising activated? Are your Analytics and Paid Media tools recognising and acting on these signals?
/ You can identify your true consent rate
- Are you able to model the unconsented users based on what you can see in the CMS?
/ Leverage your CMS
- Lean more into CRO & UX experiments to test best paths to maximise revenue/conversion without relying on cookies or identifiers
Examine your channel mix – what value are Meta’s properties really driving?
/ You may already be running incrementality tests (we’d highly recommend it) and have alternative methodologies for attributing digital campaigns so this would be a good time to expand these tests & work intentionally through a roadmap.
Lean more into your own tech & data
/ If you have a Customer Data Platform (CDP), accelerate the role the CDP plays by using it to activate tactical executions with paid media
Create segmentation of your CRM audiences so the data can travel where the next blue-sky opportunities are, rather than being tethered to what is currently working
Look deeper into your business data (product/margin/returns/etc data) so you can readily grow your first-party data independently of the platforms
Retargeting Strategy
/ From a social activation perspective, we would recommend brands keep a close watch on retargeting performance as any changes Meta makes will have significant ramifications on delivery.
We expect Meta will continue to drive good incrementality overall, but the in-platform mix will likely shift further towards prospecting/acquisition.
At Assembly, we’re able to help you review your current retargeting strategies and update your retargeting framework, where applicable. We would strongly recommend conducting this review with the inclusion of a data collection audit that aligns with your CRM audience segmentation and future approach to CDP execution.
Evaluation of all partners and publishers
/ The Meta ruling will have a wider impact on how partners and publishers opt-in and opt-out audiences. There is no shortage of cookie-less solutions in the industry, including the partners Assembly works with.
We would recommend including Demand-side Platforms (DSPs) that specialize in cookie-less buying and other methods of building personas. We’re on hand to assist you with a partner audit to ensure best practice is in place.
Server to Server Integrations
/ This ruling carries additional weight for Meta because we’re nearing the end of our reliance on tracking pixels for delivering advertising performance. This should signal an acceleration for organisations to implement more robust data collection using server-to-server integration solutions.
If you have a significant amount of spend on Meta, you should strongly consider implementing their Conversions API (CAPI) solution, with a testing plan & a roadmap for data adoption as part of your standard campaign reporting.
If you require CAPI support, Assembly can help with Paid Social consultation or implementation services, where needed.
We know that key questions such as these are important to help businesses plan in a rapidly evolving space so please contact us if you require assistance in navigating these six recommendations.
Assembly remains committed to helping brands find the change that fuels their next phase of growth.