Happy New Year, Except to Facebook/Meta

The EU is starting its privacy year with a bang: Facebook parent Meta will be fined hundreds of millions of dollars (again) in relation to privacy practices falling afoul of the EU's privacy laws (GDPR). This brings the running total of fines against Meta for 2022-2023 to more than a billion dollars, if my math is correct.  

More significantly, the issue this time is that Meta essentially requires that consumers agree to receive personalized advertising as a condition for using its Facebook service. Rather than give consumers a clear choice upfront about whether to opt into personalized ads, Facebook tried to hide the "consent" mechanism in its terms and conditions of service. Ireland's data regulator has given Meta three months to outline a proposed fix.

Why It Matters

The EU takes privacy seriously. It is clear that the data regulators around the EU mean to bring Facebook to heel when it comes to user data and ad tech, including by forcing more transparency into Facebook's practices. Google has also been in the regulators' cross-hairs, for its advertising and other practices that depend on data for its revenue. For most US companies, these data squabbles are only indirectly relevant (they may affect ad tech, analytics, or other services they purchase from Facebook and Google).  

This latest case, however, has some object lessons for any company: you can't pretend to give consumers a choice when they don't really have one. Be clear about consent. Be clear about whether "no" from the consumer means you will stop doing something. Don't try to hide "consent" mechanisms in your terms and conditions. 

Your company may not have to pay a billion dollars of fines every year. Still, any investigation means costs and disruptions, all of which are unnecessary if you give consumers clear disclosures about their choices.