On Wednesday, 4 January 2023, a board of EU regulators found Facebook and Instagram parent company Meta in violation of their General Data Protection Regulation (GDPR). The core of the complaint was that in order for a user to be able to use their services, they were obliged to accept personalised ads.
Initially, the case was brought before Ireland’s data privacy board since the tech giant’s European headquarters is located in Dublin, Ireland. Their first ruling was that Meta’s practices are in line with GDPR rules. However, the case was re-tried, with representatives from each of the 27 EU member states serving on the board, and the new decision found Facebook’s parent company in violation. As a result, they had to endure a hefty, €390 million (equalling $421 million today) fine.
According to the EU data regulator, it is not allowed to make a user accept personalised ads if they wish to use a service. People should still be able to use these sites and apps, even if they would not be willing to give up their data for advertisers. However, the problem for Meta is that personalised ads based on user data are much more valuable than so-called ‘contextual ads’, which simply relate to the specific content someone is seeing on the site. Thus Meta can expect a drop in their ad revenue if the ruling is upheld on appeal.
A similar situation occurred in 2021, when Apple allowed its iPhone users the choice to block advertisers from accessing their locations. The majority of iPhone users opted to do so. As a result, Meta saw a $10 billion loss in advertising revenue.
In their piece on the subject, The New York Times quoted Dan Ives, an analyst at Wedbush Securities who estimates that
5–7 per cent of Meta’s total advertising revenue is at risk.
For reference, Meta’s annual revenue was $27.7 billion for their fiscal year ending on 30 September 2022—the vast majority, around 98 per cent, of which comes from showing online ads to their users.
The California-based tech giant is already going through turbulent times. Last year, its stock price lost over 60 per cent of its value. The company has already begun downsizing their workforce. Some of this was brought about by external factors, such as the rising federal interest rates in the US that had to be implemented to curve inflation. Investors are now incentivised to put their money in low-risk treasury bonds and bills which offer decent returns again. As a result, the demand for tech stocks as a whole has gone down. The NASDAQ composite index, which includes most of the biggest tech company stocks, plummeted 33 per cent year—however, as the numbers show, Meta still managed to underperform the market.
Last November, the company already had to endure another fine of around $275 million. In that case, their offence was letting a data leak happen that jeopardised the personal information of 500 million of their users. And it seems the pressure is not letting up any time soon. While European data protection activists welcomed the new developments and the massive GDRP fine, they also lamented the fact that it came—in their opinion—too late. The interest group filed the initial complaint against Meta back in 2018, so it took over four years to get a ruling favourable for them. Also, an appeal on the American company’s part is still coming.
GDPR is an EU law that was passed in 2016 and took effect in 2018. Since then, fines have been issued in over 1,500 cases.
However, this €390 million ‘traffic ticket’ for Meta is one of the largest ever issued, second only to the staggering €746 million penalty another American tech giant, Amazon received back in July 2021.
This is in line with the bigger overall trend of national and international regulators putting more pressure on tech companies. In April 2018, Facebook founder and CEO Mark Zuckerberg appeared at a public hearing in front of the United States Congress to answer questions about how the British political consulting firm Cambridge Analytica acquired the data of US voters through Facebook’s platform. The next month, in May 2018, Zuckerberg went to Strasbourg, France to be questioned in a similar fashion at the European Parliament. The same year, as we wrote above, the GDPR took effect. In 2019, the European Union approved a new directive that became known as ‘Article 13’ which gave publishers more tools to monetise their copyrighted materials on the internet. This was seen as an overreach by the global online community that expressed quite a lot of outrage about the matter. Article 13 was still passed in the EU Parliament (under its new name ‘Article 17’), but it is yet to bring the catastrophic changes envisioned by many on the internet.
Also, back in September 2019, Google’s parent company Alphabet Inc. was dealt an even bigger financial blow than Meta’s recent fine for not being up to par with data regulation. They had to settle a case with the Federal Trade Commission in the United States for $170 million, a record payment in the agency’s history. They were found in violation of the Children’s Online Privacy Protection Rule (COPPA) for channelling the personal information of children under 13 to advertisers without their parents’ consent.
New tech regulations enacted in any of the major Western markets, be it the EU or the US, are likely to have a global effect, as it is usually easier for the companies to apply the new rules to all of their users, as opposed to just in one region alone. They do not really have the option to pull out of these markets if they do not want to comply either, given their sizes—the 27 EU member states have a combined population of around 450 million, while the current US population is around 330 million.