On 27 October 2023, the European Data Protection Board (EDPB) issued a critical and binding decision against Meta Ireland Ltd, marking a significant challenge to its practices.
The EDPB found that Meta had created detailed user profiles without consent by monitoring user activity on Facebook and Instagram for targeted advertising.
This approach breached the principles of the General Data Protection Regulation (GDPR), forcing the EDPB to enforce a ban on Meta's use of personal data for personalised advertising.
Irish authorities quickly followed suit, extending this ban to processing such data throughout the European Economic Area (EEA).
This directive has significant implications for businesses, requiring immediate and thorough adjustments to their data handling and advertising strategies.
Here are some key steps you can take to prepare for the changes ahead:
1. Secure users’ consent
The importance of explicit user consent cannot be overstated. Consider using solutions such as DataGuard's Consent and Preference Manager (CPM) to simplify this vital data processing element. Correct consent is not only a regulatory requirement; it also increases visitors’ trust.
2. Balance legitimate interests with individual rights
Simply claiming 'legitimate interest' in your terms and conditions to justify using personal data for advertising is insufficient. Legitimate interest is one of several possible legal grounds for processing personal data.
However, Article 6(1)(f) of the GDPR states that legitimate interests must not override the rights of the data subjects. It is essential to review your data processing practices to ensure that they comply with legal standards and respect the rights of individuals.
3. Stay ahead of regulatory developments
The evolving data protection landscape requires organisations to be proactive. Responding to these changes quickly and effectively is critical. By implementing the steps outlined and leveraging the resources available, you can ensure the integrity of your data processing practices and position your organisation to meet future challenges successfully.
Meta's recent announcement of a pure subscription model raises further questions about GDPR compliance. While the EDPB and the Irish authorities review the approach, German authorities consider a pure subscription legitimate under strict and concrete conditions. Stay abreast of these developments and be prepared, especially regarding the treatment of data from underage users.
Consult with DataGuard’s experts
In the face of these changes, professional guidance can be invaluable. If you're unsure of the implications for your specific context, get tailored advice from DataGuard’s experts to ensure your business remains compliant and ahead of the regulatory curve.