The EU is going toe to toe with Meta once more, with the social network giant conceding defeat yet again. After having taken Meta to task for various privacy violations and data breaches, Meta is now having to provide European users with a way to opt out of behavioural advertising. The threat of fines totalling $100,000 a day probably helped things along a little bit.

This has been a long time coming. In fact, it’s taken no fewer than five years of “extensive litigation” to reach this landmark moment. Two complaints from the European Center for Digital Right (NYOB) back in 2018 set the wheels in motion. Additional interest from the European Data Protection Board and decisions made by the Court of Justice of the European Union (CJEU) heaped additional pressure on the now relenting Meta.

From Meta’s most recent post on this subject:

Today, we are announcing our intention to change the legal basis that we use to process certain data for behavioural advertising for people in the EU, EEA and Switzerland from ‘Legitimate Interests’ to ‘Consent’. This change is to address a number of evolving and emerging regulatory requirements in the region, notably how our lead data protection regulator in the EU, the Irish Data Protection Commission (DPC), is now interpreting GDPR in light of recent legal rulings, as well as anticipating the entry into force of the Digital Markets Act (DMA). 

As The Record explains, behavioural advertising typically involves the display of adverts customised by someone’s browsing habits and / or app usage. A picture is built up over time of said user, and it essentially follows them around the web. Web browsers have been pushing back against some of this behaviour for some time now, with some of them isolating third party cookies or looking to sunset them completely.

In this case, Meta may be looking to get ahead of the game somewhat in the face of what The Record calls “an inevitable near-term regulatory reality”, and so look proactive while getting its own preferred time frame for changes in order.

There’s no solid dates set yet for when these changes may come into force. October has been referenced as a possibility, but (as with the delays to cookie sunsetting) there may well be similar delays here. From the Meta blog:

We will share further information over the months ahead, because it will take time for us to continue to constructively engage with regulators to ensure that any proposed solution addresses regulatory obligations in the EU, including GDPR and the upcoming DMA.

Whenever these changes come into force, many meta users will not see the benefit. If you’re located outside of the EU, the European Economic Area (EEA), or Switzerland, then unfortunately you’re out of luck on the behavioural advertising avoidance front.

This may well create additional pressure regardless, given the many privacy and safety organisations located in the US who will no doubt be watching these developments closely to see what can be replicated.

Meta has had a very rough time of things where the EU is concerned. Back in July 2022, regulators were threatening to ban Facebook in relation to data transfers to the US. In September of the same year, Instagram was counting the cost of a $400m fine related to the handling of children’s data. November? That would be the $277m fine issued by the Irish Data Protection Commision because of a Facebook data breach. March was all about Facebook having “illegally processed” user data. July of this year saw Meta subsidiaries ordered to pay $14m over misleading data collection disclosure.

Wherever you look, no matter which part of the business we’re talking about, there’s often a fine and an EU regulator thrown into the mix. It’s a very large and costly legal war of attrition, and the message is loud and clear. The EU will keep doing this for as long as it takes for Meta to get its house in order.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.