Meta’s consent bypass strategy fails in EU

By Arlo Gilbert · Posted on December 8, 2022

Hello all! I hope all of our subscribers in the northern hemisphere are surviving the short winter days.

There is some significant GDPR-related news in our newsletter today: Meta may no longer serve targeted advertisements to EU citizens without their consent.

For those of you familiar with EU law, it’s probably a surprise that Meta was able to serve targeted ads without consent in the first place—users must explicitly opt into the data collection and processing required for ad personalization in the EU, so personalizing ads without that consent seems like a clear violation.

However, consent is just one way to obtain a legal basis for processing personal information. Meta attempted to sidestep this requirement by burying targeted advertising language in its terms and conditions. In this way, they hoped to rely on another legal basis for data collection and processing: the performance of a contract. If users agreed to the terms and conditions of Facebook, WhatsApp, or Instagram, Meta argued they were agreeing to receive the “service” of being presented personalized ads, and therefore to the data collection and processing necessary to present those ads.

According to reporting from the Wall Street Journal, the European Data Protection Board (EDPB) has deemed this to be an inappropriate legal basis. However, the EDPB hasn’t actually made any orders to Meta; rather, it has requested that the Irish Data Protection Commissioner (DPC) issue public orders and fines. 

It should be noted that all of this comes from unnamed sources in the WSJ article and that nothing has been officially declared yet. Further, the Irish DPC has a history of playing nice with tech companies (in fact, the Irish DPC worked with Meta on establishing its original consent bypass strategy). 

Still, if the news is to be believed and if the Irish DPC enforces the EDPB’s findings, it could be a major blow to Meta’s business in the EU. When asked whether they’re comfortable with being tracked—even for something as seemingly innocuous as advertising—most people respond in the negative.


Best,
Arlo


Names, personal information of more than 6,000 noncitizens exposed by ICE
The personal information of more than 6,000 noncitizens was erroneously posted on the U.S. Immigration and Customs Enforcement (ICE) website, a breach that could result in retaliation from the individuals, gangs, and governments that the immigrants were fleeing. The information, which was up for five hours, included the names, case status, detention locations, and other data of immigrants seeking to avoid deportation to countries such as Iran, Russia, and China.

LastPass' latest data breach exposed some customer information
LastPass recently disclosed that it was the victim of a data breach last August and that hackers accessed customer information. However, the password management company asserted that none of its customers’ passwords were exposed during the breach.



The big problem with Spotify Wrapped
More and more tech companies are coming under fire for surveilling their user base and monetizing their users’ data—but Spotify has managed to whitewash its surveillance by wrapping it up into a consumer-facing annual event called Spotify Wrapped.

“This is a particularly shining example of the fact that Spotify’s business model is based on surveillance,” says Evan Greer, director of the digital rights advocacy group Fight for the Future. “Spotify has done an amazing job of marketing surveillance as fun and getting people to not only participate in their own surveillance, but celebrate it and share it and brag about it to the world.”



The FTC wraps up public comments on consumer-surveillance proposal
The Federal Trade Commission (FTC) has closed the comment period meant to inform new rules regulating commercial surveillance and data security practices. As part of this comment-seeking period, the FTC consulted with individual experts, the public at large, and trade organizations to determine how surveillance and data security practices impact the public and businesses alike. By the end of the comment period, the FTC had gathered over 11,000 responses.



Personalized ads on Facebook, Instagram, and WhatsApp declared illegal
When the GDPR originally came into force in the EU, Meta argued that it could "bypass" the requirement to get opt-in consent from users by simply adding a provision in the terms and conditions on the grounds that targeted advertisements were part of the core service it provided consumers. However, the European Data Protection Board determined that this practice was illegal and that Meta must allow users to have access to a version of all apps that does not use personal data for ads.



Meet the MSPA, the IAB’s answer to state privacy laws
The Interactive Advertising Bureau (IAB) has released its multistate privacy agreement, or MSPA, a contractual framework designed to help ensure that companies and their vendors respect consumer consent preference signals. State privacy laws require not only that businesses honor consumer consent, but also that the downstream vendors who receive consumers’ personal information honor that consent. The MSPA is a modular framework that ensures this can happen even with the complex patchwork of privacy laws at play in the U.S.



Meta releases new features to support teen privacy
Recently, Meta rolled out a new suite of features to protect the privacy of teens using Facebook, including default privacy settings for new accounts, measures to limit unwanted interactions with adult users, and a tool to limit the spread of teens’ intimate images online.



The EU settles on proposed AI Act language
After some debate, the EU’s member states have settled on proposed language for the upcoming AI Act. The Act is designed to ensure that AI systems used in the EU are safe and respect existing laws on fundamental rights and values.



Osano blog: 1-month countdown to 2023’s state privacy laws
The last installment in our countdown series is here! The Osano team has been producing blog posts that describe what activities businesses should carry out and when in order to enter 2023 prepared for the slew of new data privacy laws coming online in that year. In this edition, we describe the last set of steps that a business needs to take in order to have a strong foundation for compliance in the new year.

About The Author · Arlo Gilbert

Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 20 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.