July 18, 2023  •  3 min read  •  By Marty Swant

Ivy Liu

Meta already faces a lot of regulatory pressure in Europe, but the parent company of Facebook and Instagram now has yet another government poking at its privacy practices.

On Monday, the Norwegian Data Protection Authority (Datatilsynet) said it will require Meta to stop behavioral advertising on Facebook and Instagram in the country for the next three months unless users give consent. If Meta doesn’t comply with the ruling — which applies to data such as web browsing and location — the company will face daily fines of around $100,000.

Although the ruling was limited to just Norwegian users of Meta’s platforms, privacy experts think it could have broader implications for other countries and companies if it’s adopted by other EU regulators. One attorney also noted Norway’s decision addresses whether companies can use their own first-party data to personalize ads without asking for consent, which in this case is limited to info such as a person’s information listed in their profile.

“This decision would have major impacts on the standard business processes across industries,” said Dan Felz, a partner at the law firm Alston & Bird. “It goes well beyond the decision about ads personalization issued in January by the Irish Data Protection Commissioner. The closest thing I have seen is German regulators attempting to move financial services providers towards a consent-first model for customer profiling for advertising purposes.”

The decision comes after other key decisions related to Meta’s advertising operations in Europe including the EU’s top court ruling earlier this month that Meta was violating EU privacy laws by collecting users’ data for behavioral advertising.

By raising new questions about the legal basis of consent when it comes to ad-tracking, others say Datatilsynet’s decision could prompt companies to explore other advertising models — such as shifting toward contextual targeting or going dark on Meta platforms — rather than risk regulatory action.

“We’re seeing privacy regulators show their teeth a bit more this year,” said Joe Jones, director of research and insights at the IAPP. “… There’s something in this judgment for everyone.”

Meta did not respond to Digiday’s request for comment, but some privacy advocates celebrated Monday’s ruling by issuing their own statements. In a press release published by NOYB — an Austria-based digital rights group that helped spark a privacy investigation in France against the Parisian ad-tech firm Criteo — Program Director Romain Robert described Norwegian DPA’s decision as “exciting.”

“It clearly seems to be an attempt to bypass the Irish DPC, which wasn’t enforcing its own decision against Meta give years after NOYB’s complaints,” Robert said in a statement.

In a blog post published by Amnesty International, Sherilyn Naidoo, Amnesty International’s policy adviser on technology and human rights, said using social media and protecting privacy “should not be a tradeoff” and urged other governments in Europe and elsewhere to take similar actions.

“Data protection authorities across the EU and the wider world should follow suit in taking similar action in the short term,” Naidoo said in the statement. “And in the long term should enact binding regulation to ban targeted advertising on the basis of invasive tracking practices.”

https://digiday.com/?p=511273