For years, public pressure has built up in response to perceived encroachments on data privacy. The complaint processes under the EU's GDPR have been long-winded and inconsistent, but are beginning to have regulatory implications. It is clear that service providers will be forced to adapt their practices. Specifically how and to what extent remains an open question, as advertisers, and consumers themselves, are loath to give up services that have thoroughly integrated into their existence.
This month, the Irish Data Protection Commission (DPC) has given two decisions with potentially massive impact on ad targeting and provision of digital services. At the beginning of the year, the Irish DPC imposed 330 million euros in penalties on Meta for lacking a lawful basis for using data to target ads on Instagram and Facebook. On January 19th, the regulator ruled on a 5.5 million euro GDPR fine for Meta for WhatsApp breaching "its obligations in relation to transparency". In the WhatsApp decision, the Irish DPC considered WhatsApp's Terms and Conditions (T&C), as opposed to investigating data flows and behavioral targeting data. These emerged as a prominent consumer concern in 2016, when Meta (at that time Facebook) went back on its promise not to merge data from Facebook and WhatsApp.
Inconsistencies in enforcement are also apparent within the union. The Irish DPC has been active in regulatory work, but six out of seven of their recent decisions have seen intervention from the joint European Data Protection Board (EDPB). As none of the other 30 EEA member states in the EDPB voted to back the Irish regulator's decisions in the recent Meta cases, it is not a given that the Irish stance will prevail. In all, Meta's fines over the last 16 months total more than 1.3 billion euros.
Social media run on advertising revenue
As dominant social media services like Facebook and TikTok are financed with ad revenue, a systemic shock to the ability to sell and deliver ad content would directly impact the availability of these services to consumers. Twitter is preparing to launch an ad-free subscription tier. However, social media services that consumers pay for will never deliver on the original mass premise, for neither users nor advertisers, as the audience just isn't there.
Should consumers be allowed to consent, and effectively sell their data, as they do now? The use of social media currently happens on a contractual basis. The current regulatory discussion effectively questions the right of companies to use personal data as a requirement for using their services. These include demographic data such as your age and location, personally identifying information like email address or phone number, as well as explicit and inferred data on interests or purchase intent garnered as the service is used.
These data are used to target advertising to you in various ways. The rise of the social media technology giants has been so spectacular because this targeting works well: ads in their services are often a better investment for brands and advertisers, funneling billions in revenue to the platforms and providing an effective method for reaching consumers.
While many consumer groups and individuals concerned with targeting over-reach have welcomed regulatory action, it is unclear whether aggregate public opinion would stand for the potential gutting of services and social media that millions have integrated into their daily lives.
Will current-form services cease to exist?
In the now-decided complaints against Meta, the Irish DPC found that Meta violated transparency requirements by not being clear enough about the legal basis for processing personal data, and invalidated Meta's legal framework of a contract between consumers and the company as a basis for ad targeting.
Regulators effectively banning current-form social media in the EU is a possible outcome – just not a likely one. Foremost, consumers are too heavily invested on a psychological level: social media is crack and the masses are hooked. Even as people express negative attitudes over data collection and use, that does not translate into stopping use of the services. As long as a considerable proportion of the population want these services, banning them remains politically charged.
Regulatory nudges towards a more transparent system will nevertheless continue. The Meta vs. Irish DPC cases will in all likelihood proceed to the Court of Justice of the European Union (CJEU), so that a binding Union-wide resolution can be established. The major legal question for both consumers and businesses will be what kind of contracts individuals are able to enter into as a requirement for digital services.
Are consumers free to sell their data to social media companies? Are companies required to provide their service optionally without targeted advertising?
These immediately lead to a legally critical follow-up question: Can GDPR and DMA constrain national contract law, i.e. the free ability of individuals to enter into contracts of their choosing?
Apple's ATT action showed that when given an opt-in choice, consumers are unlikely to give permission to share their data with advertisers. Around 25% of iPhone users did so, providing a benchmark for what might happen with Meta services. This change in itself was seen to strike up to 10 billion dollars from Meta's projected revenue.
The EU (via the Irish DPC) requires Meta to respond with a WhatsApp data use opt-in prompt in their services by June 2023. However, the legal wrangling in the EU court system – with the EDPB attempting to overrule the Irish decision, and the eventual outcome likely being settled in the CJEU – leaves a solid opening for Meta's well-resourced legal team on both cases.
The interpretation of GDPR's article 6.1(b) in particular is under question. A restrictive stance would see use of data limited to what's "necessary for the provision of a service" instead of "necessary for the performance of a contract" – clearly different things. Even if targeted ads are included in the basic contract, users would still have the opportunity to opt out of data use via the right to object (GDPR 21.1). An objection might still render the service unusable, but would not comprise the default (opt-in) model for data use as with the more restrictive interpretation.
Ad money will find a way
If the decision stands, or something similar traverses the system, it might not yet be the end of social media as we know it. There is simply too much money on the table – over 90 billion euros in 2022. One can imagine that besides reinvigorated investments into contextual advertising, behavioral targeting will find a new opening from blurring the lines between organic content and ad content. The process is already underway. The delivery of advertising on social media is increasingly through content feeds using AI-driven algorithmic recommenders, instead of the previous generation of interest- and intent-based audience segments. Ads are shown to users who respond to them, the same way other content is fed to the user.
Removing behavioral targeting would conceivably strip off at least the algorithmically targeted ads from the feed. What might still remain, depending on legal and technical interpretation, would be commercial content that the user has opted in to receive, e.g. posts from accounts that they follow, whether influencers promoting brands or brands directly followed by the user. It is difficult to see how these types of communications could be blocked by virtue of data use for behavioral targeting, since they are the user-requested content components of the service. A blanket requirement on commercial content in social media would go wildly beyond EU privacy legislation restrictions on data use.
If direct commercial messages without probabilistic targeting remain fair game, established brands and influencers would benefit with increasing gatekeeper power over their audiences, whereas new entrants would have a much harder time reaching consumer audiences. As with much of digital regulation, the outcomes for competition and market function can be unpredictable and entirely welcome.
Please get in touch (firstname.lastname@example.org) with any corrections, additional insights or fresh speculation.
Illustrated with help from Midjourney AI.