On October 27, the European Data Protection Board (EDPB) adopted a binding decision requiring the Irish Data Protection Commission to prohibit Meta from processing personal data for behavioral advertising on the bases of performance of a contract and legitimate interests across the European Economic Area. This latest action is the most recent in a string of decisions stemming from the Court of Justice of the European Union (CJEU) and actions from data supervisory authorities such as Norway’s around Meta’s behavioral advertising practices. In its July 4 decision, the CJEU clarified their understanding of Meta’s behavioral advertising practices as “[m]ade possible in technical terms by the automated production of detailed profiles in respect of the network users and the users of the online services offered at the level of [Meta]. To that end, in addition to the data provided by the users directly when they sign up for the online services concerned, other user- and device-related data are also collected on and off that social network and the online services provided by [Meta], and linked to their various user accounts. The aggregate view of the data allows detailed conclusions to be drawn about those users’ preferences and interests.”
Of course, this characterization of Meta’s practices as detailed by the CJEU is common across many different types of companies. Fundamentally, the EDPB’s decision and the CJEU’s July 4 ruling raise questions not just about Meta’s business model in the EEA, but also about the future of behavioral advertising across the EEA. Below we discuss the state of behavioral advertising in Europe and contrast it with the regime in the United States.
GDPR Bases For Processing: Performance Of A Contract & Legitimate Interests
Article 6 of the EU’s General Data Protection Regulation (GDPR) lists six bases for processing, including consent, processing necessary for the performance of a contract, and processing necessary for the purposes of the legitimate interests of the controller (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data).
Performance of a Contract
Meta had attempted previously to base their behavioral advertising practices on processing necessary for the performance of a contract. The rationale was that Meta is not able to offer its platform without serving cross-contextual and targeted advertisements to its users. However, the CJEU held that “The fact that such [behavioral advertising] processing may be referred to in the contract or may be merely useful for the performance of the contract is, in itself, irrelevant in that regard. The decisive factor for the purposes of applying the justification . . . is rather that the processing of personal data by the controller must be essential for the proper performance of the contract concluded between the controller and the data subject and, therefore, that there are no workable, less intrusive alternatives.” In other words, processing based on performance of a contract can only be used as a basis “on the condition that the processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur.” The CJEU held that since behavioral advertising is not necessary for a consumer to use an online social network, behavioral advertising cannot be the indispensable basis for a contractual obligation.
Legitimate Interests
The legitimate interests basis from Article 6(1)(f) of GDPR has been a popular basis for processing personal data because of its flexibility. This basis requires a balancing test between the legitimate interests pursued by the controller and the interests or fundamental rights and freedoms of the data subject. Such a balancing test, while not a panacea for all processing activities, is a more open-ended basis than many of the others in Article 6.
However, legitimate interests has been a difficult basis for behavioral advertising going as far back as the 1995 Directive which preceded GDPR (95/46/EC). Even then, the Article 29 Working Party (the predecessor to the EDPB) issued guidelines around legitimate interests, which looked skeptically at behavioral advertising. This sentiment was echoed again in 2017 by the Article 29 Working Party’s guidelines around automated decision-making and processing (pursuant to the then newly passed GDPR) which said, “[i]t would be difficult for controllers to justify using legitimate interests as a lawful basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.” One reason is that data subjects may not be able to reasonably expect or understand the extent of behavioral advertising, which is balanced against any necessary purpose the controller may have. As the CJEU stated, “[t]he processing at issue in the main proceedings is particularly extensive since it relates to potentially unlimited data and has a significant impact on the user, a large part – if not almost all – of whose online activities are monitored by [Meta], which may give rise to the feeling that his or her private life is being continuously monitored.”
Is Consent The Only Option in Europe?
This leaves consent as the most likely basis for compliant behavioral advertising in the EU. This should not come as much of a surprise as certain types of marketing such as email marketing already require opt-in consent due to the ePrivacy Directive. Meta has proposed a subscription model for EU users where users would have the option of a paid subscription without targeted advertising or consenting to targeted advertising without the paid subscription. However, doubts still remain even here as to whether this model could be considered valid consent and this new model will likely be challenged.
Regardless of how Meta attempts to gain the consent of its users, the more pressing problem from a commercial standpoint persists as to how consent as a basis for behavioral advertising would ever be valid. This is not a new problem. Some of the problem stems from the EU’s stringent understanding of consent, which is why consent is an unpopular basis for processing when a controller is given an option among bases for processing. Consent requires the data subject to be highly informed, be free in assenting to the consent, and maintain a persistent revocation right. This makes consent a difficult standard to apply en masse.
Specifically for behavioral advertising, the European Parliament conducted a study in 2021 which listed numerous limitations to consent as a basis for processing including that “individuals are subject to persistent multiple requests for consent, concerning processing operations involving obscure technicalities [and] undetermined risks” and that profiling broadly opens up the way for manipulation as data subjects may not be able to make informed choices in light of not being aware of the influence of their choices. As the study stated, “Individuals may be ‘hyper-nudged’ by targeted advertising and adaptive manipulative design into choices they will possibly regret. This can be achieved by profiting of their (mis)perceptions and weaknesses.” In other words, under the EU’s understanding of consent, data subjects and data supervisory authorities can always claim that any consent with respect to behavioral advertising was not freely given, which would render any consent invalid.
What Makes The US So Different?
In contrast to the EU’s general skepticism toward behavioral advertising stand the US state comprehensive privacy laws, beginning with the California Consumer Privacy Act (CCPA) from 2018 as amended by the California Privacy Rights Act (CPRA) from 2020, and other newly passed state comprehensive privacy legislation. These laws have been fairly uniform in only requiring businesses bound by such laws to offer opt-outs to behavioral advertising (called “sharing” under CPRA and called “targeted advertising” under other state laws such as the Colorado Privacy Act).
What we are therefore seeing is a coalescing of conflicting standards between the US and the EU with regard to behavioral advertising, similar to the conflict in laws we have already seen between the US and the EU in relation to email marketing. Broadly speaking, CAN-SPAM under US federal law is an opt-out regime while the ePrivacy Directive in the EU is (usually) an opt-in regime with regard to email marketing. Behavioral advertising is now following a similar pattern where the US states are opt-out and the EU appears to be forming an understanding that opt-in consent is the only basis.
But as pointed out, one key difference between email marketing and behavioral advertising is that it is not even clear in the EU that opt-in consent can work as a basis.
So What Should Companies Do?
Similar to email marketing, companies have to take into account the discrepancy between the more permissive US laws and the more restrictive EU laws when it comes to behavioral advertising. Meta is serving as the test case but all companies, even ones that are not online social networks, have to be aware that all behavioral advertising in the EU is suspect and prone to challenge. The EU will have to clarify its position on behavioral advertising to avoid a scenario where behavioral advertising is, for all intents and purposes, essentially illegal.
In the meantime, while behavioral advertising in the EU is in this state of limbo, companies should review whether:
Consent is the basis for processing in the EU for behavioral advertising purposes and if not, consider switching to consent as the basis;
There is a valid opt-out from behavioral advertising;
Users are provided with a clear understanding of how behavioral advertising functions on their products and services; and
Most importantly, they have a backup plan in the event the EU takes a more hardline stance on behavioral advertising, even with consent as a basis for processing.