Meta violates GDPR with non-compliant targeted ad practices, earns over $400 million in fines

Must-read big data coverage

• What Powers Your Databases? Take This DZone Survey Today!
• New AI Data ‘Universal Translator’ From Salesforce, Snowflake, Others
• Top Tech Conferences & Events to Add to Your Calendar in 2025
• Google Releases Data Commons MCP Server to Supercharge AI Agents

As of Wednesday, Jan. 4, Meta has once again been hit with a major GDPR violation, earning itself more than $400 million in fines for its latest data privacy misstep. The EU’s Ireland-based Data Protection Commission levied two sets of fines after ruling that EU-based users have been illegally forced to accept personalized, targeted ads from both Facebook and Instagram.

SEE: GDPR resource kit: tools to become compliant (TechRepublic Premium)

This GDPR ruling is one of the most severe since GDPR was first instituted in 2018, but it’s certainly not Meta’s first expensive run-in with the regulation. In this report, we’ll share what we know about Meta’s latest violation, and we’ll dive a little deeper into Meta’s troubled past with GDPR.

Jump to:

• Fast facts about Meta’s 2023 GDPR targeted ads violation
• A look at Meta’s 2022 GDPR violations and fines
• What this could mean for Meta

Fast facts about Meta’s 2023 GDPR targeted ads violation

Starting the new year on a sour note, Meta has lost a flagship GDPR case based on its targeted advertising practices and now must pay fines of €390 million, or over $400 million. This ruling was made by Ireland’s Data Protection Commission, an Ireland-based branch of the European Union’s GDPR regulators.

To get you up to speed, here are some of the most important facts to know about this latest violation and ruling:

• Meta is being fined for violating EU user privacy rights, with nonconsensual targeted advertising practices on Facebook and Instagram.
• More specifically, Meta is under fire for adding a clause to its advertising terms of services that essentially required users to share their personal data; this violates the GDPR-based privacy rights of EU users.
• €210 million of fines were issued for Facebook violations, while €180 million were issued for Instagram violations.
• This case was processed in Ireland because Meta’s regional headquarters is located in Dublin.
• The Ireland regulator at first ruled in favor of Meta, but their position changed after an EU board of regulators from the greater EU bloc objected to their ruling.
• Meta believes its advertising practices already align with GDPR and plans to appeal this ruling.
• Although this ruling has only just been made, it stems from complaints that go back to 2018, the year GDPR was first put into effect.
• Meta has three months from the time of this ruling to achieve GDPR compliance.

A look at Meta’s 2022 GDPR violations and fines

Meta has had a rough time with GDPR violations, especially over the course of the last year. In 2022 alone, it is believed that Meta paid €670 million in fines for GDPR violations. According to the latest data analyzed by Atlas VPN in December 2022, Meta’s violations account for more than 80% of the total €830 million in violations that EU businesses accumulated in 2022.

According to Atlas VPN’s report, some of Meta’s biggest 2022 penalties came during Q4 of 2022. The company was fined €405 million in September 2022 and €265 million in November 2022. Even prior to this 2023 ruling, Meta had paid approximately €1 billion in GDPR fines.

What this could mean for Meta

This latest violation may seem like nothing more than the latest feather in Meta’s non-compliance cap, but it’s much more than that: It is a major case that illustrates bigger issues and challenges in the tech giant’s business model.

SEE: Data governance checklist for your organization (TechRepublic Premium)

With this ruling, the longer-term success of Facebook’s and Instagram’s revenue models is put into jeopardy. Meta’s child brands, Facebook and Instagram, heavily rely on user data collection to conduct behavioral analytics and granularly target advertising campaigns.

Much of these two websites’ revenue comes directly from the clicks and engagement targeted ads generate. Thus, losing a segment of user data as big as the EU’s 27-nation bloc’s population could mean major trouble for the platforms’ continued growth.

And hefty fines are obviously not ideal for a company already struggling with massive waves of layoffs and the other pains that come with several quarters of stagnating growth. Meta is still one of the largest tech companies in the world, but it’s struggling to keep up with the scale and vision it has set out for itself.

Regardless of what future plans the company has for the Metaverse or its other lofty projects, GDPR and other regulatory compliance efforts should be the company’s first priority right now. As Meta is already struggling with reputational damage and bad press related to consumer data privacy, the company can’t afford to take too many more major hits in this area.

Read next: Top data governance tools (TechRepublic)