EEA Meta Restrictions: Position Paper

Back to Blog

An outline of the decision recently made by the European Data Protection Board to ban Meta’s current behavioural advertising processes within the EEA (European Economic Area), how this may impact advertisers using Meta’s targeted advertising services, and recommendations by Data Sciences (DS) on optimizing advertising and targeting systems going forward.

1. What’s going on

As of November 2023, the behavioural advertising ban originally issued by the Norwegian Data Protection Authority originally applied to Norway and the data of Norwegians, has been extended to the 30+ countries included in the entire EEA. The decision has also now been made permanent. This is currently an issue primarily between Meta and the data protection agencies. However, it leaves organizations currently using Meta to reach their target audiences contending with a new set of considerations on the biggest digital advertising platform in Europe and wondering how they may need to adapt their targeting efforts to ensure they meet their goals. DS has been following the process closely and has developed a set of initial recommendations accounting for the ever-shifting landscape of international data protection regulation.

What is included in the ban?

The ban refers specifically to the storage and processing of user data and the use of that data to individually target users based on that behavioural data. According to the Norwegian Data Protection Authority whose original order resulted in the Europe-wide ban, the definition is as follows:

“Behavioural Advertising includes targeting ads on the basis of inferences drawn from observed behaviour as well as on the basis of data subjects’ movements, estimated location and how data subjects interact with ads and user-generated content.”

This information consolidated is the core mechanism for Facebook’s extremely granular targeting of ads placed on Facebook and Instagram based on their algorithm’s inferences taken from that type of data collected from the users of Meta services. Any Meta user (ie. Facebook, Instagram) may take any number of actions both on the platform and across other websites, interacting with advertisements, pages, and organic posts. All of that information is used by Meta to build one-of-a-kind user profiles to deliver an extremely personalized advertising experience.

What is not included in the scope of the ban?

Data voluntarily submitted by Meta users to the platform is not included in the ban. For example, details submitted in the ‘about’ section of a Facebook user profile as outlined below:

“The order does not in any way ban Meta from offering the Services in Norway, nor does it preclude Meta from processing personal data for advertisement purposes in general. Only (…) as defined above (…) Practices such as targeting ads based on information that data subjects have provided in the “About” section of their user profile, or generalized advertising, is out of the scope of this order.

For example, the order does not itself prevent an advertising campaign on Facebook which, based on profile bio information, targets ads towards females between 30 and 40 years of age residing in Oslo and who have studied engineering.”

Meta has been ordered to cease all behavioural advertising practices and the tech giant has been receiving fines of $ 1 million crowns per day for breaching the order with regard to users privacy. At the time of writing this memo, Meta has remained steadfast in its position that the ban will not affect services and that advertisers are not required to take action, however, while continuing to operate they risk running afoul of GDPR regulation and may face larger fines. Meta argues that their business is being unjustly targeted and intends to challenge the ruling.

2. How this may affect advertisers

While Meta has not made any explicit changes to their behavioural targeting practices they have rolled out a new subscription service in which users within the EEA are invited to either,

1. Opt out of all ads by purchasing a subscription to their new ad-free service for approx. $9.99 a month, or
2. Continue with regular ads ‘as-is’ meaning their data will continue to be used for behavioural advertising.

It is not yet known whether this adjustment will be acceptable to the EDPB but at this point, all behaviour-based advertising remains banned. It is also important to note that while Meta is the first to be restricted in its privacy and targeting practices, a new international tech ecosystem with regards to data privacy is emerging in Europe and we anticipate further changes as more countries and platforms follow suit. 

Meta is being forced to change their business model and rely solely on the GDPR pillar of “informed consent” to process behavioural data as opposed to their previous argument of “legitimate interest” which argued the organization’s income relied on the data collection to operate their services therefore they were entitled to collect it. However, Meta is now being required to prove that users are knowingly and willingly consenting to the use of their tracked behaviour, on and off-platform, in the ad targeting process.

3. How advertisers can protect themselves

Given the changing nature of advertising, this is an opportunity to optimize your organization’s advertising programs. The following details DS’ recommendations to benefit you as a client to not be so reliant on the behavioural advertising Meta offers that is now no longer considered acceptable in the EEA.

• Diversify platforms and objectives
  • Incorporating other digital advertising platforms in your ad plan allows you to not depend as heavily on Meta. DS recommends adjusting the ad plan and strategy to include potential X, LinkedIn, Snapchat, TikTok, Google, etc. 
  • Adding new objectives in your ad strategy to supplement your ad program and compensate for potential loss of data.
    • Running Pagelike campaigns on Meta to increase interaction and traffic on your official page can help grow your audience of both paid advertising and organic posting in a more compliant way.
• Email lists as preemptive measures
  • Manual audience creation through the acquisition of consented Hard-IDs will become increasingly more valuable to offset targeting potentially becoming difficult. Advertisers should adjust their programs to ensure they are regularly collecting the consented email addresses and details of their own engaged users to add to a contact list that they administer. These contacts can more safely be used to remarket on Meta but also over email and on other platforms. 
• Explicit consent to receive your content
  • By proactively optimizing your own consent journey within your ad program, advertisers can further protect themselves while the validity of Meta’s consent-based system is being called into question.
    • Leaving the platform, your landing pages can be equipped with pixels and cookies which are allowed with explicit, mandatory consent as per each advertiser’s upfront privacy policy and can be used for thoughtful advertising.
    • To comply with GDPR each contact would need to accept cookies before their engagement to be used in retargeting.

Further options DS has provided to clients

Data Sciences has used our wealth of experience to help international clients navigate data protection and privacy regulation while acquiring the insights they need from various assessments and restructuring of data systems since the EU adopted General Data Protection Regulation (GDPR) in 2018 to the ongoing Meta regulations. Our clients include various organizations working with highly sensitive data protected under GDPR jurisdiction that prioritize data security and wish to expand globally. These clients have asked us for products and solutions to increase the safety of their data collection, analysis, and advertising practices including;

• Full GDPR audit of entire systems
  • DS has overseen rigorous reviews of our client’s systems to preemptively discover and solve potential breaches and tighten security.
• Invention of a new Serverless Landing Page
  • DS designed a unique serverless web page designed to ensure more security by limiting unnecessary data collection, transfer and storage. This product is a customizable, dynamic page you can use for audience capture that exists only as long as it is opened on the user’s device limiting unnecessary data storage and transfer.  
  • This solution ensures that no data being transmitted remains on any user’s device based outside the EU.
• Online Post-Advertisement Engagement Surveys
  • DS has been continuously improving our post-advertising surveys to collect demographic and qualitative insights into ad audiences’ opinions and segments.
  • We have also been able to give clients more control over improving their own consent journey so as not to rely as heavily on advertising platforms’ policies (like Meta). This means carefully collecting explicit advertising and data collection consent from those who choose to submit survey answers as well as maintaining the anonymity of users as needed.