Meta has run afoul of Norwegian Data Protection Authority, with the latter banning the company’s behavioral advertising and threatening a $100,000-a-day fine.
Norway’s regulatory agency took issue with Meta’s practice of tracking user activity far beyond the data users voluntarily provide:
Meta tracks in detail the activity of users of its Facebook and Instagram platforms. Users are profiled based on where they are, what type of content they show interest in and what they publish, amongst others. These personal profiles are used for marketing purposes – so called behavioural advertising. The Norwegian Data Protection Authority considers that the practice of Meta is illegal and is therefore imposing a temporary ban of behavioural advertising on Facebook and Instagram.
The Norwegian Data Protection Authority cites a decision by the Irish Data Protection Commission in December 2022 that Meta’s behavior is illegal. Despite Meta changing some of its practices, the Court of Justice of the European Union recently found that Meta’s behavior is still not legal. Norway’s ban goes into effect August 4 and lasts for three months, or until Meta complies with the law. If Meta fails to comply, the company faces a fine of up to $100,000 per day.
The regulator makes clear that it is not opposed to targeted advertising, as long as such advertising is based on data users provide, not based on surveillance of their activity:
The Norwegian Data Protection Authority does not ban personalised advertising on Facebook or Instagram as such. The decision does not for example stop Meta from targeting advertising based on information a user put in their bio, such as place of residence, gender and age, or based on interests a user has provided themselves. Nor does the decision stop Meta from showing behavioural advertising to users who have given valid consent to it.
The regulator acknowledges that it would normally be the Irish Data Protection Commission that would address such issues but says the urgency of the situation necessitated taking action:
As Meta has its European headquarters in Dublin, it is normally the Irish Data Protection Commission that supervises the company in the EEA. The Norwegian Data Protection Authority can nevertheless intervene directly against Meta when there is an urgent need to act, and in such cases we can issue a decision which is valid for a period of three months. We consider that the criteria for acting urgently in this case are fulfilled, in particular because Meta has recently received both a decision and a judgment against them to which they have not aligned themselves with. If we don’t intervene now, the data protection rights of the majority of Norwegians would be violated indefinitely.
The decision is the latest issue for the social media giant as regulators around the world begin to scrutinize Big Tech’s use of consumer data.