Targeting Meta - When behavioural advertising goes wrong

Meta highlights the need for careful consideration when it comes to picking a lawful basis for processing personal data under the UK or EU GDPR – your organisation will want to avoid the costly Meta mistakes!

What's happened?

Meta has come under fire from its Irish regulator, the Data Protection Commission (DPC), in relation to behavioural advertising. The DPC has fined Meta Platforms Ireland Limited (Meta) €390 million for breaches of the EU GDPR relating to its Facebook and Instagram services.

Meta had changed its Terms of Service in advance of the EU GDPR coming into force in May 2018. The key change was to the ‘legal basis’ that Meta relied on to process personal data for its personalised services, including behavioural advertising. Meta no longer sought to rely on user consent, instead stating that the processing was necessary to perform the contract with users.

If users wanted to continue to use Facebook and Instagram, they would need to accept the new Terms of Service. If a user declined, they could no longer access the apps.

The complainants argued that the ‘performance of a contract’ legal basis was not valid for behavioural advertising, and that Meta essentially “forced” users to consent to such processing if they wanted to use the apps. 

Meta’s response was that personalised services, including personalised ads, are central to the Facebook and Instagram service, and to the contract it has with its users. In a statement, Meta said “Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service”.

The DPC did not agree. After referring the matter to the European Data Protection Board, the DPC concluded that Meta must obtain user consent to serve personalised ads.  It could not rely on the ‘performance of a contract’ legal basis. 

It also found that Meta had breached its obligations in relation to the fair and transparent processing of users' personal data.


Behavioural advertising makes up the vast majority of Meta’s profits, allowing advertisers to display highly relevant ads to users based on their interests. 

Asking for each user’s consent will reduce the pool of users to which Meta can serve personalised ads and will impact profits in the EU. Unsurprisingly, Meta said in a statement that it intends to appeal the DPC decision and fine. 

The DPC has given Meta three months to bring its data processing operations into compliance with the EU GDPR.  Meta will be under pressure to find a solution that protects its profits while complying with the DPC decision. 

All businesses that engage in behavioural advertising in the EU will need to pay close attention to this landmark EU GDPR decision.  

Although the fine has been imposed under EU law (which is separate to English law post-Brexit), businesses operating in the UK market should also take note, as the UK GDPR currently largely mirrors the EU GDPR. 

This fine is one of a long string of fines for Meta, having been fined over €1 billion for EU GDPR breaches. These eye watering fines are enough to have an impact despite Meta’s huge profits, and mark a continuation of an aggressive approach by EU regulators. 

It is highly likely that this attitude will remain, and we will be seeing further large fines as we move through 2023.    

Key points for organisations

  • Organisations need to carefully assess the legal basis that they will rely on for each of their personal data processes – especially when it comes to aspects such as direct marketing and personalised advertising. 
  • Consent options need to be provided where appropriate, taking into account the requirements for clarity and granularity.
  • Organisations must also be transparent with users in privacy notices, so that it's clear which data is being collected and for which purposes. 
  • Organisations should embrace the undertaking of Data Protection Impact Assessments (DPIAs) to carefully consider and address issues associated with such personal data processing activities.  

How we can help

  • We can assist with UK/EU GDPR compliance activities – ranging from assistance with new processes to full organisational compliance activities
  • We can assist with completing Data Protection Impact Assessments (DPIAs)
  • We can assist with preparing privacy notices, cookies notice, as well as consent wording requirements
  • We can assist with other IT, Data Protection and Cyber law aspects as well.

Mills & Reeve’s national IT, data protection and cyber law teams can assist your organisation with all of these and other legal requirements.  

Please feel free to get in touch to arrange an initial consultation call.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.