Meta/Facebook’s approach to GDPR compliance is largely insufficient, according to a new ruling by the Court of Justice of the European Union.
“Meta cannot simply bypass the GDPR with some paragraphs in its legal documents. This will mean that Meta has to seek proper consent and cannot use its dominant position to force people to agree to things they don’t want.”
Sorry about that - GDPR is short for General Data Protection Regulation, and it’s basically an EU regulation determining what businesses are allowed to do with the data of their users.
What businesses are allowed to do with user data boils down to pretty much nothing without consent: Individuals need to have control over their data and have it removed if they feel like it, you can’t just ship user data out of the EU just like that, you can’t store user data without explicit consent, etc. It caused a huge shock in European industry when it was first passed, as basically not a single company was meeting the standards of what we now refer to as being GDPR compliant. I had a friend working in some random flower shop who got a bunch of extra work because their repeat customer programme was suddenly becoming illegal.
The case before the CJEU - the Court of Justice of the European Union - revolved around the terms and conditions of Facebook. Meta did not want to conventionally comply with GDPR because it turns out users will generally refuse to give consent if you go ahead and ask them. Instead they came up with a dumb loophole: the ads were framed as part of their service, and their terms of service obliged Facebook to serve people ads that would otherwise have been in breach of GDPR.
Predictably, the European court was not convinced by their “loophole”, and basically ruled that Meta has to comply with GDPR like anyone else.
I hope that clarified a little! :)