[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-slug_blog_3_1":3,"blog-slug_blog_meta-targeted-advertising-not-gdpr-compliant_1000_1":40},{"article":4,"articles":15,"meta":33,"languages":39},{"id":5,"title":6,"excerpt":7,"locale":8,"slug":9,"authorSlug":10,"automaticTranslated":11,"publishedAt":12,"updatedAt":13,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3060,"The EU wants to kill cookie banners","The EU wants to end annoying cookie pop-ups by letting users set their consent once in their browser. If passed, websites will have to respect those choices.","en","the-eu-wants-to-kill-cookie-banners-by-moving-consent-to-your-browser","iron-brands",false,"2025-11-20T05:40:14.356Z","2025-11-20T06:13:15.812Z","blog",[4,16,26],{"id":17,"title":18,"excerpt":19,"locale":8,"slug":20,"authorSlug":10,"automaticTranslated":11,"publishedAt":21,"updatedAt":22,"ctaTitle":23,"ctaDescription":24,"doFollowLinks":11,"showIndex":25,"showCallToActions":11,"articleType":14},3019,"Google is tracking you (even when you use DuckDuckGo)","Google tracks users even on DuckDuckGo via Analytics and embeds. A new study shows how deep Google’s web tracking really goes.","google-is-tracking-you-even-when-you-use-duck-duck-go","2025-07-14T08:56:41.709Z","2025-07-14T11:26:01.386Z","If you care about privacy, you don't use Google Analytics","Ditch the tracking, keep the insights. Try Simple Analytics.",true,{"id":27,"title":28,"excerpt":29,"locale":8,"slug":30,"authorSlug":10,"automaticTranslated":11,"publishedAt":31,"updatedAt":32,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3018," German court rules Meta’s tracking tech violates GDPR","German court rules Meta’s tracking tech violates GDPR, allowing lawsuits without proof of harm. 
Big risks ahead for sites using Meta pixels.","german-court-rules-meta-s-tracking-tech-violates-gdpr","2025-07-10T08:20:51.111Z","2025-07-10T12:16:26.327Z",{"pagination":34},{"page":35,"pageSize":36,"pageCount":37,"total":38},1,3,362,1084,{},{"article":41},{"contentHtml":42,"question":43,"content":44,"inlineMedia":45,"id":47,"title":48,"excerpt":49,"locale":8,"slug":50,"authorSlug":51,"automaticTranslated":11,"publishedAt":52,"updatedAt":53,"doFollowLinks":11,"showIndex":25,"showCallToActions":25,"articleType":14,"languages":54},"\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">As the \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.wsj.com/articles/metas-targeted-ad-model-faces-restrictions-in-europe-11670335772?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">Wall Street Journal\u003C/a> reported, the European Data Protection Board found that \u003Cstrong>Meta has been illegally profiling users for targeted advertising\u003C/strong> on its platforms. The decision can be appealed but is unlikely to be overturned. No information about sanctions is available at the moment, but given the amount of personal data involved, we might see \u003Cstrong>a\u003C/strong> \u003Cstrong>hefty fine\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">The decision stems from a complaint filed in 2018 by privacy NGO \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://noyb.eu/en/noyb-win-personalized-ads-facebook-instagram-and-whatsapp-declared-illegal?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">noyb\u003C/a> and practically overturns a previous ruling by the Irish data protection authority (DPC). 
While the decision has yet to be published, the picture is fairly straightforward since some information about the complaint has been publicly available for a long time.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">In this blog, we will explain the deal with Meta and why it’s a \u003Cstrong>consequence of a broader problem with the business model behind social media\u003C/strong>.\u003C/ContentEditable>\n\u003Cp>\u003Cimg class=\"mx-auto rounded-lg\" src=\"https://assets.simpleanalytics.com/gifs/its-bigger-on-the-inside.gif\" />\u003C/p>\n\u003Col class=\"counters\">\u003Cli>\u003CNuxtLink to=\"#the-decision\">The decision\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#data-is-not-a-commodity\">Data is not a commodity\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#update\">Update\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#conclusions\">Conclusions\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003CCtaOne />\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">Let’s dive in!\u003C/ContentEditable>\n\u003CContentEditable  id=\"the-decision\" parent=\"\" tag=\"h2\" :articleId=\"269\">The decision\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">To be clear, \u003Cstrong>the EDPB did\u003C/strong> not \u003Cstrong>say that targeted advertising on social media platforms is in and of itself illegal\u003C/strong>. The Board found that Meta was profiling users illegally because it was \u003Cstrong>abusing a specific legal basis\u003C/strong> under the GDPR- the performance of a contract. This might seem like a minor detail, but it isn’t. 
Let’s unpack the issue.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">As we explained \u003CNuxtLink to=\"/blog/gdpr-101-legal-bases\"  >on our blog\u003C/NuxtLink>, under the GDPR, every data controller needs a \u003Cstrong>legal basis\u003C/strong> to process data- that is, a justification such as the data subject’s consent or a legal obligation. The GDPR includes a closed list of six legal bases, each with its own requirements.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">Since the GDPR’s entry into force in 2018, Meta has been using \u003Cstrong>the performance of a contract\u003C/strong> as a legal basis for serving users with personalized advertisements based on their online activity. By doing so, Meta was essentially claiming that personalized advertising is an essential part of their contract with the user (that is, the terms of service for Facebook and Instagram). Noyb claimed that Meta was abusing the legal ground of the contract and took legal action in 2018, filing the complaint that led to the EDPB’s decision.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">The ruling itself is absolutely unsurprising. European case law has long clarified that the legal ground of contract only covers processing activities which are strictly necessary to the performance of the contract. This is obviously not the case with targeted advertising. Additionally, the EDPB itself clarified in its guidelines that contract is not a suitable legal basis for online behavioral advertising.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">But why couldn’t Meta just rely on a different legal basis? It’s a bit complicated, so we’re going to keep things short and sweet here and include some more details in the notes. 
In a nutshell, \u003Cstrong>not relying on contract would have forced Meta to collect user consent instead\u003C/strong>. This is a tricky proposition because a user could just refuse targeted advertising or opt out of it. As Internet users become more and more privacy-aware, this could \u003Cstrong>severely impact advertisement revenue\u003C/strong> for the company.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">\u003Cem>(Note: Meta is still not relying on consent for profiling. See the updates below for more details)\u003C/em>\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">Bottom line, Meta circumvented the rules and got away with it for four years.\u003C/ContentEditable>\n\u003CContentEditable  id=\"data-is-not-a-commodity\" parent=\"\" tag=\"h2\" :articleId=\"269\">Data is not a commodity\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">Meta is not the only big tech company struggling with the GDPR. For instance, \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://thehackernews.com/2022/07/tiktok-postpones-privacy-policy-update.html?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">TikTok got in trouble with the Italian DPA\u003C/a> because of legal bases not long ago. 
Google Analytics is also having its fair share of troubles and getting practically banned in several Member States, for different reasons (we wrote about this on our \u003CNuxtLink to=\"/blog/the-complete-overview-from-101-noyb-complaints-to-banning-google-analytics\"  >blog\u003C/NuxtLink>).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">The core of the issue is that the GDPR (and the EU data protection framework in general) \u003Cstrong>treats privacy and data protection as fundamental rights\u003C/strong>, whereas social networks (and many other tech companies) embody a surveillance-centered business model that \u003Cstrong>treats personal data as a commodity\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">These perspectives are \u003Cstrong>radically incompatible\u003C/strong>. From a purely economic point of view, profiling is actually necessary to the performance of the contract because it’s a crucial part of Meta’s business model: if the company couldn’t profit from the contract, it would not be able to provide the service, nor would it have any incentive to do so. But under the GDPR, privacy and data protection are non-negotiable rights. The processing of personal data cannot be justified just because it’s part of a business model, no matter how widespread and successful.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">Some critics of the GDPR claim that the Regulation is impracticable and out of touch with a data-driven economy, but this is not the case. European institutions are well aware of the crucial role of data. 
This is why the GDPR strives to strike a balance between data protection rights and other fundamental rights, including the freedom to conduct a business.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">But the GDPR also \u003Cstrong>draws a line between a data-driven economy and a surveillance economy\u003C/strong>, and this line has been rightfully enforced against Meta.\u003C/ContentEditable>\n\u003CContentEditable  id=\"update\" parent=\"\" tag=\"h2\" :articleId=\"269\">Update\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">There have been quite a few updates since we published this blog:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>the DPC issued a total of €390M in fines over Facebook and Instagram’s GDPR violations\u003C/li>\n\u003Cli>the EDPB settled a similar case against Meta-owned WhatsApp. The DPC fined WhatsApp only €5M\u003C/li>\n\u003Cli>the EDPB ordered the DPC to further investigate Meta’s data processing operations. The DPC believes that the EDPB lacks the authority to do so and announced legal action against the order in the EU Court of Justice.\u003C/li>\n\u003Cli>the Amsterdam District Court held Meta&#39;s targeted profiling to be illegal in a recent class action (\u003CNuxtLink to=\"/blog/meta-s-privacy-fiasco-a-cautionary-tale-for-big-tech\"  >we discussed this case in detail\u003C/NuxtLink>)\u003C/li>\n\u003Cli>as of April 5, Meta is relying on the legal basis of \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://about.fb.com/news/2023/01/how-meta-uses-legal-bases-for-processing-ads-in-the-eu/?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">legitimate interest\u003C/a> for targeted advertising. 
noyb is \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://noyb.eu/en/meta-facebook-instagram-switching-legitimate-interest-ads?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">not happy\u003C/a> with the new legal basis (rightly so, we believe) and intends to challenge it.\u003C/li>\n\u003C/ul>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">€390M might look like a lot, but it really isn’t. The largest components of the fines revolve around a lack of transparency. The lack of a legal basis, which is arguably the biggest issue, cost Meta a total of €120M between Facebook and Instagram’s violations. For comparison, the Belgian DPA fined Amazon €746M over similar violations!\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">It’s hard to say how the DPC’s legal action against the EDPB will play out, but it will surely increase the already alarming friction between the DPC and its European counterparts.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">Last but not least, in an unrelated case revolving around data transfers, Meta was \u003Cstrong>fined €1.2 billion\u003C/strong> (no, that&#39;s not a typo!) by the DPC and ordered to \u003Cstrong>suspend US data transfers\u003C/strong> for Facebook. This could result in a \u003Cstrong>Facebook blackout\u003C/strong> for Europe. Needless to say, \u003CNuxtLink to=\"/blog/meta-hit-with-record-breaking-1-3-billion-fine-over-facebook-data-transfers-to-the-us\"  >we discussed this important case in detail\u003C/NuxtLink>.\u003C/ContentEditable>\n\u003CContentEditable  id=\"conclusions\" parent=\"\" tag=\"h2\" :articleId=\"269\">Conclusions\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">The EDPB’s decision shows once again that the GDPR can be an effective tool to enforce privacy against surveillance-based business models. 
But enforcement is only a part of the picture. Consumers are increasingly aware of privacy issues and companies are starting to see the value of good, privacy-friendly data governance.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">A move towards privacy-minded tools can play a big part in building a surveillance-free Internet. With \u003CNuxtLink to=\"/\"  >Simple Analytics,\u003C/NuxtLink> we are trying to facilitate this. We believe that you can get insights from your web analytics, without the need to collect personal information or install cookies on your visitors’ computers.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"269\">We believe in an independent web that is friendly to website visitors. If this resonates with you, feel free to \u003CNuxtLink to=\"https://simpleanalytics.com/simpleanalytics.com\"  referrerpolicy=\"unsafe-url\" rel=\"\">give us a try!\u003C/NuxtLink>\u003C/ContentEditable>\n","Is Meta's targeted advertising GDPR compliant?","As the [Wall Street Journal](https://www.wsj.com/articles/metas-targeted-ad-model-faces-restrictions-in-europe-11670335772) reported, the European Data Protection Board found that **Meta has been illegally profiling users for targeted advertising** on its platforms. The decision can be appealed but is unlikely to be overturned. No information about sanctions is available at the moment, but given the amount of personal data involved, we might see **a hefty fine**.\n\nThe decision stems from a complaint filed in 2018 by privacy NGO [noyb](https://noyb.eu/en/noyb-win-personalized-ads-facebook-instagram-and-whatsapp-declared-illegal) and practically overturns a previous ruling by the Irish data protection authority (DPC). 
While the decision has yet to be published, the picture is fairly straightforward since some information about the complaint has been publicly available for a long time.\n\nIn this blog, we will explain the deal with Meta and why it’s a **consequence of a broader problem with the business model behind social media**.\n\n{% include gif.html slug=\"its-bigger-on-the-inside\" alt=\"its-bigger-on-the-inside\" width=\"500\" height=\"500\" color=\"#5a391b\" %}\n\n{{tableofcontents}}\n\nLet’s dive in!\n\n## The decision\n\nTo be clear, **the EDPB did** not **say that targeted advertising on social media platforms is in and of itself illegal**. The Board found that Meta was profiling users illegally because it was **abusing a specific legal basis** under the GDPR- the performance of a contract. This might seem like a minor detail, but it isn’t. Let’s unpack the issue.\n\nAs we explained [on our blog](https://www.simpleanalytics.com/blog/gdpr-101-legal-bases), under the GDPR, every data controller needs a **legal basis** to process data- that is, a justification such as the data subject’s consent or a legal obligation. The GDPR includes a closed list of six legal bases, each with its own requirements.\n\nSince the GDPR’s entry into force in 2018, Meta has been using **the performance of a contract** as a legal basis for serving users with personalized advertisements based on their online activity. By doing so, Meta was essentially claiming that personalized advertising is an essential part of their contract with the user (that is, the terms of service for Facebook and Instagram). Noyb claimed that Meta was abusing the legal ground of the contract and took legal action in 2018, filing the complaint that led to the EDPB’s decision.\n\nThe ruling itself is absolutely unsurprising. European case law has long clarified that the legal ground of contract only covers processing activities which are strictly necessary to the performance of the contract. 
This is obviously not the case with targeted advertising. Additionally, the EDPB itself clarified in its guidelines that contract is not a suitable legal basis for online behavioral advertising.\n\nBut why couldn’t Meta just rely on a different legal basis? It’s a bit complicated, so we’re going to keep things short and sweet here and include some more details in the notes. In a nutshell, **not relying on contract would have forced Meta to collect user consent instead**. This is a tricky proposition because a user could just refuse targeted advertising or opt out of it. As Internet users become more and more privacy-aware, this could **severely impact advertisement revenue** for the company.\n\n_(Note: Meta is still not relying on consent for profiling. See the updates below for more details)_\n\nBottom line, Meta circumvented the rules and got away with it for four years.\n\n## Data is not a commodity\n\nMeta is not the only big tech company struggling with the GDPR. For instance, [TikTok got in trouble with the Italian DPA](https://thehackernews.com/2022/07/tiktok-postpones-privacy-policy-update.html) because of legal bases not long ago. Google Analytics is also having its fair share of troubles and getting practically banned in several Member States, for different reasons (we wrote about this on our [blog](https://www.simpleanalytics.com/blog/the-complete-overview-from-101-noyb-complaints-to-banning-google-analytics)).\n\nThe core of the issue is that the GDPR (and the EU data protection framework in general) **treats privacy and data protection as fundamental rights**, whereas social networks (and many other tech companies) embody a surveillance-centered business model that **treats personal data as a commodity**.\n\nThese perspectives are **radically incompatible**. 
From a purely economic point of view, profiling is actually necessary to the performance of the contract because it’s a crucial part of Meta’s business model: if the company couldn’t profit from the contract, it would not be able to provide the service, nor would it have any incentive to do so. But under the GDPR, privacy and data protection are non-negotiable rights. The processing of personal data cannot be justified just because it’s part of a business model, no matter how widespread and successful.\n\nSome critics of the GDPR claim that the Regulation is impracticable and out of touch with a data-driven economy, but this is not the case. European institutions are well aware of the crucial role of data. This is why the GDPR strives to strike a balance between data protection rights and other fundamental rights, including the freedom to conduct a business.\n\nBut the GDPR also **draws a line between a data-driven economy and a surveillance economy**, and this line has been rightfully enforced against Meta.\n\n\n## Update\nThere have been quite a few updates since we published this blog:\n\n- the DPC issued a total of €390M in fines over Facebook and Instagram’s GDPR violations\n- the EDPB settled a similar case against Meta-owned WhatsApp. The DPC fined WhatsApp only €5M\n- the EDPB ordered the DPC to further investigate Meta’s data processing operations. The DPC believes that the EDPB lacks the authority to do so and announced legal action against the order in the EU Court of Justice.\n- the Amsterdam District Court held Meta's targeted profiling to be illegal in a recent class action ([we discussed this case in detail](https://www.simpleanalytics.com/blog/meta-s-privacy-fiasco-a-cautionary-tale-for-big-tech))\n- as of April 5, Meta is relying on the legal basis of [legitimate interest](https://about.fb.com/news/2023/01/how-meta-uses-legal-bases-for-processing-ads-in-the-eu/) for targeted advertising. 
noyb is [not happy](https://noyb.eu/en/meta-facebook-instagram-switching-legitimate-interest-ads) with the new legal basis (rightly so, we believe) and intends to challenge it.\n\n€390M might look like a lot, but it really isn’t. The largest components of the fines revolve around a lack of transparency. The lack of a legal basis, which is arguably the biggest issue, cost Meta a total of €120M between Facebook and Instagram’s violations. For comparison, the Belgian DPA fined Amazon €746M over similar violations!\n\nIt’s hard to say how the DPC’s legal action against the EDPB will play out, but it will surely increase the already alarming friction between the DPC and its European counterparts.\n\nLast but not least, in an unrelated case revolving around data transfers, Meta was **fined €1.2 billion** (no, that's not a typo!) by the DPC and ordered to **suspend US data transfers** for Facebook. This could result in a **Facebook blackout** for Europe. Needless to say, [we discussed this important case in detail](https://www.simpleanalytics.com/blog/meta-hit-with-record-breaking-1-3-billion-fine-over-facebook-data-transfers-to-the-us).\n\n## Conclusions\n\nThe EDPB’s decision shows once again that the GDPR can be an effective tool to enforce privacy against surveillance-based business models. But enforcement is only a part of the picture. Consumers are increasingly aware of privacy issues and companies are starting to see the value of good, privacy-friendly data governance.\n\nA move towards privacy-minded tools can play a big part in building a surveillance-free Internet. With [Simple Analytics,](https://www.simpleanalytics.com/) we are trying to facilitate this. We believe that you can get insights from your web analytics, without the need to collect personal information or install cookies on your visitors’ computers.\n\nWe believe in an independent web that is friendly to website visitors. 
If this resonates with you, feel free to [give us a try!](https://simpleanalytics.com/simpleanalytics.com)\n",{"data":46},null,269,"Meta's targeted advertising not GDPR compliant","The European Data Protection Board found that Meta has been illegally profiling users for targeted advertising on its platforms","meta-targeted-advertising-not-gdpr-compliant","carlo-cilento","2022-12-10T00:00:00.000Z","2023-08-15T11:49:49.969Z",{"en":55,"de":56,"fr":58,"it":60,"es":62,"nl":64},{"slug":50},{"slug":57},"metas-gezielte-werbung-nicht-gdpr-konform",{"slug":59},"la-publicite-ciblee-de-meta-n-est-pas-conforme-au-gdpr",{"slug":61},"la-pubblicita-mirata-di-meta-non-e-conforme-al-gdpr",{"slug":63},"la-publicidad-dirigida-de-meta-no-cumple-el-gdpr",{"slug":65},"meta-s-gerichte-reclame-is-niet-gdpr-conform"]