Facebook parent company Meta this week was fined 390 million euros, or more than $414 million, by European Union regulators in a major decision around its online ad targeting and privacy policies.
It is one of the more significant findings so far under the EU's General Data Protection Regulation, and it could have implications for how the company operates in the U.S., including its controversial practices in the healthcare space.
When GDPR came into effect on May 25, 2018, Meta added a clause to its user terms of service contract. GDPR assures individuals the right to object to the collection and processing of their personal data for ad targeting purposes.
The company says the clause makes the collection and use of its users' personal data necessary for the performance of that contract, which is one of the lawful bases for processing that GDPR recognizes.
The EU does not agree – and with its decision social media users across the affected Meta platforms must give consent for data tracking. The decision regarding a separate complaint of privacy violations on WhatsApp has been delayed until later in the month.
"We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines," Meta said in a statement in its Facebook newsroom.
According to Odia Kagan, partner and chair of GDPR compliance and international privacy for Fox Rothschild LLP, the decision means:
The company can no longer rely on a legal basis of contractual necessity to run behavioral ads and will instead have to ask users for their consent.
Within three months, Meta must enable users to have a version of its social media apps that does not use personal data to surface ads.
The company must allow users to withdraw consent at any time, and it may not limit the service if users choose to do so.
Meta may still use nonpersonal data to personalize ads or to ask users for consent to ads with a yes or no choice.
Data tracking by contractual necessity
With the company also fighting healthcare data privacy lawsuits in the United States, the decision may have implications for U.S. healthcare policy as well.
The foundation of the global giant's social media data consent approach under GDPR is the concept of contractual necessity. According to GDPR.EU, an entity is allowed to process personal data only under one of six lawful bases; contractual necessity is one of them, and another applies, for example, when:
"Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)"
Meta says its services need the data, or the experience will not be personalized enough, and that personalization is what the company's advertisers are generally after.
"Facebook and Instagram are inherently personalized, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service," the company said in the statement.
Apple users in the U.S. already have one way to limit the company's tracking. According to coverage by 9to5mac.com in 2022, Meta took issue with Apple's "Ask App Not to Track" prompt, which arrived with iOS 14.5 and is used across iPhones and iPads. That feature, according to the report, shook up the mobile ad industry, which cited lower returns for advertisers.
But Kagan said that some privacy laws in the United States have taken the same approach to contractual necessity as GDPR.
"This decision reflects a longstanding discussion in the EU regarding the scope of contractual necessity and the concept of consent," she said in an email to Healthcare IT News.
"This is an interesting discussion to follow for the US too. Under the new U.S. laws consent is required in certain cases, for example, in Colorado, when processing sensitive information. These laws have, essentially, copy-pasted the definition of consent under GDPR."
Active acknowledgment is not the nationwide protocol
Kagan also noted that the draft Colorado Privacy Act (CPA) regulations cite the decision of Datatilsynet, Norway's data protection authority, on the scope of consent in a complaint against the dating app Grindr, which resulted in a fine of about $7.1 million in 2021, according to a TechCrunch report.
"Under GDPR you cannot condition the provision of a service on consent to something that is not required for the service. That is a big conceptual change from the consent traditionally used in the US which is an active acknowledgment," she said.
Adtech snares healthcare organizations in its data privacy challenge
Last year, hundreds of U.S. hospitals were identified as tracking HIPAA-protected patient data in a lawsuit against Meta Platforms alleging unlawful collection of patient data.
Even though U.S. laws typically accept an acknowledgment as consent for data collection, HIPAA-protected health data is a separate matter.
The John Doe plaintiff who was a patient at Baltimore-based Medstar Health System filed the class-action complaint against Meta in the U.S. District Court for the Northern District of California. Since then, a number of lawsuits have named several major U.S. health systems as defendants or codefendants for allegedly tracking patient data on portals and healthcare websites.
"When a patient communicates with a healthcare provider's website where the Facebook Pixel is present on the patient portal login page, the Facebook Pixel source code causes the exact content of the patient's communication with their healthcare provider to be redirected to Facebook in a fashion that identifies them as a patient," according to the Doe v. Meta Platforms, Inc. court documents.
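The practical check a healthcare organization wants after reading that allegation is an audit of its own portal pages for the Pixel. The following is an added example, not code from the article, from Meta or from the Doe v. Meta filings. It uses two real identifiers of the Pixel (the loader script fbevents.js served from connect.facebook.net, and the global fbq() function that the snippet calls with 'init' and 'track'); the list of sensitive form-field names, the sample pages and the all-zero pixel ID are constructed for this example and would be tuned per site.

```python
"""Audit an HTML page for the Facebook Pixel sitting next to a login or intake form.

Added example; not from the article or any court filing. Real identifiers: the
Pixel loader is served from connect.facebook.net as fbevents.js and is driven by
the global fbq() function. The sensitive-field list, the sample pages and the
pixel ID are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

PIXEL_HOST = "connect.facebook.net"
PIXEL_LOADER = "fbevents.js"
# fbq('init', '<pixel id>') / fbq('track', '<event>') / fbq('trackCustom', '<name>')
FBQ_CALL = re.compile(r"""fbq\(\s*['"](init|track|trackCustom)['"]\s*,\s*['"]([^'"]*)['"]""")
# Assumed field names that mark a patient portal or intake form (tune per site).
SENSITIVE_FIELDS = {"password", "patient_id", "mrn", "dob", "ssn", "diagnosis", "symptoms"}


@dataclass
class PixelReport:
    loader_found: bool = False
    fbq_calls: list = field(default_factory=list)       # (kind, argument) pairs
    forms: int = 0
    sensitive_fields: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        """Pixel present on the same page as a form collecting sensitive data."""
        return self.loader_found and bool(self.sensitive_fields)


class _Scanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.report = PixelReport()
        self._script = None   # buffer for the text of the current inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
            src = a.get("src") or ""
            if PIXEL_HOST in src and PIXEL_LOADER in src:
                self.report.loader_found = True        # external loader tag
        elif tag == "form":
            self.report.forms += 1
        elif tag in ("input", "textarea", "select"):
            name = (a.get("name") or a.get("id") or "").lower()
            if name in SENSITIVE_FIELDS or (a.get("type") or "").lower() == "password":
                self.report.sensitive_fields.append(name or "<unnamed>")

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)               # script text may arrive in chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            if PIXEL_HOST in body and PIXEL_LOADER in body:
                self.report.loader_found = True        # inline bootstrap snippet
            for m in FBQ_CALL.finditer(body):
                self.report.fbq_calls.append((m.group(1), m.group(2)))


def scan_page(html: str) -> PixelReport:
    """Parse one HTML document and report Pixel presence alongside sensitive inputs."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.report


# Constructed sample: a patient-portal login page carrying the usual Pixel snippet.
PORTAL_LOGIN_PAGE = """<html><head><title>Patient Portal</title>
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};t=b.createElement(e);
t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');  /* placeholder pixel ID, not a real one */
fbq('track', 'PageView');
</script></head>
<body><form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<button>Sign in</button></form></body></html>"""

# Constructed sample: the same form with no third-party tracker on the page.
CLEAN_LOGIN_PAGE = """<html><body><form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
</form></body></html>"""


if __name__ == "__main__":
    for label, page in (("portal", PORTAL_LOGIN_PAGE), ("clean", CLEAN_LOGIN_PAGE)):
        r = scan_page(page)
        print(f"{label}: pixel={r.loader_found} calls={r.fbq_calls} "
              f"sensitive={r.sensitive_fields} risky={r.risky}")
```

Run against saved copies of portal, scheduling and intake pages, the report flags any page where the loader is present beside a password or patient-identifying field; a tag manager that injects the Pixel at runtime would need the rendered DOM rather than the static HTML, which this static parser does not cover.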
Kagan, who closely observes the unfolding challenges to data tracking, said that Meta will appeal the decision in the Irish Courts both "on the substance and the level of fines imposed."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.