Meta Wants EU Users To Apply For Permission To Opt Out of Data Collection

Meta announced that starting next Wednesday, some Facebook and Instagram users in the European Union will for the first time be able to opt out of sharing first-party data used to serve highly personalized ads, The Wall Street Journal reported. The move marks a big change from Meta's current business model, where every video and piece of content clicked on its platforms provides a data point for its online advertisers. Ars Technica reports: People "familiar with the matter" told the Journal that Facebook and Instagram users will soon be able to access a form that can be submitted to Meta to object to sweeping data collection. If those requests are approved, those users will only allow Meta to target ads based on broader categories of data collection, like age range or general location. This is different from efforts by other major tech companies like Apple and Google, which prompt users to opt in or out of highly personalized ads with the click of a button. Instead, Meta will review objection forms to evaluate reasons provided by individual users to end such data collection before it will approve any opt-outs. It's unclear what cause Meta may have to deny requests.

A Meta spokesperson told Ars that Meta is not sharing the objection form publicly at this time but that it will be available to EU users in its Help Center starting on April 5. That's the deadline Meta was given to comply with an Irish regulator's rulings that it was illegal in the EU for Meta to force Facebook and Instagram users to give consent to data collection when they signed contracts to use the platforms. Meta still plans to appeal those Irish Data Protection Commission (DPC) rulings, believing that its prior contract's legal basis complies with the EU's General Data Protection Regulation (GDPR). In the meantime, though, the company must change the legal basis for data collection. Meta announced in a blog post today that it will now argue that it does not need to directly obtain user consent because it has a "legitimate interest" to collect data to operate its social platforms. "We believe that our previous approach was compliant under GDPR, and our appeal on both the substance of the rulings and the fines continues," Meta's blog said. "However, this change ensures that we comply with the DPC's decision."

Don't forget

[Malays2 bowman]

- Frequent warnings about their hearing being important.

- To take a break every 10 minutes

Pefereably full view modal dialog boxes that interferes with the controls every 10 or 20 minutes.

Fuck Meta

[Anonymous Coward]

EU should fuck Meta over with GDPR to set a right example.

Re:Fuck Meta

[Z00L00K]

"Opt Out" might even be illegal. It has to be "Opt In".

Re:Fuck Meta

[gweihir]

"Opt out" _is_ illegal. So is "opt in" hidden somewhere in the TOU. People need to very explicitly consent specifically to collection of personalized data after being told what specifically it is used for and who it is shared with. Nothing else is legal. Oh, and if it is privileged data, such as medical data (and guessing somebody may be pregnant, for example, already qualifies), then that consent has to be in written form on paper.

Re:

[Okind]

"Opt out" _is_ illegal. So is "opt in" hidden somewhere in the TOU. People need to very explicitly consent specifically to collection of personalized data after being told what specifically it is used for and who it is shared with. Nothing else is legal. Oh, and if it is privileged data, such as medical data (and guessing somebody may be pregnant, for example, already qualifies), then that consent has to be in written form on paper.

Very much this, except that the rules for sensitive data such as medical information, race (images!), religion, sexual preference, location, etc. are even more severe.

For starters, you're not allowed to collect/use it unless you can prove that you cannot provide a necessary service without it. And it has to be necessary from the point of view of the data subject. This pretty much excludes all forms of marketing, and makes sensitive personal data a big no-go for Big Surveillance (like Meta, Google, etc.).

Re:

[gweihir]

Yes. The only valid reason a service provider has to store such data is with consent of the appropriate form and if it is needed for the service the user requested. That does indeed rule out all marketing. This limit does apply to all personally identifiable data and all tracking though, not only to especially sensitive data. Also, data stored must be deleted after the legal retention requirements are over. If somebody did not actually buy good or services, that is pretty much immediately after. If somebody

Meta is still breaking the GDPR

[bagofbeans]

https://noyb.eu/en/meta-facebo... [noyb.eu]

As the Wall Street Journal reports, Meta (Facebook and Instragram) is switching from an illegal contract to equally illegal basis "legitimate interests" for advertisement, after noyb won a series of complaints against them. noyb will take imminent action, as the clear case law and guidance does not allow a company to argue that its interests in profits overrides the users' right to privacy.

The old saying

[Malays2 bowman]

They call it the golden rule because those who have the gold makes the rules.

Applies mostly in America.

Re:

[gweihir]

I hope they do. There is a reason I am a noyb member. These enterprises need to be kicked, kicked and kicked again. Time for a EUR 500M fine.

Re:

[Opportunist]

There simply is no "legitimate interest" for any kind of personal information. At least not in the form presented by various webpages.

Re:

[AmiMoJo]

Facebook/Meta isn't the first to try this "legitimate interests" argument for advertising data. It really needs a high level ruling to make it clear that it doesn't work. Your business may depend on ads to make money, but targeting them by harvesting and abusing personal data can never be a legitimate interest because you can provide either non-targeted ads or use other metrics, like page content, to target.

"It reduces our profits" is not a legitimate reason to process personal data in this way.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[AmiMoJo]

We really need to see some big files if they don't follow the rulings. Current law allows for 4% of global turnover, which would be a little under $5bn for Meta.

Actually illegal that way

[gweihir]

The GDPR mandates "default no" for all data collection. They need to get _explicite_ permission and it _cannot_ be hidden somewhere in the TOU or the like. Otherwise collecting any personalized data is flat-out illegal.

Re:

[pjt33]

And you can't change your justification from consent to legitimate interest when the courts say you didn't have consent and grandfather in the data already collected. The court should send bailiffs to supervise the deletion of the data and collect affirmations under pain of perjury from senior executives that it has been deleted and won't be recovered.

Re:

[gweihir]

Indeed. Enforcement with real teeth would be nice. Unfortunately, the Irish Data Protection Authority (responsible here) is utterly corrupt and only does things when forced to.

Re:

[Errol backfiring]

For those who wonder, Consent must be

• Voluntary (and "if you do nothing, you agree" is not seen as voluntary). It also means that giving consent must be as easy as refusing it. This makes the vast majority of cookie walls illegal.
• Informed (you must be told what you consent to)
• Specific (every use of the data needs a different consent)

You do not need consent for use of data necessary to perform the service itself. As an example, if you order something in a web shop, the web shop does not need consent to

Re:

[gweihir]

Yep, nice summary.

Re:

[MS]

All correct. In fact there are online-shops in the EU without cookie-consent-banner, simply because they do it the right way and don't need it. Session cookies are no problem and do not imply prior consent. Fonts, jQuery and the likes may be stored locally (instead of delivering it from the Google-cloud), so no tracking cookies will be set and no personal data transferred outside the EU and no annoying consent-banner clutters the homepage.

Re:

[gweihir]

Session cookies are fine if they only contain personally identifiable data after the user entered it and cannot be used for tracking and have an effective lifetime of the overall interaction. Obviously you may store session information in cookies, in particular whether cookie consent has been given or not, but also everything that only applies to the session.

Re:

[Opportunist]

That's fine, that's what adblockers are for.

By Default

[thegarbz]

1. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
2. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
3. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to a

Dear Chickens, please ask the fox to stop hunting

[nightflameauto]

Dear Chickens,
You may now ask the fox for permission to not be hunted in your own home. Please be advised that this request will be reviewed by the fox at his leisure, and may be denied based on whether or not he's actually hungry at that moment. The form to request permission to not be hunted will be available by your request to (hidden link deep within some hard to access page).

Seems like a real bit of trickery to me.

Well I'd like...

[TractorBarry]

Well I'd like "Meta", and all the other associated data thieves, to go die in a fire. Shame we can't all get what we want.

Thankfully the EU will just tell them go pound sand.