On October 7, 2024, the Court of Justice of the European Union (CJEU) delivered a landmark ruling that restricts Meta Platforms from using personal data collected from Facebook for targeted advertising indefinitely. The decision is a critical interpretation of the General Data Protection Regulation (GDPR), emphasizing the necessity for data minimization and limiting the duration and type of data used for advertising purposes. This ruling arises from a case filed by privacy activist Maximilian Schrems, who argued that Meta’s use of his data for personalized ads based on his sexual orientation was unlawful.
The CJEU’s ruling makes it clear that social networks cannot continually use personal data obtained from users for ad targeting without imposing necessary limitations. Specifically, the court stated that companies must ensure that personal data collected, whether from the platform itself or through third-party websites, is processed strictly for necessary purposes and within defined timeframes. This decision reinforces the principle that even with user consent, companies cannot exploit personal information without due consideration of privacy regulations.
Noyb, the privacy advocacy group co-founded by Schrems, welcomed the court’s decision, stating it aligns with the anticipated outcomes and will affect other online advertising companies lacking robust data deletion practices. They emphasized that the ruling underscores the importance of adhering to the data minimization principle, which restricts the use of personal data even when users consent to its use for targeted advertising. This principle applies across the board, indicating that indefinite use of personal data for advertising is not permissible.
In response to the ruling, Meta expressed its commitment to privacy, noting its ongoing efforts to embed privacy features into its products. However, the court’s decision poses challenges for Meta and similar companies relying heavily on targeted advertising strategies. As the digital advertising landscape evolves, this ruling will likely prompt companies to reassess their data handling practices to ensure compliance with stringent privacy laws, highlighting the broader implications for user privacy rights in the European Union and beyond.
