A multi-year competition challenge to Facebook (aka Meta), which saw Germany’s antitrust authority become a pioneering champion for privacy rights in 2019 after it sought to block the social media giant’s ‘superprofiling’ of users on the grounds that consentless cross-site tracking of users is an “exploitative abuse” of Facebook’s monopoly position, finally concluded Thursday with Germany’s federal competition regulator, the Bundeskartellamt, announcing the procedure’s end.
Who won? Meta dropped its appeal against the regulator’s order — and with the withdrawal of its legal army, the German Federal Cartel Office (FCO) has concluded its decision is final. So you have to say the FCO prevailed, even if the outcome still requires Facebook and Instagram users to step through various hoops to keep their information siloed from Meta’s ad targeting systems.
“As a result of our decision, Meta has made very significant changes to the way it handles user data,” said Andreas Mundt, president of the Bundeskartellamt in a statement. “The main change is that using the Facebook service no longer requires users to consent to Meta collecting a limitless amount of data and linking such data to their user accounts, even if these data are not even generated while using Facebook. This applies to Meta services such as Instagram or third-party websites and apps. This means that users now have much greater control over how their data are combined.”
Data combination may sound pretty innocuous. However, the practice allows tracking to turn into high-dimension profiling of individuals as, in Meta’s case, different types of web activity can be connected to the same Facebook/Instagram account user to build a more detailed picture and even infer intentions. (A basic example: A web user visits their doctor’s website. The same user, a few hours later, visits the website of an abortion clinic. If embedded in those sites, Meta’s tracking pixels could connect the two. And if that sounds far-fetched, studies of trackers suggest it’s not.)
The operational concessions Meta has agreed to in order to close the FCO case include:
- A June 2023 announcement that Meta would introduce an Accounts Center where users of Facebook and Instagram can instruct the company to keep data collected from its different services separate — rather than this data being combined to deepen Meta’s ad-profiling of individual users as was previously the case.
- A cookie setting that allows Facebook and Instagram users to decide whether they want to allow Meta to combine their data with other information it collects about them — via third-party websites where its tracking technologies are embedded or from apps using its “business tools” — or to keep it separate.
- A “special exception” for Facebook Login that allows people who use this Meta-provided method to sign in to other websites and apps to choose not to combine their Facebook data with information collected about them while they are using third-party services without having to lose access to Facebook Login (as was previously the case).
- The FCO said Meta has also agreed to limit its combination of Facebook and Instagram users’ data for security purposes. “Regardless of the user’s settings in Facebook or Instagram, Meta stores and combines usage data for security purposes,” it notes, adding that the concessions include this processing being done “only temporarily and for no longer than a standardized period of time defined in advance.”
- Meta has pledged to provide concise customer information about data combination settings. “To help Meta’s customers quickly find the relevant settings to prevent the unwanted combination of data by Meta, users who have agreed to data being combined in the past are shown prominent notifications when accessing Facebook. These notifications contain direct links to the newly designed consent options,” the FCO writes.
- Additionally, the company has agreed to include a prominent notice informing users about their options over its data combination at the beginning of its data policy — with a short explanation and links to the aforementioned Accounts Center and cookie settings.
The FCO said some of these changes have already been implemented, while others are slated to be rolled out “in the coming weeks”.
We’ve asked Meta to confirm whether changes will be implemented globally — or only inside the German market where the Bundeskartellamt has jurisdiction. (We previously understood that the Accounts Center would be rolled out globally.)
FCO spokesman, Kay Weidner, told us he was unsure whether all the measures would be applied globally, in Europe or only in Germany, saying they “may differ from measure to measure”.
“Our decision (and Meta’s agreements) are binding only for Germany but at least some of the measures [have] nevertheless already been applied not only in Germany but also all over Europe as e.g. the Account Centre and probably also the Facebook Login exception,” he added.
“Intense discussions”
In its press release, the German authority said the changes were arrived at after “intensive discussions” with Meta. (Which is basically regulator code for ‘we had to drag this much out of them kicking and screaming’.)
Last year the FCO described prior offers from Meta as “seriously deficient”, including as a result of manipulative design choices that could have nudged users to make decisions that suited its commercial agenda, and against their own interests, since it said Meta was not providing information transparently or neutrally.
The watchdog seems to be happier — if not entirely content — with the final set of concessions from Meta.
“Altogether, these tools give users much greater control over the extent to which personal data from other Meta services and third-party apps and websites are linked to their Facebook account,” said Mundt.
But how much of a win is the FCO’s case really? Clearly, the wider regional war against Meta’s privacy-hostile business model goes on. So this is hardly the final word.
Just look at how Meta’s current offer to users in the European Union — since November 2023 — demands their consent to ad tracking or else people must pay it a monthly fee to access social networks that the company used to advertise under slogans such as “Facebook is free and always will be”.
This is the reality for Facebook and Instagram users in Europe despite the bloc’s General Data Protection Regulation (GDPR) setting a standard that states that consent must be informed, specific, and freely given to be legally valid.
However, the FCO proceeding does still mark an important victory in rolling back Meta’s privacy incursions — by raising an objection against the company, the FCO may have set the high-water mark on Meta’s free-wheeling data slurping.
The multi-year battle has also clarified aspects of the legal landscape around surveillance-based ad business models and set up several arenas where Meta’s business model very much remains under regulatory attack.
Notably, a 2021 referral to the EU’s Court of Justice from German courts that were considering the FCO’s order led, in July 2023, to a ruling that has limited the legal options for Meta’s tracking ads business in the region.
Ironically, Meta responded by switching from claiming a legitimate interest in this personal data processing to implementing a consent flow that demands users agree to be tracked or else pay it for an ad-free version of the service. So, in other words, Meta has shifted to yet another iteration of forced consent — instead of providing users with the free choice the GDPR envisages.
Grievances against Meta’s ‘pay or consent’ model in Europe now loop in regional data protection authorities, consumer protection watchdogs, and the European Commission — the latter has an open investigation of Meta under the bloc’s Digital Markets Act (DMA), a competition reform that took inspiration from the FCO’s pioneering superprofiling case.
So while the fight against Meta’s consentless surveillance goes on all over the region, the German authority has succeeded in making some serious inroads into its business model.
Some of these cuts even have the potential to finish the job, too — if, for example, the European Commission follows through and enforces the DMA’s requirement on Meta not to force users to agree to their data being combined. (The bloc has already said it suspects Meta’s ‘pay or consent’ model of being non-compliant with the DMA.)
“The European Commission… now has the power to take action against combining data across different services of so-called gatekeepers if users have not given their valid consent; this is set out in Article 5(2) of the Digital Markets Act (DMA), which draws on the issues underlying the Bundeskartellamt’s Facebook decision,” the FCO observes in its press release.
“In applying the General Data Protection Regulation, data protection authorities can check the extent to which consent is in fact freely given and whether data processing, including within individual services, is excessive. Consumer protection rules could also be applied to how Meta designs its user dialogues,” it adds, pointing out all the other watchdogs that could pick up the baton and enforce the law on Meta as it did.
While we wait for further enforcement on the tech giant’s user-hostile business model, one — hopefully lasting — legacy for the FCO case is that it has helped change the conversation around competition and privacy by underscoring how an abuse of privacy can be horrible for competition, too; just another “exploitative abuse” of a monopoly position that shouldn’t be tolerated.
Let’s hope that perspective sticks.
Meta was contacted with questions.