A multi-year battle challenge to Facebook (aka Meta), where Germany's antitrust authority in 2019 became a pioneering champion for privacy rights when it attempted to curb the social media giant's 'superprofiling' of users by blocking, since it was an "exploitative abuse" of its monopoly position, the cross-site tracking of users without consent. The procedure between Germany's federal competition regulator, Bundeskartellamt, finally concluded Thursday with the announcement that the battle is over.
Winner? Meta has withdrawn its appeal of the order issued by the regulator — and with that withdrawal of its legal army, the German Federal Cartel Office (FCO) has declared its decision final. So you have to say the FCO prevailed, even if the outcome still requires Facebook and Instagram users to step through various hoops to keep their information siloed from Meta's ad-targeting systems.
As a consequence of our decision, Meta has made very important changes in its practices related to user data, said Andreas Mundt, president of the Bundeskartellamt in a statement. The key difference is that users do not have to agree for Meta to collect unlimited amounts of data linked to their user accounts related to activities on the website or service, even when such data are not generated while using Facebook. This applies to Meta services, like Instagram or to third-party websites and apps. That means that users now have much greater control over how their data are combined."
Data combination may sound pretty innocuous. But the practice allows tracking to turn into high-dimension profiling of individuals as, in Meta's case, different kinds of web activity can be linked to the same Facebook/Instagram account user to build a more complete picture and even infer intentions. (A simple example: A web user goes to her doctor's website. Hours later, that same user goes to an abortion clinic website. If Meta's tracking pixels were planted on those sites, it could link the two together. And if that sounds crazy talk, studies of trackers suggest it's not.
The concessions on operational issues Meta agreed to as part of closing the FCO case include:
Meta said in an announcement made in June 2023 that it would introduce an Accounts Center where users of Facebook and Instagram could instruct the company to treat data the company collects from its different services separately - rather than this data combining to deepen Meta's ad profiling of individual users as had been previously the case.
It is a cookie choice that allows users of Facebook and Instagram to establish whether they wish to enable it to pool that information with other personally identifying data Meta collects about them — via third-party websites where its tracking technologies are embedded or from apps using its "business tools" — or segregate the data.
In short, a "special exception" would be created just for Facebook Login; those using the Meta-provided method of signing in to other websites and apps would have the ability to decide not to combine their Facebook data with other information collected about them while they are using third-party services, without losing access to Facebook Login - as was the case before.
The FCO said Meta has also agreed that it will limit its combination of data from Facebook and Instagram users for security purposes. "Regardless of what settings the user activates in Facebook or Instagram, Meta stores and combines usage data for security purposes," it says, noting that the concessions include that this processing be done "only temporarily and for no longer than a standardized period of time defined in advance.".
Meta has promised to deliver brief customer information about the settings about data combination. "In order to enable Meta's customers to quickly find the appropriate settings that minimise, as far as possible, unwanted combinations of data by Meta, users who consented to the combination of data previously are presented with prominent notifications each time they open Facebook. The notifications contain direct links to the newly designed consent options," writes the FCO.
And it agreed to display a prominent notice at the top of its data policy about its users' options with respect to its practice of merging data, including a short explanation and links to accounts and cookie settings described above.
The FCO stated that some of these are already under way; others will be implemented "in the coming weeks.".
We asked Meta to clarify whether the updates will be released globally — or just in Germany, where the Bundeskartellamt has jurisdiction. We were previously told that Account Center would be rolled out generally.
FCO spokesperson Kay Weidner said he didn't know if all of the measures would roll out globally or in Europe or just in Germany, saying they "may differ from measure to measure."
"Our decision (and Meta's agreements) are only binding for Germany but at least some of the measures [have] nevertheless already been applied not only in Germany but all over Europe as e.g. the Account Centre and probably also the Facebook Login exception," he added.
"Intense discussions"
In its announcement, the German regulator said the terms resulted from "intensive discussions" with Meta. (Translation: "we had to drag this much out of them kicking and screaming.")
Last year the FCO said previous offers from Meta were "seriously deficient", partly because of its manipulative design choices that could have nudged users into decisions in line with its commercial agenda rather than their own, since it claimed Meta was not offering information transparently or neutrally.
The regulator seems to be content — if not entirely — with the final set of concessions Meta made.
Altogether, these tools put users much more in control of what personal data from other Meta services and third-party apps and websites are connected to their Facebook account, " said Mundt.
But how strong of a victory is the FCO's case actually? Clearly, the broader regional campaign against Meta's privacy-antagonistic business model continues. So this certainly isn't the last word.
Simply look at how Meta now requires consent from users in the European Union to allow ad tracking or else people have to pay a monthly fee to access social networks that the company used to advertise as "free" under slogans like "Facebook is free and always will be.".
This is the reality for Facebook and Instagram users in Europe, even though a bloc policy like GDPR sets a standard stipulating that consent must be informed, specific, and freely given to be legally valid.
But the FCO proceeding does still represent a significant win in the rolling back of Meta's privacy incursions — the FCO objection to the company may have marked the high water mark for Meta on its freewheeling data slurping.
The multi-year fight has also clarified aspects of the legal landscape around surveillance-based ad business models and set up several arenas where Meta's business model very much remains under regulatory attack.
A referral in 2021 by German courts, which were reviewing the FCO's order to the EU's Court of Justice, led on, in July 2023, to a ruling that has limited the legal options for Meta's tracking ads business in the region.
Irony here is that Meta responded by flipping from a claim of legitimate interest in this personal data processing to the deployment of a consent flow that forces users to agree to be tracked or pay it for an ad-free version of the service. In short, it has flipped to yet another version of forced consent — rather than offering the free choice the GDPR envisions.
Grievances against Meta's "pay or consent" model in Europe now loop through regional data protection authorities, consumer protection watchdogs, and the European Commission. The latter keeps an open investigation of Meta under the bloc's Digital Markets Act (DMA), a competition reform that took inspiration from FCO's super-profiling pioneering case.
So while the battle against Meta's consentless surveillance continues raging throughout all of the region, the German authority has here made some serious inroads into its business model.
Some of them may even get the job done: Provided, that is, the European Commission will actually apply the DMA mandate on Meta not to be able to compel users to accept their data becoming aggregated. (The bloc has already said it suspects Meta's "pay or consent" model of being noncompliant with the DMA.)
Thus, the European Commission … receives new competencies to act against the combination of different services of so-called gatekeepers if users have not provided their valid consent; this is outlined in Article 5(2) of the Digital Markets Act (DMA), which relates to the issues underlying the Bundeskartellamt's Facebook decision, the FCO observes in its press release.
This will help data protection authorities check the extent of which consent is in fact freely given and whether data processing, including within individual services, is excessive. Consumer protection rules could be applied to how Meta designs its user dialogues," it adds, pointing out all the other watchdogs that could pick up the baton and enforce the law on Meta as it did.
While we wait to see further enforcement on the tech giant's user-hostile business model, one — hopefully lasting — legacy for the FTC case is that it has helped change the conversation around competition and privacy by underscoring how an abuse of privacy can be horrible for competition, too; just another "exploitative abuse" of a monopoly position that shouldn't be tolerated.
Let's hope that perspective sticks.
Meta was contacted with questions.