Patrick Walsh

Meta Amasses $1B In GDPR Fines and Still Undeterred... For Now

Oh, Meta, I imagine that after 2022, you feel like the whole world is against you and the road ahead is bleak.

And you should.

GDPR fines are getting real

The European Union privacy law, the General Data Protection Regulation (GDPR), was passed in 2018. For the first three years, not much happened. Facebook was hit with some tiny fines, but they were cumulatively under a million euros.

But that started to change in 2021 and accelerated in 2022 as GDPR enforcement gained steam.

GDPR fines against Meta in 2021 and 2022 total almost $1 billion euros

In the last year and a half, Meta was fined due to two data breaches, the poor handling of children’s data, and for misleading statements around how they use the data they collect. These five fines add up to €972 million euros, which is over a billion U.S. dollars.


GDPR still catching up to FTC

But though a billion dollars is a lot of money, it’s nothing compared to the FTC’s 2019 settlement of $5 billion. That settlement was 18 times higher than any other the FTC has ever managed. Unfortunately, despite that settlement, almost nothing has changed with Meta’s business model.

Some context: comparing fines to revenue

Meta’s revenues over the previous four quarters are US$118 billion. So compared to that, the GDPR fines so far are a drop in the bucket. Even the GDPR fines plus the FTC fine is only about 5% of revenue.

Now let’s look instead at profits. Meta’s net income over the previous four quarters is US$28.9 billion. The fines over this time period were only $1 billion so we’re still only talking about a 3.4% hit.

Meta's income statement for previous 5 quarters

So have these various attempts to protect consumers and their privacy served to incentivize privacy or data protection for Meta? No. Not even a little bit. Put yourself in their shoes: if you had the choice of making $29 billion at the cost of $1 billion (ignoring the ethical questions for a moment), wouldn’t you?

Profit from tracking: Apple’s wee little change

In January of 2022, Apple released their App Tracking Transparency feature, which forces app developers to disclose how they’re using the data they acquire and lets users opt-out of activity tracking across other companies’ apps and websites.

Animation of disabling the global app tracking setting

More specifically, it gives iOS users the ability to withhold their device ID from the Facebook app. And they can turn off tracking globally so they don’t even get prompted per app.

The iOS device ID is used by Facebook to correlate the information that they learn about people from many different sources and to know that the person buying Widget X over there is you.

Consumers have opted out in droves this year and the consequence has been a $12.8 billion dollar hit to Meta’s revenue. That’s about 10.8%, but it only affected a small slice of their tracking: iPhone users on their phones instead of computers. Nothing changed for their Android users or desktop users.

But this is still a substantial amount of money, so it’s no wonder they’ve been trying to work around the limitation and track users anyway. Never mind that such workarounds are deceptive and illegal.

Global perspective on dollar amounts

To put all these billions into perspective, 2022 saw a record breaking Black Friday in which consumers globally purchased $9 billion worth of goods and services. Think about that. Apple wiped out more than a global Black Friday from Meta simply by giving users the chance to stop being tracked across apps.

And that’s still only a small dent in their revenue.

The coming metabomb

Meta has built a lot of implied consent into its service. If you use any of their services, like Facebook and Instagram, you automatically consent to being tracked and getting personalized ads based on that tracking data.

European Union regulators are getting ready to drop the hammer on this business practice, according to a leak of a ruling from the European Data Protection Board (EDPB) reported on by the Wall Street Journal.

If the decision happens and it sticks, Meta will be required to allow European users to opt out of personalized ads. Meta will also get hit with new fines when the decision is finalized.

Even more interesting is that California’s new privacy laws also require large companies to allow users to opt out of “cross-contextual behavioral advertising.” Which ultimately means that Meta will likely have to offer these options to everyone.

All about the money

Without a doubt, Meta will appeal, and if they can’t win, they’ll drag out the process for as long as they can. Because every day they can track people, they make $323 million dollars. Once they’re forced to let people opt out of tracking, their revenue will plummet.

So does Meta need to rethink their business model? Yes. But not because of fines. Fines are a cost of doing business. They’re an increasing number of drops in the bucket, but the incentives to tracking still far outweigh the disincentives.

But if they are forced to allow opt-out, their business could implode and with it the many advertising companies trying to do the same thing could go down with them. It’s the first time in years there’s been real hope for better privacy on the Internet. Now we just need to get businesses to better protect our data.

More great reads