Facebook’s parent company Meta was this week fined 390 million euros by European Union regulators, or more than $414 million, in a key decision around privacy and targeting policies. online advertising.
This is one of the more significant findings to date under the EU’s General Data Protection Regulation – and could have implications for the way the company operates in the US – including activities that cause harm. Controversy in healthcare.
Meta added a clause to the user service terms contract when GDPR, assuring individuals that they have the right to opt out of the collection and processing of personal data for ad targeting purposes, has effective May 25, 2018.
The company says the provision justifies the collection and use of users’ personal data as necessary for performance.
The EU disagrees – and with its decision, social media users on the affected Meta platforms must consent to data tracking. The decision regarding a separate complaint about a privacy violation on WhatsApp has been delayed until the end of the month.
“We strongly believe that our approach respects the GDPR, therefore, we are disappointed by these decisions and intend to appeal both the content of the ruling and the fine,” Meta said. in a statement on its Facebook newsroom.
According to Odia Kagan, partner and international privacy and GDPR compliance president of Fox Rothschild LLP, this decision means:
- The company can no longer rely on the legal basis of contractual necessity to run behavioral ads and will have to ask users for consent instead.
- Within three months, Meta must allow users with a version of the social media application that does not use personal data to display ads.
- The company must allow the user to withdraw consent at any time and may not limit the service if the user chooses to do so.
- Meta may still use non-personal data to personalize ads or ask users to agree to ads with a yes or no choice.
Data tracking according to the necessity of the contract
With the company also battling lawsuits in the US, the decision could have implications for US healthcare policy due to healthcare data privacy lawsuits in the US. United States of the company.
The foundation of the GDPR global giant social media data consent approach is based on the concept of contractual necessity and under the GDPR.EU, an entity is only allowed to process data in six cases. , as when:
“Disposal is necessary to perform a task in the public interest or to perform some official function. (e.g. You are a private garbage collection company.)”
Meta says its services must have data, otherwise the experience won’t be unique enough, which is the way of personalization that the company’s advertisers often pursue.
“Facebook and Instagram are inherently personalized, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of the service. there,” the company said in the statement.
Consumer concerns about corporate privacy tracking in the United States can be addressed by Apple users. As reported by 9to5mac.com in 2022, Meta was having issues with Apple’s Do Not Track Requests App that ships with iOS 14.5 and is used on iPhones and iPads.
According to the report, that feature has shaken the mobile advertising industry, which has resulted in a loss of profits for advertisers.
But Kagan says that some privacy laws in the United States have taken a similar approach to contractual necessity as GDPR.
“This decision reflects a long discussion in the EU about the necessary scope of contract and the concept of consent,” she said in an email to Healthcare IT News.
“This is also an interesting discussion to watch for the US. Under new US law, consent is required in certain cases, such as in Colorado, when processing information. These laws essentially copied the definition of consent under the GDPR.”
Positive confirmation is not a nationwide protocol
Kagan also noted that in Colorado’s draft CPA regulation, the state cited the example of Datatilsynet, Norway’s data protection agency, deciding on the scope of consent in its complaint against the Grindr website , resulting in a $7.1 million fine in 2021, as reported by Tech Crunch.
“Under GDPR, you can’t condition the provision of a service based on consent to something that’s not mandatory for the service. It’s a big conceptual change from the consent traditionally provided. use in the United States, which is a positive endorsement,” she said.
Adtech traps healthcare organizations in data privacy challenge
Last year, hundreds of US hospitals were identified as tracking HIPAA-protected patient data in a lawsuit against Meta Platforms alleging illegal collection of patient data.
Although US law generally allows confirmation as consent for data collection, protected data is a separate matter.
Plaintiff John Doe, a patient of Baltimore-based Medstar Health System, filed a class-action lawsuit against Meta in the United States District Court for the Northern District of California. Since then, several lawsuits have singled out several major US health systems as defendants or accomplices for allegedly tracking patient data on healthcare portals and websites. .
“When a patient communicates with a healthcare provider’s website where the Facebook Pixel shows up on the patient portal login page, the Facebook Pixel source code makes the patient’s correct communication with the provider their healthcare providers are redirected to Facebook in a manner that identifies them as patients,” according to court documents Doe v Meta Platforms, Inc.
Kagan, who closely observes the ongoing challenges to data tracking, said that Meta will appeal the decision in the Irish Court both “in terms of the content and the amount of fines imposed.”
Andrea Fox is the senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a publication of HIMSS.
