In a significant ruling, Europe’s top court has declared that Meta Platforms must limit its use of personal data harvested from Facebook for targeted advertisements, even if users give their consent. The decision could have far-reaching consequences for ad-driven companies operating in the European region.
The Court of Justice of the European Union (CJEU) stated on Friday, "An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data."
The court emphasized that social networks like Facebook cannot indefinitely continue to use personal data for ad targeting. To comply with the General Data Protection Regulation (GDPR) data minimization requirements, limits must be established on the usage of such data.
Under Article 5(1)(c) of GDPR, companies are required to limit data processing to what is strictly necessary. This prevents personal data collected—whether through the platform or external third parties—from being aggregated and processed for targeted advertising without time-bound restrictions.
The case was initially filed in 2014 by privacy activist and noyb co-founder Maximilian “Max” Schrems, who claimed that Facebook targeted him with personalized ads based on his sexual orientation.
"The fact that a person has made a statement about his or her sexual orientation on the occasion of a public panel discussion does not authorize the operator of an online social network platform to process other data relating to that person's sexual orientation, obtained from partner third-party websites and apps, to offer personalized advertising," the CJEU clarified.
Noyb, in a statement, welcomed the ruling, saying the judgment also applies to any other online ad companies that do not adhere to strict data deletion practices.
"Meta and many players in the online advertisement space have simply ignored this rule and did not foresee any deletion periods or limitations based on the type of personal data," the Austrian non-profit said.
The ruling reaffirms the GDPR’s principle of data minimization, which restricts the use of personal data for advertising. It applies regardless of the legal basis for processing, meaning even users who consent to personalized ads cannot have their data used indefinitely.
In response, Meta said it has made considerable efforts to "embed privacy" into its products. The company added, "Meta does not use special categories of data that users provide to personalize ads, and advertisers are not allowed to share sensitive data."
This development comes as Texas Attorney General Ken Paxton filed a lawsuit against ByteDance-owned TikTok, accusing it of violating child privacy laws under the Securing Children Online Through Parental Empowerment (SCOPE) Act. The lawsuit alleges that TikTok does not provide sufficient parental tools to control the privacy and account settings of minors aged between 13 and 17.
TikTok, in its defense, stated it disagrees with the allegations and maintains that it provides robust safeguards for teens and parents, including features like family pairing.
