European regulators ruled that Meta cannot deliver targeted advertising without obtaining valid user consent, striking down the company's claim that advertising is necessary for performing its contract with users.

The Legal Basis Problem

Meta had relied on "contractual necessity" as its legal basis for processing personal data for targeted advertising, arguing that personalized ads were an essential part of the social media service. The Irish DPC, guided by the European Data Protection Board, rejected this argument. Targeted advertising is not necessary for providing a social media service, and therefore requires a different legal basis -- in practice, consent.

The Impact

This ruling forced Meta to fundamentally reconsider how it operates in Europe. The company must either obtain valid consent for targeted advertising (which many users would refuse) or find alternative revenue models. The total fines for these violations reached EUR 390 million.

Industry-Wide Implications

The ruling clarifies that social media platforms and other free services cannot claim that surveillance-based advertising is a necessary part of their service contract. Any platform relying on similar legal reasoning should reassess its position.