Meta Can’t Use Sexual Orientation to Target Ads within the EU, Court Rules

Europe’s most famous privacy activist, Max Schrems, landed another blow against Meta today after the EU’s top court ruled the tech giant cannot exploit users’ public statements about their sexual orientation for online advertising.

Since 2014, Schrems has complained of seeing advertising on Meta platforms targeting his sexual orientation. Schrems claims, based on data he obtained from the company, that advertisers using Meta can deduce his sexuality from proxies, such as his app logins or website visits. Meta denies it showed Schrems personalized ads based on his off-Facebook data, and the company has long said it excludes any sensitive data it detects from its advertising operations.

The case started with Schrems challenging whether this practice violated Europe’s GDPR privacy law. But it took an unexpected turn when a judge in his home country of Austria ruled Meta was entitled to use his sexuality data for advertising because he had spoken about it publicly during an event in Vienna. The Austrian Supreme Court then referred the case to the EU’s top court in 2021.

Today, the Court of Justice of the European Union (CJEU) finally ruled that a person’s sexual orientation cannot be used for advertising, even if that person speaks publicly about being gay.

“Meta Platforms Ireland collects the personal data of Facebook users, including Mr. Schrems, concerning those users’ activities both on and outside that social network,” the court said. “With the data available to it, Meta Platforms Ireland is also able to identify Mr. Schrems’ interest in sensitive topics, such as sexual orientation, which enables it to direct targeted advertising at him.”

The fact that Schrems had spoken publicly about his sexual identity does not authorize any platform to process related data to offer him personalized advertising, the court added.

“Now we know that if you’re on a public stage, that doesn’t necessarily mean that you agree to this personal data being processed,” says Schrems, founder of the Austrian privacy group NOYB. He believes only a handful of Facebook users will have the same issue. “It’s a really, really niche problem.”

The CJEU also ruled today Meta has to limit the data it uses for advertising more broadly, essentially setting ground rules for how the GDPR should be enforced. Europe’s privacy law means personal data should not be “aggregated, analyzed, and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data,” the court said in a statement.

“It’s really important to set ground rules,” says Katharina Raabe-Stuppnig, the lawyer representing Schrems. “There are some companies who think they can just disregard them and get a competitive advantage from this behavior.”

Meta said it was waiting for the CJEU’s judgment to be published in full. “Meta takes privacy very seriously and has invested over 5 billion Euros to embed privacy at the heart of all of our products,” Meta spokesperson Matt Pollard told WIRED. “Everyone using Facebook has access to a wide range of settings and tools that allow people to manage how we use their information.”

Schrems has been a prolific campaigner against Meta since a legal challenge he made resulted in a surprise 2015 ruling invalidating a transatlantic data transfer system over concerns US spies could use it to access EU data. His organization has since filed legal complaints against Meta’s pay-for-privacy subscription model and the company’s plans to use Europeans’ data to train its AI.

“It’s major for the whole online advertisement space. But for Meta, it’s just another one in the long list of violations they have,” says Schrems, of this latest ruling. “The walls are closing in.”