A pizza shop needs your address to deliver your pizza. A chat app service needs your selfie if you want to send it to friends. But do internet giants like Facebook and Google really need a list of websites you recently visited?
A battle is looming in Europe over what information Facebook Inc., Alphabet Inc.’s Google and other companies can demand from you. It boils down to what they really need to know—a debate that could end up in courts for years with the potential to weaken either the European Union’s new data-privacy law or the business models of ad-reliant giants like Facebook and Google.
The EU’s new privacy law, which goes into effect on May 25, forbids companies from forcing users to turn over personal information as a condition of using their services. Does that mean you can simply say, “No, thanks,” to any data collection and still use Facebook? Not exactly.
. . . .
There are many exceptions in which companies can still collect data, such as when that information is necessary to fulfill a contract with you. That has set the stage in Europe for a battle over what is truly necessary, and when consent is “freely given,” regulators and privacy lawyers say.
“The crux of this argument is going to be the legitimacy of the behavioral advertising business model,” said Omer Tene, vice president and chief knowledge officer for the International Association of Privacy Professionals. “Behavioral advertising” is the name for the business, worth tens of billions of dollars a year, that allows companies to show users targeted advertising based on their internet activity.
In recent weeks, Facebook has continued work to comply with the new law—called the General Data Protection Regulation, or GDPR—in part by asking users in the EU to opt in to being shown targeted advertising using data gathered from their activity, such as web browsing or purchasing information. But when it comes to authorizing Facebook to collect that data, the company now gives users a stark choice: agree to its new terms of service or delete their accounts.
“If you don’t accept these, you can’t continue to use Facebook,” a pop-up says of the company’s terms and conditions.
Facebook says the data it collects is necessary to fulfill its contract with users to provide “a personalized experience.” The company says it offers prominent options to control how that data is used, but that as a data-driven business, it needs to collect information about its users to function.
“There are certain elements of the service which are core to providing it and which people can’t opt out of entirely, like ads,” said Stephen Deadman, Facebook’s global deputy chief privacy officer. “There’s no point in buying a car and then saying you want it without the wheels. You can choose different kinds of wheels, but you need wheels.”
. . . .
In the policy, Google justifies much of that data collection under another method in GDPR called “legitimate interest.” Companies’ use of that justification is also likely to spark legal scrutiny, lawyers and privacy experts say.
. . . .
“Processing of your information for the purposes of personalized content and ads is a necessary part of the services we provide,” the policy explains.