Facebook and Instagram users in the European Union objecting to Meta’s behavioral advertising can easily ask for their data not to being used for its consentless tracking-and-profiling thanks to a free tool provided by privacy rights not-for-profit, noyb.
According to noyb, an online form Meta is planning to offer EU users wanting to exercise their legal right to opt out of its ads processing is not at-all straightforward — no surprise there! — hence why the group has created a super-simple way for them to obtain their rights under the bloc’s General Data Protection Regulation (GDPR).
Users can lodge their objection via noyb’s tool either by logging into Facebook (i.e. to verify their account); or just by providing noyb with the email they use for the service; or objecting via their own own email client.
Once they’ve confirmed they want noyb to help them opt out of Meta’s processing (i.e. by consenting to its data processing for this limited purpose), the tool generates an email on their behalf that noyb sends to Meta’s data protection officer asking for it to stop processing their data for ads.
The GDPR states that individuals have an absolute right to object to the processing of their personal data if it is for direct marketing purposes — meaning there are no grounds for the request to be refused. There is also no required format for these objections to be lodged — so if Meta intends to comply with the GDPR it cannot ignore emails from users asking for it to stop processing their data.
Here’s the link to the tool noyb has created for opting out.
You can also see a preview of the objection letter it sends to Meta on your behalf.
The letter asks Meta for confirmation of compliance with the objection within five working days, and emphasizes that the user does not wish to be referred to “any links, online forms or other ways to exercise my rights” (a common delaying tactic used to frustrate individuals’ data protection rights), emphasizing: “I would have to treat such a reference as a refusal to comply with my clear request.”
Per the GDPR, data processors must comply with a right to object “without undue delay” — or, typically, at the latest a month after receipt of a request. So Meta should be acting on any such opt-out requests that it receives stat. Or it’ll be risking fresh complaints and privacy enforcement.
The European rights group was behind a successful challenge to the legal basis Meta has claimed for tracking and profiling users which led to the tech giant finally being hit with a $410 million penalty at the start of this year — along with an order to fix its violations of the GDPR within three months.
Meta is due to start applying a new privacy policy in the EU from tomorrow, following the aforementioned GDPR decision that found its claim of contractual necessity to be a bogus basis for behavioral advertising. And it has suggested it will apply some alternative form of ad targeting for users who opt out — such as contextual targeting, which does not rely on tracking and profiling individuals.
The GDPR breach finding means Meta currently lacks a lawful basis for the processing under the bloc’s rules. Hence why it’s being forced to switch legal bases — and it is planning to claim a so-called “legitimate interest” (aka LI) to process people’s data for microtargeting under the incoming regional policy. This is its response to the three month deadline imposed by EU regulators to bring its ads processing into compliance with the GDPR. So essentially Meta was forced to do something.
Data protection experts suggest LI is (also) extremely unlikely to fly as a valid legal basis for Meta’s surveillance ads. But even to be able to claim it’s relying on this basis it needs to provide users with a way to opt out of the ads processing since the regulation demands it offer a right to object to LI-based processing. Which means this is already far more than the privacy-hostile tech giant has offered before. (tl;dr: Privacy enforcement works!)
Thing is, this being Meta, the company doesn’t seem keen for EU users to exercise their legal right to object to its ads processing.
noyb has provided a link to what it describes as “the hidden and complex Facebook opt-out form” which Meta appears to be planning to use to obfuscate this privacy choice from users.
The form deploys classic dark pattern design (aka sludge) to bury the key choice, deploying a series of nested menus replete with irrelevant info, tedious drop-downs and other hidden options (i.e. which only appear if you select a specific choice), larded with reams more extraneous information that’s designed to steer users away from the salient right Meta does not want them to exercise.
Eventually, after a lot of tedious clicking around trying to find the legally mandated objection option, TechCrunch arrived at vague wording stating: “I still have a question on how to exercise my privacy rights”. Clicking on this brought up yet another menu asking for country of residence — seemingly in order, finally, to be able to file a request. However — at the time of writing — the pre-populated list Facebook offered us did not feature any EU Member States.
(We can only hope Meta will have fixed that by the time the new privacy policy goes into effect tomorrow. Or, er, it’s yet another dark pattern to try to circumvent EU rights — literally by preventing users from stating they reside in the region… )
Either way, it’s a lot quicker and easier to use noyb’s tool to opt out of Meta’s privacy violating ads. (Here’s that link again.)
You could also just manually send an email to Meta asking for it to stop processing any of your personal data — “for alleged ‘Legitimate Interests'” — assuming you can find an email address for Meta’s DPO (data protection officer) buried somewhere on their website.
The standard EU privacy experts suggest Meta should be providing is to ask users for up front consent to ads processing. And complaints over its attempt to ram a surveillance ads business through an LI basis will surely fast follow its latest legal ground switcheroo. But, in the meanwhile, EU users can at least ask Meta for their opt out.
Commenting in a statement, noyb’s founder and chair, Max Schrems, said: “These moves by Facebook are just laughable and embarrassing. You have to find each element in their privacy policy that you disagree with and explain why Meta’s assessment is wrong in your individual case. Their assessment, however, is not published. It’s not far from saying you can only opt-out ever second Monday from 8am to 9am.”
“Our form turns the table: Meta has to argue why they have an overriding interest — not the user,” he added. “Users can now opt out of data processing, and Facebook must process this objection without delay. We want to make it as easy as possible for those affected to exercise their fundamental rights.”
Any Facebook users in the US wishing they had such a choice should get on the phone to their representatives in Congress and tell them to pass comprehensive federal privacy legislation ASAP.
Using Facebook in the EU? Here’s how to opt out of its creepy ads by Natasha Lomas originally published on TechCrunch
from https://ift.tt/dOjA6IR
via Technews
No comments:
Post a Comment