What's happening with Meta? Privacy fines and more

Georgina Viaplana
October 7, 2024

In 2025, we have compiled some of the fines, ongoing legal proceedings, and other updates to explain in a simple way what is happening with this company that we all use.

Remember that Meta Platforms Inc. is the parent company that controls Facebook, Instagram, WhatsApp, and Messenger, so yes… this definitely affects you!

€800M Fine for Abuse of Dominant Position

Last November, Meta was fined €800 million for violating competition rules and breaching the EU’s antitrust regulations. This is the largest fine ever imposed on Mark Zuckerberg’s company by the European Commission.

The Commission's investigation has confirmed that Meta holds a dominant position in the personal social networking market across the entire European Economic Area (EEA), as well as in national markets for online advertising on social networks. Specifically, the Commission found that Meta was abusing its dominant positions in violation of Article 102 of the Treaty on the Functioning of the European Union.

Meta was tying its classified ads service, Facebook Marketplace, to its social network, Facebook. Additionally, the company was unilaterally imposing unfair trading conditions on other online classified ad providers that advertise on Meta’s platforms, particularly its most popular social networks, Facebook and Instagram.

The European Commission has also ordered Meta to put an end to this conduct and to refrain from repeating the infringement or adopting practices in the future with a similar purpose or effect.

Other cases

Meta must minimize its use of personal data

On Friday, October 4th, 2024, the Court of Justice of the European Union (EUCJ) fully upheld an individual's lawsuit against Meta regarding its Facebook service. The plaintiff claimed that the platform was showing him ads related to his sexual orientation, even though he had never shared that information with the platform.

The case revolved around whether making personal information public through another channel gives the platform permission to process that data for personalized advertising purposes. The court ruled that the use of personal data for online advertising must be "minimized" and that public data can only be processed for its originally intended purposes.

This ruling means that Meta can no longer use data collected since 2004 indefinitely for advertising, regardless of user consent. Additionally, the court rejected the idea that public criticism of data management allows the processing of personal information. This decision protects the right to privacy and prevents people from losing data protection simply for speaking publicly about illegal data processing.

Here is a summary of the fines Meta has faced:

Fines for storing passwords in plain text

Meta was fined €91 million by the Irish Data Protection Commission (DPC) in October 2024 for storing certain Facebook user passwords in plain text within its internal systems. (Proper security measures require at least basic cryptographic protection, obviously.)

This incident, which occurred in 2019, represented another violation of General Data Protection Regulation (GDPR) rules, specifically Article 5(1)(f), which states that personal data must be processed in a manner that ensures appropriate security. This includes protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.

Graham Doyle, Deputy Commissioner of the DPC, highlighted the seriousness of Meta’s mistake in storing passwords in plain text, emphasizing the risks of potential misuse. A Meta spokesperson stated that the company took "immediate action" after discovering the error in its password management processes and worked constructively with the DPC throughout the investigation.

Significant previous fines

Meta has not only received the largest fine for GDPR violations since the regulation came into force, but also holds the record for the highest number of major fines.

  • May 2023: Meta was fined $1.31 billion for violating data transfer rules by sending Facebook users' personal data outside the European Union.
  • January 2023: The company was fined $426 million for lacking a valid legal basis to process user data for advertising on Instagram and Facebook.
  • September 2021: A $443 million fine was imposed due to failures in handling minors' data on Instagram.
  • November 2022: Meta was fined $290 million by the DPC for issues related to plain-text password storage. Certain platform features, such as contact importer and search tools, exposed the personal data of hundreds of millions of users to others.

Meta and AI

Meta’s controversy regarding Artificial Intelligence (AI) focused on its intention to process EU/EEA user data to train AI models using public content from Facebook and Instagram. This raised concerns about privacy and GDPR compliance, leading an NGO to file 11 complaints with data protection authorities (one of them in Spain!).

In response, the European Data Protection Board (EDPB) issued several resolutions:

  • January 23, 2024: The EDPB urged Meta to pause its data usage for AI.
  • October 4, 2024: Meta committed not to process EU/EEA user data for undefined AI techniques, citing European regulatory pressure and the lack of a clear legal framework that allows this type of processing without explicit user consent.

Changes in metrics

Due to all these regulatory changes, Meta has had to adjust its products to comply with European regulations.

In the past six months, Meta has modified Facebook metrics, removing demographic data such as age and gender for privacy reasons. It has also focused on individual post metrics, limiting historical data to 90 days and excluding certain ads. This impacts total reported clicks and engagement.

To separate organic and paid engagement, users must now connect specific advertising accounts. These changes affect analytics platforms like Sprout Social and Hootsuite, which can no longer access certain page-level engagement metrics.
