The 390 million euros ($414 million) from Irish regulators is the latest significant punishment to hit the company, which is dealing with the fallout from a range of privacy and data scandals.
The fine relates to two cases that could together change the way that Meta does business on Facebook and other products such as Instagram.
The watchdog fined Meta 210 million euros for violations of the European Union's strict data privacy rules involving Facebook and an additional 180 million euros for breaches involving Instagram.
Meta said it was “disappointed” by the decision and intends to appeal against “both the substance of the rulings and the fines”.
It's the commission's latest punishment for Meta for data privacy infringements, following four other fines for the company since 2021 that total more than 900 million euros.
The decision stems from complaints filed in May 2018 when the 27-nation EU's privacy rules, known as the General Data Protection Regulation, or GDPR, took effect.
Two complainants had argued that Meta Ireland was “forcing” them to consent to their personal data being used for behavioural advertising and other services by making the use of its social medias conditional on accepting its terms of service. They argued that was in breach of those GDPR rules.
Previously, Meta relied on getting informed consent from users to process their personal data to serve them personalized, or behavioral, ads. When GDPR came into force, the company changed the legal basis under which it processes user data by adding a clause to the terms of service for advertisements, effectively forcing users to agree that their data could be used. That violates EU privacy rules.
The Irish watchdog initially sided with Meta but changed its position after the draft decision was sent to a board of EU data protection regulators, many of whom objected.
In its final decision, the Irish watchdog said Meta “is not entitled to rely on the ‘contract’ legal basis to deliver behavioral adverts on Facebook and Instagram."
Meta said in a statement that “we strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”
The Irish watchdog is Meta’s lead European data privacy regulator because its regional headquarters is in Dublin.
Additional reporting by agencies