The judgement could significantly affect how Meta and other ad-funded social networks operate in the region. Limits on how long personal data can be kept must be applied to comply with data minimisation principles in the bloc's General Data Protection Regulation (GDPR).
Breaches of the regime can lead to fines of up to four percent of global annual turnover, which, in Meta's case, could cost it billions more in penalties.
The original challenge to Meta's ad business dates back to 2014 but was not fully heard in Austria until 2020.
The Austrian Supreme Court referred several legal questions to the CJEU in 2021. Some were answered via a separate challenge to Meta/Facebook in a July 2023 CJEU ruling -- which struck down the company's ability to claim a "legitimate interest" to process people's data for ads.
The CJEU has now dealt with the remaining two questions, which is more bad news for Meta's surveillance-based ad business. Limits do apply.
In a press release, the CJEU summarised this component of the judgement: "An online social network such as Facebook cannot use all of the personal data obtained for targeted advertising, without restriction as to time and without distinction as to type of data."
The ruling looks vital because of how ad businesses like Meta function. The more of your data they can grab, the better -- as far as they are concerned. In 2022, an internal memo penned by Meta engineers likened its data collection practices to tipping bottles of ink into a vast lake and suggested the company's aggregation of personal data lacked controls and did not lend itself to being able to silo different types of data or apply data retention limits.
Meta claimed that the document "does not describe our extensive processes and controls to comply with privacy regulations." How exactly the adtech giant will need to amend its data retention practices following the CJEU ruling remains to be seen. But the law is clear that it must have limits.
"Advertising companies must develop data management protocols to delete unneeded data or stop using them gradually," Noyb suggests.
The court also considered a second question concerning sensitive data that has been "manifestly made public" by the data subject and whether sensitive characteristics could be used for ad targeting because of that, reports TechCrunch. The court ruled that it could not, maintaining the GDPR's purpose limitation principle.