Germany’s competition authority ruled on Thursday that Facebook cannot gather and combine personal data across platforms and websites unless users give permission, a decision that could have wide-ranging implications on the company’s ability to target advertising.
The agency said Facebook had exploited its dominant position in Germany by presenting people with an all-or-nothing choice: submit to unlimited data collection by the company or simply not use the service. The practice, the agency said, had enabled Facebook to collect data about its users’ activities on millions of other websites, helping the social network become a worldwide powerhouse of personalized advertising.
The competition regulator ruled that Facebook would now have to obtain users’ permission before merging data from other sites. The company is also prohibited from combining information from users’ Facebook accounts with data from their accounts on Facebook-owned services like Instagram and What’s App without the users’ permission.
“In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts,” Andreas Mundt, president of the competition authority, the Federal Cartel Office, said in a statement on Thursday.
“The combination of data sources,” the cartel authority said, “substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power.”
Facebook said it disagreed with the ruling and that German authorities had underestimated the competition the company faced in the country. It will have one month to appeal and four months to send remedies to the Federal Cartel Office.
European authorities have become the world’s leading regulators of the technology industry. Officials like Margrethe Vestager, the European Union’s antitrust chief and a frequent Silicon Valley antagonist, have argued that regulators need to guard against the amassing of data in ways that allow companies to accumulate power and stifle competition.
German officials have been among the most aggressive on this front. They have raised concerns about data privacy while also pushing for a global minimum tax on technology companies.
The focus of the ruling on Thursday was on data that Facebook collects outside its primary social network. The company has been able to monitor users’ activity on third-party sites through its “Like” and “Share” buttons, and through a tracking service called Facebook Pixel.
“By combining data from its own website, company-owned services and the analysis of third-party websites, Facebook obtains very detailed profiles of its users and knows what they are doing online,” Mr. Mundt said in a release.
The authority said Facebook’s management of information like this violated data protection rules. “In the authority’s assessment, Facebook’s conduct represents above all a so-called exploitative abuse,” the regulator’s statement said.
Yvonne Cunnane, head of data protection at Facebook in Ireland, and Nikhil Shanbhag, a director and associate general counsel, said in a statement on Thursday that combining information across its services helped protect its users.
“Using information across our services helps us to protect people’s safety and security, including, for example, identifying abusive behavior and disabling accounts tied to terrorism, child exploitation and election interference across both Facebook and Instagram,” their statement said.
“Popularity is not dominance,” they said.