Meta Platforms may not generally store data transmitted by bild.de

Meta may not store data that it is not allowed to use, says Stuttgart Regional Court. Data that is nevertheless stored can trigger compensation. But not much.

(Image: Pink slippers with Facebook lettering and logo. Credit: Daniel AJ Sokolov)


A German Bild reader has won a costly victory against Meta Platforms at Stuttgart Regional Court. The Facebook operator must pay 300 euros in damages for the unauthorized storage of personal data, plus 227 euros in pre-trial legal fees; however, the plaintiff must bear 90 percent of the legal costs, which is a significantly higher amount. The case decided at first instance (case no. 27 O 190/23) centers on the Meta Business Tools, which Meta uses to harvest data on many websites and apps.

The plaintiff is a German consumer who has had a Facebook account since 2009; he has consented neither to the use of his data for personalized advertising nor to the merging of data from third-party websites and apps (so-called offsite data) with his Facebook account. Nevertheless, Meta has been storing such data about him for years, albeit separately from his account. The data company claims never to have received the lawyer's request to delete the data. In his lawsuit, the plaintiff demanded at least 5,000 euros in damages.

He regularly visits the website bild.de, and occasionally paypal.com, jameda.de, shop-apotheke.de, eventim.de, ikea.de, zalando.de and netflix.com. They all integrate Meta Business Tools, which include the invisible Meta Pixel, the "App Events via Facebook" SDK, the Conversions API and the App Events API. Meta uses these to harvest data that is generated during interactions with the respective websites ("events"). This data ends up at Meta even if the respective user does not use a Meta service such as Facebook or Instagram.


Meta bases the lawfulness of this on the consent to data transfer obtained from the respective website or app operator. The Stuttgart Regional Court has "considerable doubts" that Meta takes an honest approach and only wants data to be transmitted if the data subject has given their consent. For one thing, Meta advertises that it collects data via its Conversions API even if the data subject has not given their consent. For another, it uses a trick to bypass the browser setting that excludes third-party cookies. With the Meta Business Tools, two Facebook cookies are smuggled onto the user's computer in such a way that they appear to be cookies from the server actually accessed.

However, the question of effective consent to data transfer is not relevant, says the Regional Court of Stuttgart. The lawsuit is not about the transfer to Meta in cooperation with third parties, but about the subsequent storage at Meta by Meta alone. This is a separate case of data processing. And there was clearly no consent for this. Finally, the plaintiff did not allow the merging with his Facebook account or the use for advertising purposes. Meta did not put forward any other storage purposes necessary for the fulfillment of the contract.

"The storage is also not necessary to safeguard the legitimate interests of the defendant", the court stated. Meta argued that it stores the off-site data to protect the security of its servers and to ensure that criminals do not exploit the business tools for spam, scraping or IT attacks. The court makes short work of this: "It seems downright absurd that the defendant would therefore have to dispose of data stored by it in order to combat the misuse of this very data, which the defendant does not need at all and with which it – since it is data collected on third-party websites and apps – has nothing to do at all, unless it is allowed to use the data for personalized advertising."

"If a Facebook user refuses to consent to the use of off-site data for personalized advertising, the only lawful course of action (...) is to delete the data," clarifies the Regional Court of Stuttgart, "Why the defendant does not delete the data nevertheless remains unclear."

The court does not address other claims made by the plaintiff, such as a lump-sum penalty for future infringements by Meta. It also does not address the astonishing idea that Meta should only be allowed to delete the unlawfully stored data at the plaintiff's request. In addition, the claimed damages of at least 5,000 euros are far too high for the Regional Court of Stuttgart. Although the plaintiff had proven minor immaterial damage, damages should not be used for retaliation or prevention. Therefore, damages of only 300 euros were appropriate. As the plaintiff did not prevail with the majority of his claim, he has to bear 90 percent of the costs of the legal dispute, Meta only ten percent. Both parties have the right to appeal against the decision of Stuttgart Regional Court.


(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.