Case summary 10 October 2024

Facebook; Implementation of the Bundeskartellamt’s decision of 6 February 2019 (Abusive

business terms due to inappropriate data processing)

Sector: Social networks

File number: B6-22/16

Date: 10 October 2024

I. Introduction

In its decision of 6 February 2019 the Bundeskartellamt prohibited Facebook Inc. (now: Meta Platforms
Inc.) from using business terms which make the use of the Facebook social network conditional on the
combination of data collected while using other group-owned services or third-party websites and apps
(together: “off-Facebook data”) with Facebook user accounts (“on-Facebook data”), where the data can
be used (for details see case summary of 15 February 2019).

In the course of an effortful negotiation and implementation process and based on this decision, the
Bundeskartellamt has achieved a significant improvement in users’ freedom of choice. Facebook users
based in Germany now have extensive options for controlling the extent to which their data generated
while using Facebook are combined with data from other sources. It was important to the
Bundeskartellamt to ensure that Meta establishes consent processes which give Meta users a genuine
choice as to the combination of data. In this respect, Meta has created easy-to-find areas for these
consent processes by introducing the Accounts Center for combining and separating Meta services and
the option of managing cookies and similar technologies for collecting data on third-party websites and
apps (business tools control). In this context the Bundeskartellamt also worked towards coherent user
guidance in which the essential options are clearly distinguishable and easily accessible (see II.). In view
of the measures taken and taking into account Meta’s willingness to accept that the decision becomes
final by withdrawing its pending appeal, and in view of the changed legal framework, the
Bundeskartellamt decided within the scope of its discretion that, on this basis, it no longer sees any
reason to take enforcement action (see III.). However, this does not mean that there is no further
potential to improve the specific design of the users’ options for choice (see IV.). The Bundeskartellamt's
decision not to pursue enforcement measures also has no precedent effect for other legal regimes (see
V.).

Given a certain degree of similarity between the issues raised by competition law and data protection
law, the Bundeskartellamt regularly exchanged views with the data protection authorities during the
proceeding. In addition, the Bundeskartellamt was supported on technical issues by the Federal Office
for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). The Federation of
German Consumer Organisations (Verbraucherzentrale Bundesverband, vzbv) was also involved in the
proceeding as a third party.

II. The measures taken by Meta

As a result of the measures taken by Meta users now effectively have the option to limit the amount of
their usage data which Facebook stores and uses to display personalised ads, to the service they are
using. In particular, Meta has introduced an Accounts Center for managing the various Meta services
and a special workflow (business tool control) for managing data from third-party websites and apps.

2
The following overview illustrates the options available to users for restricting the linking of their data:

Minimum data protection settings:

Maximum data protection settings:

*© Olena / Adobe Stock

Meta explicitly points out these options to users in various ways.

3
Accounts Center

On the one hand, Meta has introduced a so-called Accounts Center (see the Bundeskartellamt’s press
release of 7 June 20231). In the Accounts Center user accounts for the Meta services Facebook,
Instagram and Meta (Quest) can be linked2; this makes it possible to specify uniform settings for these
services and to extend the functionalities, in particular the cross-service posting of messages. If accounts
are linked, the user data assigned to the respective accounts are combined as well, inter alia for
advertising purposes. Conversely, accounts can also be removed in the Accounts Center. However, once
data have been combined, this cannot be undone. Users should be aware of this. Ultimately, however,
users can decide for themselves whether they wish to link the accounts of one Meta service (for
example Facebook) with the data of another Meta service (for example Instagram) or keep their
accounts, and thus their usage data, separate.

Adding accounts Removing accounts

1
Available at
https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2023/07_06_2023_Meta_Da
ten.html?nn=55030.
2
WhatsApp is managed by Meta as a separate service, so that data from this service are not combined with data
from the services mentioned above.
4
Business tools control (“cookies”)

On the other hand, in what Meta refers to as “cookie” settings (menu item “manage cookies”), users can
ensure that their data generated when using a Meta service are not combined with data Meta receives
by using its so-called business tools. Business tools are technical tools such as Meta Pixel or the
Conversions API, which are used to analyse the actions of website visitors and send personal usage data
to Meta. Meta makes these tools available to third parties, who then incorporate them into their app or
website. In this way, Meta’s business tools are very widely used. In Facebook’s or Instagram’s “cookie”
settings, Meta’s business tools are labelled as “optional cookies” that users can accept or reject.

[…]

[…]

[…]

5
Rejecting these “cookies” technically means that data transmitted via the business tools are not added
to a specific user profile, but will be deleted.

Facebook Login

Until recently, Facebook users wishing to use Facebook Login had to consent to their data being
combined with all data from third-party websites or apps. It is now possible to decline such combination
of data made possible by business tools in the settings and still use the Facebook Login on third-party
websites or in third-party apps. The Bundeskartellamt had deemed this change necessary, as it is
problematic with regard to the voluntary nature of consent to data processing if users can only accept
or decline a bundle of very different data processing purposes in their entirety.

Prominent notices

Meta's customers are to be given the opportunity to quickly access the relevant settings that can be
used to prevent the combination of data if this is not wanted. As already described, users who have
consented to the combination of data in the past will be shown prominent notices when accessing
Facebook, each containing direct links to the newly designed selection tools. Meta has already started
informing its customers or will do so shortly. The notice about the changes to the settings in the
Accounts Center (see illustration below) was displayed by Meta from the end of August until the
beginning of September 2024 and will remain visible in the notification area for up to 60 days; in
addition, a reminder email will be sent to users who have not interacted with the notice (by clicking it
away or clicking on the notice) within 30 days. The notice about changes to the “cookie settings” (see
illustration below) has started to appear on 7 October 2024 as a pop-up window when accessing
Facebook or Instagram up to three times at intervals of at least seven days.

6
Notice about the Accounts Centre Notice about “cookie settings”

[…]

[…]

7
Data protection signpost

Users can also easily find the main setting options elsewhere. To implement the Bundeskartellamt’s
decision Meta has now added a clearly visible information box to its data policy, which leads directly to
the control points “Accounts Center” and “cookie settings” (business tool control), which are relevant
for data protection.

Consent which has been given can also be revoked relatively easily. However, data that have been
combined will not be separated again. It was important to the Bundeskartellamt to ensure that Meta
explicitly points this out before consent is given.

Exceptions for limited purposes

Meta also combines data beyond the service in question without consent. In this context Meta has
clarified that this combination is only carried out for three narrowly defined purposes: First, the
combination of data within the context of so-called operational logging is intended to ensure the
smooth functioning of Meta services. Second, Meta combines data for so-called family analytics, that is
the preparation of data for reporting obligations and the creation of user statistics. Third, the
combination of data beyond the Meta service in question is intended to contribute to a higher level of
security (for example by blocking the Instagram and Facebook accounts of persons who have violated
the law). Under no circumstances may the data in question be combined with the respective user profile
for advertising purposes. They are generally deleted at the latest after a uniformly predetermined time
period (security purposes, operational logging) or data can only be accessed for a uniformly
predetermined number of days (family analytics). The Bundeskartellamt’s proceeding did not involve
8
the examination under data protection law as to the legal basis of these data processing activities and
whether they comply with the requirements set by the GDPR.

Design of user guidance

Upon the Bundeskartellamt’s request Meta finally redesigned its entire user guidance to make it clearer
and more comprehensible. The Bundeskartellamt criticised phrases or types of user guidance which, in
its view, were not transparent or even led users (by means of so-called “deceptive design patterns” to”)
to consent to far-reaching combinations of personal data. The following list includes some examples of
improvements implemented by Meta upon relevant suggestions provided by the Bundeskartellamt:

• Functional improvements: First, clearly worded questions allow users to quickly understand
what decision they are making when they click on the slider contained in the “cookie settings”
(see illustration on page 5).
Second, the slider is initially in the privacy-friendly “off” position when users call up the settings
menu.
• More precise wording: The items to be combined are no longer referred to as “information”, but
as “personal data” or “information about your activities”, which is a much more accurate
description. It is also clearly communicated that information from third-party sources will be
linked to the Facebook account if the user selects a certain setting.
• Although Meta does not use the term “cookie” in a technical sense, the term is explained in a
prominent place on the website; the aspect of data combination can also be found at important
stages of Meta’s settings dialogues so that users should generally be able to assess the
dimension of the risk to their informational self-determination they take by giving their consent.

• More neutrally phrased statements: For example, the positive phrase “relevant ads” or “more
relevant ads” was replaced by “ads […] based on information we gain and store from your
activities on websites and in apps of other companies”. Furthermore, there is no longer any
mention of an “improved user experience” when users accept the “optional cookies”.

9
 • Shorter click paths: For example, the accounts displayed in the accounts center each contain a
button labelled “remove account” so that the process of separating accounts can be initiated
more swiftly, if required (see illustration on page 4).
• At some points, links to explanatory texts were added so that users can find out more about key
terms.
• More balanced presentation of information: For example, when removing accounts from the
Accounts Center, the warning notice “Are you sure you ...?” was replaced by “Would you like to
...?”. Similarly, the warning notice formatted as a heading “[account name] will lose access to
these and all other linked functions: […]” was replaced with a descriptive text placed below a
heading concerning the removal of the account with the statement that access to linked
functions will be lost.

III. Waiving of enforcement measures and withdrawal of the appeal

Due to the measures taken by Meta to comply with the Bundeskartellamt’s decision of February 2019,
the decision is implemented to an extent that makes it appear opportune from a discretionary point of
view not to enforce the decision any further. In particular, the core problem under competition law was
mitigated, namely that the social network Facebook could only be used if Meta was also given the
possibility to receive data about users via websites and apps outside of Facebook’s services and link
these data to the respective Facebook user account. It also had to be taken into account that the
decision has become final due to Meta’s withdrawal of the pending appeal in the proceeding before the
Düsseldorf Higher Regional Court.

To the extent that shortcomings remain (see IV. below) and in view of the decision’s limited (antitrust)
regulatory content, the decision of 6 February 2019 now appears less suitable for enforcement
measures than other rules and instruments that have been introduced in the meantime. In its para. 4,
the decision expressly prohibited Meta from making the use of the Facebook service dependent on the
user’s consent to the combination of Facebook (profile) data with data from third-party sources, but did
not spell out the requirements for effective consent any further. With the entry into force of the
General Data Protection Regulation and the Digital Markets Act (DMA3) further authorities have come
onto the scene, which can appropriately assess and, if necessary, sanction Meta’s behaviour and its EEA-
wide effects on the basis of the relevant legal regime. In this process, further developments in Meta's
ecosystem that have taken place since 2019 can also be taken into account accordingly. While Article
5(2) DMA is aimed at situations such as the very case at hand and, among other provisions, contains a

3
Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on
contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828
(Digital Markets Act), OJ EU L 265 of 12 October 2022, p. 1, fully applicable since 25 June 2023.
10
directly applicable provision prohibiting so-called gatekeepers from combining data without effective
consent, the GDPR not only contains provisions on the effectiveness of consent (under data protection
law), but also explicit provisions on information obligations and data minimisation.

IV. Potential for optimisation

With regard to a free and informed decision by users on whether they want to use Facebook “in
isolation” or allow additional linking of data for advertising purposes, as was the subject matter of the
decision of 6 February 2019,4 the Bundeskartellamt assumes that enforcement action need not be
taken. Notwithstanding, the transparency and comprehensibility of user dialogues could be further
improved.

Ambiguity of the term “cookie” used in the settings

The “cookie” settings on Facebook are not just about the acceptance of cookies5 in the traditional sense.
In fact, Meta refers to a variety of different technologies as “cookies”, such as the Meta Pixel or the
Software Developer Kit (SDK) for Meta app events. Technically, these tools have completely different
characteristics from cookies. The main thing they have in common is that they allow data from third-
party websites or apps to be sent to Meta. Ultimately, it is not a question of allowing the use of such
“cookies”, but of controlling the combination of Facebook (profile) data with data that Meta receives via
its business tools. In general, users must be made sufficiently aware that acceptance results in the
permanent addition of personal data from third-party sources to an individual advertising profile; a
mere reference to the personalisation of the advertising displayed is not sufficient as this does not make
the scope and permanent nature of the data collection clear to users. Doubts remain in this respect.

Overloading user dialogues with irrelevant information

Mixing texts on so-called “required” cookies (which cannot be de-selected) and “optional” cookies
harbours the risk of confusing users. They do not have any choice to decline “required” cookies, i.e.
certain data links, but must accept them. It would therefore be logical not to display the information on

4
This does not mean that the consent mentioned in this case summary also fulfils the strict requirements for
consent under data protection law; in particular, it is questionable whether the consent referred to here could
be considered to have been given as a “specific, [...] indication” of the user’s wishes (Article 4 no 11 GDPR).
Nevertheless, this consent is an effective means for users wishing to use a service “in isolation”, i.e. without
further enriching the user (advertising) profile by linking it to third-party data.
5
Cookies are small files that store certain information about visits to websites, such as form data or search
terms, thus enabling user behaviour on the internet to be logged (see Federal Office for Information Security,
Preventing the Use of Cookies and Fingerprints, available at
https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-
Empfehlungen/Cyber-Sicherheitsempfehlungen/Updates-Browser-Open-Source-Software/Der-
Browser/JavaScript-Cookies-Fingerprints/javascript-cookies-fingerprints_node.html).
11
required cookies or, at best, to set a link. The current way in which such information is presented can
result in users not declining optional “cookies” because they consider them necessary, for example for
security reasons. Although Meta has clarified the texts it originally used in several places, there is no
strict separation between the combination of data requiring consent and the unavoidable combination
of data not requiring consent that is irrelevant in this decision-making situation.

Granularity of the selection options

Sometimes users are confronted with selection options that do not allow for a differentiated decision.
Users wishing to link their Facebook and Instagram accounts in order to select uniform settings or cross-
postings must also allow their data to be combined for advertising purposes and product improvement.
This approach could give rise to concerns under data protection law as it is doubtful whether users can
make a voluntary decision as to the purposes that go beyond the extension of functionality. Based on
the decision of 6 February 2019, however, the Bundeskartellamt was primarily concerned with assessing
whether users can freely decide to use the Facebook social network in isolation and reject the
combination with “off-Facebook” data. As things currently stand, the Bundeskartellamt considered this
to be generally realistic as users do not have to accept any significant disadvantages when data are not
combined. However, if in future core functions of a service should only become accessible via linked
accounts, this might have to be assessed differently.

User guidance

When users decide whether or not to accept “optional cookies”, it is problematic that the different
colour schemes (see illustration on page 5) implicitly encourage users to rather click on the more
prominently coloured button.

Exceptional areas

It cannot be ruled out that in exceptional areas the combination of data without consent and the
duration of data storage (see page 8) go beyond what is permissible under data protection law.

V. No precedent effect for other legal regimes

In its assessment under competition law the Bundeskartellamt’s decision also uses the principles of data
protection law as set out in the GDPR6 as a benchmark for the appropriateness of the data processing

6
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
individuals with regard to the processing of personal data, on the free movement of such data and repealing
Directive 95/46/G (General Data Protection Regulation), OJ EU L 119 of 4 May 2016, p. 1, in force since 25 May
2018.
12
terms stipulated by Meta in its role as a dominant provider in the market.7 This means that Meta’s
measures were assessed based on the basic principles of data protection law as part of the authority’s
assessment under competition law, but for example not necessarily all criteria for consent in line with
the GDPR had to be met. From a competition law perspective, the data protection aspects that have a
noticeable impact on competition or the economic behaviour of the affected parties are of particular
importance. The assessment standard under competition law may therefore differ from the standard
under data protection law in terms of scope and focus. The termination of the Facebook proceeding has
no precedent effect for other legal regimes to which Meta’s data processing terms are also subject. The
fact that the Bundeskartellamt is not taking any enforcement action based on its decision of February
2019 does not mean that Meta’s behaviour is completely unobjectionable in view of Meta’s obligations
under competition law, data protection law, consumer protection law and the DMA. Rather, the
measures taken by Meta were deemed to be a sufficiently effective “package” to allow the
Bundeskartellamt to close the case against Meta at its discretion. Other authorities may now be able to
achieve further improvements for users of Meta services based on their respective powers of
intervention. The European Commission, for example, has already initiated proceedings against Meta’s
ad-free subscription model as, according to the Commission’s preliminary findings, this model fails to
comply with the Digital Markets Act.8 The Consumer Association of North Rhine-Westphalia also takes a
critical view and has filed a complaint against Meta’s “pay or consent” model with the Cologne Higher
Regional Court.9

In its proceeding, the Bundeskartellamt solely focused on the combination of data that extended
beyond Facebook, i.e. the combination of data from the Facebook user profile and from other Meta
services or third-party sources (apps and websites of other companies). From the perspective of data
protection law (such as the principle of data minimisation), it would make sense to examine not only
this external relationship, but also the “internal relationships”, i.e. the collection of data and deletion
periods within individual Meta services.

The Bundeskartellamt’s proceeding therefore does not mark an end point, but rather functions as a
starting point for other players for fully enforcing Meta’s obligations from other regulatory areas and
possibly achieving further improvements for the users of Meta’s services.

7
Bundeskartellamt, decision of 6 February 2019, case no B6-22/16, paras. 526 ff., available at
https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Entscheidungen/Missbrauchsaufsicht/2019/
B6-22-16.pdf?__blob=publicationFile&v=1.
8
See https://ec.europa.eu/commission/presscorner/detail/en/ip_24_3582.
9
See https://www.verbraucherzentrale.nrw/pressemeldungen/presse-nrw/klage-gegen-payorconsentmodell-
von-meta-95258 (in German).
13
Background information:

On 6 February 2019 the Bundeskartellamt issued a decision prohibiting Meta (formerly Facebook) from
combining user data from different sources without the users’ consent. Meta appealed this decision to
the Düsseldorf Higher Regional Court (OLG Düsseldorf). On 26 August 2019, the court ordered the
suspensive effect of the appeal at Meta’s request. On 23 June 2020 the Federal Court of Justice revoked
this decision at the Bundeskartellamt’s request and denied Meta’s request to order the suspensive
effect of its appeal. On 24 March 2021 the Düsseldorf Higher Regional Court referred certain questions
to the Court of Justice of the European Union (CJEU) and suspended the proceeding until the CJEU’s
decision. Among other things, the CJEU was supposed to clarify whether the Bundeskartellamt can also
apply GDPR provisions when weighing interests in decisions under competition law. The European Court
of Justice ruled in favour of this in its decision of 4 July 2023 (case C-252/21). In view of the discussions
between the parties, the proceeding before the Düsseldorf Higher Regional Court was no longer actively
pursued and has now ended with Meta withdrawing its appeal.

14