European regulators have laid down one of the biggest challenges so far to the multibillion-dollar business model of Facebook owner Meta, analysts said on Thursday.
The Silicon Valley titan was handed a 390-million-euro ($413-million) fine on Wednesday as part of a years-long tussle with the European Union over data privacy.
But more significantly, European regulators dismissed the legal basis Meta had used to justify gathering users' personal data for use in targeted advertising.
Meta makes its money from highly targeted ads, a system made possible only by understanding the behaviour of its users intimately.
"Meta and its investors should be ready: the privacy invasive targeted-ads business model is slowly but surely ending," Estelle Masse of NGO Access Now told AFP.
"Privacy-friendly solutions will need to be found quickly or else their revenue could plummet."
"This could be a major gut punch to Meta," said Dan Ives of Wedbush Securities, adding that the move could shave off between five and seven percent from its ad revenues.
However, Meta has disputed the decision and promised to appeal.
Ives said Wall Street traders were not worried about the short-term impact because they were hoping the appeal process "will continue to kick the can down the road".
- 'Existential question' -
The fine was ultimately imposed by the Irish Data Protection Commission (DPC) because Meta -- along with other US tech firms -- has its European headquarters in Dublin.
But the ruling was made by regulators from across the EU, who decided that Meta's attempt to classify advertising as a necessary part of its contract with users was invalid.
Another possible workaround, the idea that data usage for ads might constitute a "legitimate interest" of the company, has already been dismissed.
Analysts agree that Meta will ultimately be forced to introduce a clear "yes/no" button for users to choose if they consent to their data being used for advertising.
"We see no other possible bases than consent," Paul-Olivier Gibert of AFCDP, a French association, told AFP.
If significant numbers opt out, it could be disastrous for the firm.
Gibert pointed out that Meta is particularly exposed by the crackdown on targeted ads.
Rivals like Google and Apple, he noted, control operating systems and Amazon has many revenue streams.
But Meta has control of fewer elements and so has fewer opportunities for profit.
"There is an existential question for Meta," he said.
- 'Only the start' -
Wednesday's decision came four-and-a-half years after the complaint was first lodged by NOYB, an Austrian activist group.
They have been filing cases across the European Union since the bloc passed its massive data protection law, the GDPR, in 2018.
The case was tossed around between European authorities, with the Irish DPC proposing much lighter punishments.
NOYB founder Max Schrems said the DPC had "dragged out the procedure" for years.
"It is overall the fourth time in a row the Irish DPC got overruled," he said in a statement.
Abraham Newman of Georgetown University wrote on Twitter that Europe's privacy system had unleashed a powerful dynamic for regulators.
Firstly by allowing cases to be brought by NGOs not just individuals, paving the way for NOYB's central role in the drama.
And then by creating a network of national regulators, meaning Ireland was forced to follow the opinion of its peers elsewhere.
"This dynamic will likely play out again and again," Newman wrote.
"As a result, we have only started to see the real impact of European privacy rules."