In April 2023, the European Union fined Meta, the parent company of Facebook and Instagram, €200 million for violating the Digital Markets Act (DMA). This penalty was imposed due to Meta's 'pay or consent' model for personalized advertising, which did not allow users to opt for an experience using less personal data. As a result of this investigation, the European Commission announced in December 2025 that starting in January 2026, Meta will implement a significant change in its advertising policy. EU users will have the choice to consent to share all their personal data for highly personalized ads or to opt-out for a less personalized ad experience requiring the sharing of less personal data. This measure is seen as a necessary response to ensure user choice and compliance with the DMA, allowing for a better balance of user privacy and the needs of advertisers. Meta initially began offering the option for less personalized ads in late 2024 after the EU investigation commenced. The effectiveness of this new policy will be monitored by the European Commission, which plans to gather feedback from Meta and other relevant stakeholders to assess compliance with DMA regulations and curb any potential violations. This move highlights ongoing tensions between US tech firms and European regulators concerning digital regulations and user protection.

The history of EU regulations on data privacy has evolved significantly, reflecting the increasing importance of data protection in the digital age. The journey began with the Council of Europe’s Convention 108 in 1981, which sought to establish a basic standard for the protection of personal data. This was one of the first international legally binding treaties in the field of data privacy and aimed to protect individuals' rights while allowing for data movement across borders. It laid the groundwork for national data protection laws within EU member states, emphasizing principles such as data quality, purpose limitation, transparency, and the rights of individuals. As technology evolved, the need for more robust data protection laws became apparent. This spurred the European Union to undertake comprehensive legislative efforts in the 1990s, culminating in the Data Protection Directive 95/46/EC, which was adopted in 1995. This directive aimed to harmonize data protection laws across Europe and introduced key principles such as the requirement for data processing to be lawful and fair, the necessity of obtaining consent from individuals, and granting individuals rights to access and rectify their data. The directive served as the primary legal framework for data protection in the EU for over two decades, shaping the data privacy landscape and influencing legislative frameworks worldwide. However, as the digital economy expanded, the limitations of the Data Protection Directive became evident. The rise of big data, social media, and cloud computing raised new challenges regarding privacy and security. In response, the EU introduced the General Data Protection Regulation (GDPR) in May 2018, marking a significant overhaul of data privacy regulation. The GDPR strengthened individuals' rights, including the right to be forgotten and the right to data portability, and enforced stricter obligations on organizations handling personal data. It also introduced substantial penalties for non-compliance, thereby enhancing the accountability of data controllers and processors. GDPR represented a shift from a regulatory approach focused primarily on protecting data to one that emphasizes the protection of individuals’ rights and interests in relation to their personal information. Since the enforcement of GDPR, the European Union has continued to adapt its approach to data privacy in response to technological advancements and global data flows. Ongoing discussions have explored additional regulations to address emerging challenges, such as artificial intelligence and data-sharing mechanisms that balance innovation with privacy protection. As nations globally are influenced by GDPR, the EU’s leadership in data privacy regulation remains critical. Continued vigilance in updating and enforcing data privacy regulations will be essential to ensure that individual rights are upheld in an era of rapid technological change, securing a standard that not only protects European citizens but also informs global practices in data protection.