
Meta Was Fined for Violating GDPR—Serving a Reminder That You Should Incorporate Compliance in Your Digital Strategy

On May 22, 2023, Meta (the owner of Facebook and Instagram) was fined a record $1.3 billion for violating the European Union’s data protection rules, known as the General Data Protection Regulation, or GDPR.

GDPR is a set of regulations designed to “harmonize” data privacy rules across all EU countries while providing more protection and rights to individual users. It came into effect on May 25, 2018, and has some stringent rules for collecting, using, and storing personal information.

A common misperception is that GDPR compliance is only relevant for European organizations, but it has broader implications. Companies that do business in the European Union, have customers in the EU, or process the personal data of a person in EU territory may be subject to the GDPR.


The emergence of the GDPR was driven by growing public concern about issues like data breaches, profiling and targeted advertising. Data breaches, like the notable Cambridge Analytica scandal, exposed how the personal information of millions was misused without consent. This raised alarm bells and highlighted the need for stricter regulations to protect individuals’ privacy. Additionally, the practices of building and selling profiles of individuals’ data, and using that data for targeted advertising, led to worries about privacy invasion and manipulation. Without the GDPR, the average layperson had limited understanding of, or transparency into, the scope of personal data being held or traded by companies, and limited legal authority to challenge how their personal data was being used, protected or shared.


Prior to GDPR, both the EU and U.S. already had regulations about data and personal information. So, what was different this time?

GDPR has enforcement abilities that rightfully make any international marketer do a double take. The penalties for breaking the rules can be as high as four percent of a company’s annual revenue. And in some instances, this could mean millions, or even billions, of dollars.


When navigating GDPR, there are many aspects that marketers should take into account, including:

  1. Users should know exactly what they are going to receive in return when they give up their contact information or other personal data.
  2. Users should be able to find out what companies have collected about them and have control over whether it is kept.
  3. Companies that collect personal data from users should be more transparent about what they collect, why they collect it, and how long they keep it.


Nearly twenty years ago, back when luminaries like Seth Godin were laying the groundwork for modern marketing, there was a different name for it. I’ll let Seth explain:

“Permission Marketing is personal, anticipated, relevant. It turns strangers into friends and friends into lifetime customers.”

“Permission Marketing is just like dating … the Permission Marketer knows that the first date is an opportunity to sell the other person on a second date. Every step along the way has to be interesting, useful and relevant.”

“Nothing good is free, and that goes double for Permission. Acquiring solid, deep permission from targeted customers is an investment.”

That’s right. What we call content marketing today was, in a simpler time, called Permission Marketing, as in earning the trust of your audience to gain their permission to deliver valuable content.

For too many companies, “content marketing” has degraded into thinly disguised push marketing. Instead of offering anything of value, the focus has become driving sales over building relationships. It’s no wonder, then, that audiences are tuned out and wary of engaging.

Today’s marketers could go a long way towards repairing their broken relationship with prospects by going back to the original concept.


Instead of focusing on list growth and playing a mass numbers game with lead conversion, marketing organizations should take a deep breath … and slow down a bit. In the long term, quality wins over quantity every time, and customers do business with brands they have a good relationship with, not the ones that push the most sales messages.


GDPR, with its emphasis on clear, jargon-free language and active opt-ins, created an opportunity for companies to go back to the drawing board and re-emphasize Seth Godin’s three points on Permission Marketing:


This is a dangerous term to start with because its meaning has become twisted over time to be more related to inserting a contact’s name in mass emails or showing ads based on a person’s identified preferences.

Instead, marketers need to find their altruistic impulses and focus on delivering value at each point of communication instead of self-centered sales messages. That value needs to be of personal interest to your audience. But this is vastly different than merely identifying an audience of “tech enthusiasts” or “frequent travelers” to serve ads to.

So, what do your prospects value? Whether talking to businesses or consumers, we’re all human. And humans are driven by certain common needs and wants.

A couple of years ago, researchers at Bain & Company put together a hierarchy of what customers want. They call it the Elements of Value and it is organized pretty much like Maslow’s Hierarchy of Needs.


[Figure: Elements of Value pyramid]

The different levels of the pyramid represent an increasing depth of connection between a customer and brand, with icons showing attributes of value at each.

Using the attributes above, relate them back to your product or service. How can you grow your relationship by delivering content that helps the person become more fulfilled through interaction with your brand?


Connected to personalization is the relevance of your content, or what I like to call the “who cares?” factor. There are companies today whose approach to lead nurturing is to acquire a contact and then blast them with a series of emails and ads that talk about themselves. Wrong move.

Instead, every time you consider a piece of content to put in front of your buyers, put yourself in their shoes first. Ask, “so what?” If you were your customer, in their busy life full of distractions, would you care about that content? If the answer is no, keep looking for something better.

No, your contacts don’t care whether you have many different services, that you really want them to contact you, and so on. Talk about what your audience cares about. Give them something interesting, educational, even fun to engage with.


Lastly, once you have the first two items above nailed down, you can achieve this one. Anticipation in this context means that your audience is not just tolerating your content but looking forward to receiving it. This is the content marketer’s state of nirvana.

We’ve all experienced that feeling of having a message put in front of you that you don’t necessarily want, but you don’t feel strongly enough to do anything other than ignore it. Don’t be that brand.

Back when Seth Godin coined these three attributes of Permission Marketing, he was probably thinking mainly of email marketing or perhaps blogging. Content delivery now can take many different forms, but the idea is the same.

Does anticipation mean that you need to publish on a set schedule? It can’t hurt, but it’s better to be good than be on time.

Wherever your audience likes to engage, they should be excited to see your content.


Instead of blasting messages out to a mostly disinterested audience, GDPR provides the opportunity to do things differently. The fact that users have to actively opt in to receive a clearly defined set of content means they won’t join your lists unless what you have is truly compelling.

It’s time to focus on what your audience wants to read, see, and experience—from the start. Or you’ll lose them.


Lose them? That’s right. One part of GDPR that we haven’t touched on is its concept of periodic “re-opt-ins.” In other words, if your contacts haven’t interacted with your brand in a decent amount of time, they need to be purged from your contact lists.

This is tied to a related rule that was mentioned earlier: personal data can’t simply be stored forever. Each organization needs to decide how long it will retain its data records and back that decision with a rationale of why it is in the contact’s (not yours!) best interest to have that period of data retention.

In other words, if your brand isn’t connecting enough to get repeated interaction over time, your contact lists will fade away.


We recommend working with a pro team like Element as well as a legal advisor. At Element, we’ve audited many client websites for any data privacy compliance issues. This includes cookie compliance software implementation, adding specific language to privacy policies, and providing additional information required on your website for it to adhere to EU standards.

Have questions? Get in touch with us.


In the end, marketers have been presented with a choice. We can keep going the way things have been and lose credibility and relevance with our audience. We can ignore regulations, stubbornly refuse to provide what users really want, and risk hefty fines.

Or we can ensure we adhere to GDPR and accept it as a necessary evolution of marketing and privacy—one that helps us develop mutual trust with our audiences.

All quotes by Seth Godin from Permission Marketing, 1999

This blog was originally published in June 2018 but was updated to include coverage of the May 22, 2023 Meta fine.

