German court rules Meta tracking technology violates European privacy laws
179 comments
·July 10, 2025dabedee
VikingTechGuy
In Germany consumers are opted in by default, unlike all other European Countries.
This is also why there currently are class action lawsuits against X and Tiktok based in Germany with claims of damages of EUR 500 and EUR 2000.
hsbauauvhabzb
Sounds like something someone could commoditise. 2500 free euro! Sign here!
oytis
AFAIK that business model already works with rental contracts.
rglullis
It definitely does for canceled/delayed flight tickets. Some years ago we had a flight that was canceled in the last minute by TAP and we missed one day from our trip. We got 600€ back from each ticket just by signing up to a website and sending the ticket receipts.
piva00
In Sweden I've seen quite a few businesses sprung up for that, collecting overpaid rent through a legal firm.
Completely agree that if it's a similarly straightforward process there will be businesses offering to litigate on the users' behalf and collect a fee, I'd be jumping on it if I only had to file a report and wait for the work to be done to collect a couple thousand €.
lauritz
It should be noted that this may not stand on appeal. The full decision is not yet available. All we know is from the press statement.
For example, the court ruled that the plaintiff is entitled to these damages without even hearing them personally on what kind of injury they sustained. This is an interesting direction, and we will see how it is argued in the decision itself. I would assume this could be something that Meta challenges on appeal.
Another way to go would be to argue that this lawsuit involves unresolved questions of EU law that need to be addressed by the ECJ.
In either case, this verdict will create some legal uncertainty in the short term, and I assume many people will sue---but we shall see what happens on appeal and perhaps at the ECJ, which will perhaps be a couple of years out.
fauigerzigerk
What I don't understand is the responsibility of Facebook vs the operator of the website where the tracking takes place. I thought that under GDPR it was the responsibility of the website to get consent from users before passing on data to ad networks.
mpweiher
Both are liable. From TFA:
"The court’s decision exposes all websites and apps using tracking technology to significant lawsuits, experts said."
fauigerzigerk
Only if the ruling holds up on appeal. What I'm wondering is whether it will hold up.
cess11
What do you mean by website as a "place"? I'm not so sure the GDPR mentions tracking. Here's what the court said was relevant:
"Meta, Betreiberin der sozialen Netzwerke Instagram und Facebook, hat Business Tools entwickelt, die von zahlreichen Betreibern auf ihren Webseiten und Apps eingebunden werden und die Daten der Nutzer von Instagram und Facebook an Meta senden. Jeder Nutzer ist für Meta zu jeder Zeit individuell erkennbar, sobald er sich auf den Dritt-Webseiten bewegt oder eine App benutzt hat, auch wenn er sich nicht über den Account von Instagram und Facebook angemeldet hat. Die Daten sendet Meta Ireland ausnahmslos weltweit in Drittstaaten, insbesondere in die USA. Dort wertet sie die Daten in für den Nutzer unbekanntem Maß aus."
fauigerzigerk
I mean that under GDPR, website owners as data controllers must get user consent before embedding third party tracking technologies on their websites to pass on data to Facebook.
It doesn't matter whether GDPR mentions any specific word. What matters is what the technologies referred to by the word "tracking" actually do. And what they do clearly requires consent under GDPR.
The paragraph you posted implies (but does not explicitly state) that Facebook's ability to identify individual users would still be noncompliant even if the website has received consent from the user to embed Facebook's technology. Or does the court blame the website's noncompliance on Facebook?
alkonaut
Can't some shady legal firm now just dig out who is in the exact same situation as this user, and sue on behalf of them, keeping (say) 10%? I'd be happy to let them.
But in the end this kind of thing shouldn't be regulated by lawsuits from individuals. The fines as I remember it can be up to 4% global annual revenue and it's about time someone actually handed a fine of 4% global annual revenue to a company the size of Meta, so companies finally realize that the law isn't just a recommendation.
lauritz
There are (non-shady) firms that do exactly this for other areas (flight compensation, most notably).
There are some issues with contingency fees in German legal professional law. However, it can be argued that suing for these 5,000 EUR is just "collections", so it may be allowed.
The risk lies elsewhere: As I outlined in another comment, there is reason to believe that this may not stand on appeal, or at least that other courts in other parts of Germany may decide differently. As a result, it takes a lot of capital to keep all of these lawsuits going until the Federal Court of Justice or the ECJ have decided and there is legal certainty.
pedro_caetano
My understanding is that there is no 1-to-1 European equivalent to class action lawsuits in the USA.
There is a EU directive that allows for "representative action" but it's much narrower scope compared to what Americans are familiar with in class action.
Garlef
Yes. But there's law firms who streamline such individual processes if the business case is actually large enough.
For example there's a law that says the airline needs to pay you 400€(?) if your flight is delayed by more than 2h if it's due to the airlines fault.
There's a company that handles these cases for 130€.
That's 270€ you get and you just need to enter some data.
SSLy
or you can enter the same data into form provided by the airline. I did it once to SN and they paid up just fine.
pjc50
Pedantry: the EU doesn't have a unified legal system.
veunes
Yeah, class action-style suits are probably coming, especially now that this ruling sets a precedent
ekunazanu
AFAIK Germany (and most European countries) has civil law, so court rulings probably won't have as much of an impact as it would in countries like the US
alkonaut
Once it reaches the highest court, it will set precedent. So there is no real difference in the end it just takes more time because no precedent is set in a lower court.
oblio
> AFAIK Germany (and most European countries) has civil law
Most of the world, actually. Pure common law systems are just in CANZUKUS (and a few dozen of other minuscule former British colonies).
jxjnskkzxxhx
You guys remember how 5+ years ago, an headline like this on HN would invariably prompt cries from the Americans that this was just the Europeans finding excuses to take advantage and steal from poor innocent American companies. How the mood has changed on this huh. I'm glad to see the European approach vindicated, even if at times not strong enough.
lompad
And not only are those cries wrong, reality is quite the opposite. The vast majority of fines are towards european businesses. Big Tech aren't the only ones who violate data privacy standards all the time. [0] You just don't read about those here, so people like to just assume those fines don't exist.
Additionally, it helps to actually learn how the current law developed - it primarily was modeled after the german Bundesdatenschutzgesetz, which was put into law in a modern form in the 90s, long before FAANG.
[0] see the tracker: https://www.enforcementtracker.com/
octo888
Worth noting the tracker does not track which fines are currently being contested (in an obvious manner). i.e. do not assume all the fines you see there have actually been paid
Though probably safe to assume the smaller fines against smaller companies with smaller lobbying^H^H^H^H^H^H legal teams most likely have :-)
rafaelmn
I went to the site and sorted by fine - I needed to go to the bottom of second list to find a non US company ? By the time I get to pages that are mostly non US companies the fines are two orders of magnitude smaller and dropping fast - do you have any aggregate view to compare ? I would not be surprised at all that indeed most of the fines were towards US companies in total amount.
const_cast
IME as an American, US companies play much more fast and loose with laws. Especially tech, which has "disrupt first, ask questions later" approach to ethics.
oblio
I saw TikTok at #3 and #5, Enel (Italian) at #15, Vodafone at #19 (British) and starting at around #21 the list is basically dominated by European companies.
Speaking from personal experience, American companies, especially the big ones, tend to treat everyone else as "Americans that they don't know they're American yet" or alternatively "slightly dumb Americans".
At least for one of them, yeah, they apply the legal laws, but the general decisions are taken in the US with little regard for local "non-impeding laws", I would call them. "Impeding laws" would be laws that would block the launch of something (for example they wouldn't attach an AR-15 to every product sold). "Non-impeding laws" would for example be, labor laws. They just assume that what works in the US sort of works everywhere else and deal with the consequences along the way.
FranzFerdiNaN
Its because American companies are much larger than most European companies in terms of revenue. And because the impact of their infringements are much larger due to the nature of their business. If Bumfuck LLC from Sweden with maybe a 1000 customers fucks up they arent impacting millions of users, unlike when Google or Meta does things.
Raed667
I was surprised to see doctors and even a bakery on the list!
delusional
One of the earliest enforcement actions was against a mailing list. If I remember it was because it CCed all the participants instead of BCCing them.
riffraff
5 years? I think it was last week.
detaro
[flagged]
BoorishBears
[flagged]
bigyabai
Then leave. Take your big, beautiful American business and walk it the fuck out of the European economic zone. It's that easy!
That said... it will be awfully hard for Americans to wriggle their way out of the $125 billion annual trade deficit they run with the EU. If the US stops trading to defend "principled" economic development, then the citizens will be paying down America's debt with their income taxes.
No biggie. It's only like ~$800/taxpayer/year when you run the numbers.
BoorishBears
[flagged]
gdwatson
As an American, my reservations about European privacy laws are related to jurisdiction, and none of them applies here. I welcome this decision.
phendrenad2
No no, you misunderstand. Over here in America we have given up on fighting it and prefer to let mega-corps like Google and Meta own the advertising space. Smaller companies quickly moved to a subscription model, at least until the EU finds a way to make money illegal.
apples_oranges
Americans are still asleep at 7GMT ;)
andsoitis
> cries from the Americans that this was just the Europeans finding excuses to take advantage and steal from poor innocent American companies
Spotify found in violation of EU data protection laws by Stockholm Court - https://www.investing.com/news/stock-market-news/spotify-fou...
Or what about Enel (Italian): https://www.reuters.com/business/energy/italy-regulator-fine...
Or Criteo (French): https://techcrunch.com/2023/06/22/adtech-giant-criteo-his-wi...
H&M (Swedish) fined for breaking GDPR over employee surveillance: https://www.bbc.com/news/technology-54418936
etc.
null
juliangmp
I really hope it turns into a class action because I'd so wish to be part of it
null
subscribed
Can't wait for this to hit the fan: https://wire.com/en/blog/metas-stealth-tracking-another-eu-w...
elAhmo
And, just like always, nothing meaningful will be done.
veunes
Interesting that the court emphasized identifiability even without logging in. That cuts right through the usual "anonymous tracking" defense a lot of companies hide behind
VikingTechGuy
You can read full analysis here:
https://www.linkedin.com/pulse/5000-pixel-tracker-why-latest...
In Germany consumers does not need to file a lawsuit, they are included by default, which is very different than all other European countries.
VikingTechGuy
You can scan any website or ecommerce solution and see which 3rd parties they load before consent using this free privacy scanner -> https://privacyscanner.aesirx.io/
VikingTechGuy
73% of Danish Business Websites Found in Violation of GDPR Consent Rules. After scanning 36,496 company domains in Denmark, we found that over 73% load trackers before consent - including Google Tag Manager, Google Analytics, Facebook, and even third-party CMPs.
Thinggaard
Wild numbers that prove that something needs to be done about the problems
msgodel
There's a very easy solution to this: ban 3rd party tracking altogether. Then there wouldn't be any confusion.
This Leipzig ruling is notable, but the practical impact may be more limited than the €5,000 figure suggests. While the court explicitly said users don't need to prove individual damages to sue, European class action mechanisms are still quite different from US-style litigation.
Germany doesn't have the same litigation incentive structures as the US - no contingency fees, loser-pays costs, and relatively limited collective redress options. Most German consumers aren't going to file individual €5,000 lawsuits over tracking pixels, especially given the legal costs and time involved.
Personally, I hope this gets picked up by a consumer protection organization or a well-funded litigation group. Germany has been gradually expanding its collective action framework, but it's still primarily driven by qualified entities rather than individual plaintiffs.