Meta was recently slammed with a $414 million fine from the Irish Data Protection Commission for its usage of user data for targeted advertising – a decision that could spell trouble for the ad-revenue-reliant company.

According to the ruling from the European Data Protection Board, Meta subsidiaries Facebook and Instagram were both found to be in violation of E.U. General Data Protection Regulations – garnering $222.5 million and $191 million in penalties, respectively.

What did Meta do?

Essentially, instead of offering users the option to accept or decline personalized ads based on their online activity, the company smuggled a clause consenting to its personalized ads into its Terms and Conditions. Since users are unable to use the service at all unless they agree to having their web activity tracked, this amounts to forced consent under GDPR rules, according to the recent decision.

This means that Meta can no longer depend on its contracts to serve targeted advertisements based on tracked user activity.

The DPC related:

“Meta Ireland is not entitled to rely on the ‘contract’ legal basis in connection with the delivery of behavioral advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, amounts to a contravention of Article 6 of the GDPR.”

The ruling has been a few years in coming – though complaints were initially filed on May 25, 2018, it wasn’t until a month ago that the European Data Protection Board announced its decision.

What the ruling means for Meta

Consumers have been heartened by increased privacy protections in recent years, such as those included in the lates iOS Apple update requiring apps to request permission before tracking users. But for Meta, these trends have translated into significant ad revenue loss. Just last year, Meta was ordered to dole out $725 million in a class-action settlement over the company’s disclosure of user data to Cambridge Analytica.

Now, the company has a mere three months to update its data processing operations to comply with the GDPR ruling. And while Meta continues to defend its data-usage practices, current trends suggest that its ad-revenue-reliant business model is not long for this world.