In a blow to the US social network, Meta will only be able to serve ads based on personal data with users’ consent, a person familiar with the matter said on Tuesday, following a privacy ruling by European Union privacy regulators.

The Irish Data Protection Authority oversees Meta, as its European headquarters are in Dublin. It has one month to issue a decision based on a binding decision of the European Data Protection Board (EDPB).

The person said that the EDPB might ask the Irish agency to impose a fine because of the issue’s sensitivity. Big Tech’s targeted advertising model, data collection, and use have drawn regulatory scrutiny worldwide.

The company’s shares were down 6.2% in mid-term trading. Google, Snap and Pinterest, which rely on digital advertising, fell 2.2%, 8% and 4%, respectively. The Irish case against Meta has been sparked by a 2018 complaint by Austrian privacy campaigner Max Schrems.

“They don’t have a yes/no option for personalised ads and only transpose the consent clause in the terms and conditions. It is not only unfair, but it is clearly illegal as well. We are not talking about any other company are doing, you know, who has so arrogantly tried to sidestep the GDPR,” Schrems said. The EDPB’s ruling means Meta must allow users to have all versions of the app that don’t use personal data to serve ads. In contrast, he said that companies will still be allowed to use non-personal data to personalise ads or ask for user consent.

The G27’s landmark privacy rule, the General Data Protection Regulation, came into force in 2018. A Meta spokesman said Meta is engaging with Irish agencies.

The spokesperson said, “GDPR allows for several legal bases for data processing beyond consent or performance of a contract. Under the GDPR, there is no hierarchy among these legal bases, and no one is superior to another.”

Apple’s new privacy rules banning digital advertisers from tracking iPhone users have also hurt Facebook’s parent company.

An EDPB spokesman declined to provide details of the decision taken. The agency said the move came after other national regulators disagreed with the Irish agency’s draft decision.

Its draft decision on Meta’s parent Facebook and Instagram focused on the legality and transparency of handling behavioural advertising. In contrast, its decision on WhatsApp focused on the lawfulness of processing to improve the service.

“The DPC is currently unable to comment on the content of the decision. We have one month to adopt a binding decision from the EDPB, and details will be published at that time,” the Irish Data Protection Commission said.