Targeted advertising’s days may be numbered. The Wall Street Journal and Reuters report that the European Data Protection Board has ruled that Meta cannot continue targeting ads based on user’s online activity without affirmative, opt-in consent. This ruling is based on the European Union’s General Data Protection Regulation (GDPR). This is a big step in the right direction: voluntary opt-in consent should be the baseline requirement for any data collection, retention, or use. And we should take a step further: online behavioral advertising should be banned.

The ruling is not final, or even public. The Board has sent the matter back to Ireland’s Data Protection Commission to issue an order, and reportedly to assess fines. Meta can still appeal. If the decision is finalized and enforced, Meta will need to change its surveillance and consent practices, and ads on Facebook and Instagram will start working significantly differently. Meta would have to seek affirmative consent from users before sending them targeted ads based on surveillance of their online behavior. Meta could pivot to “contextual ads” based only on the content a user is currently interacting with.

The surveillance-based advertising in question here involves how people use Meta’s own apps. Since 2020, Meta has offered settings to opt out of ad targeting based on information from other apps, websites, and businesses that Meta knows you have visited. Meta tracks its users off-site through tools like Facebook Login, Facebook’s tracking Pixel, social widgets such as Like and Share buttons, and other less visible features for developers. But Meta offers its users no similar option to opt out of ad targeting based on what users click, like, watch, and interact with on Facebook, Instagram, and other Meta properties.

The company should be offering all of its users an affirmative, opt-in consent option—and not track its users, either on-site or off-site, unless they opt in. Instead, Meta stuck language about its ad targeting practices into its platforms’ Terms of Service. Then Meta claimed that this means that, when someone uses Facebook or Instagram, they’ve supposedly “consented” to the use of their information to target ads. This sleight of hand takes advantage of the GDPR concept of “contractual necessity,” in which the GDPR allows data processors to collect and use information as necessary to deliver services for which the data subject contracted. One canonical example is that if you ask a company to send you a package, it can collect your address and use it to send you the package, even without separate explicit consent.

This week’s ruling stems from a complaint filed by EU-based NOYB (short for “none of your business”) in 2018 against Meta. At the time, Ireland’s privacy regulator sided with Meta. Now the European-wide Data Protection Board has revisited the issue.

This is an important step in the right direction. No company—Meta included—should be able to side-step consent with Terms of Service trickery, and users should be able to affirmatively decide whether or not their information is used for ad targeting. Opt-in consent to collect, retain, or use a person’s data is at the core of the GDPR, and of EFF’s recommendations for any consumer data privacy legislation.

This is not the only recent blow to Meta’s ad business. Last year, Apple introduced AppTrackingTransparency, which requires mobile apps on iOS to obtain the user’s express permission before tracking them across other apps. Sure enough, when given a clear choice, most people prefer that their personal devices not enable around-the-clock surveillance of their every click and swipe, and Meta lost both advertising revenue and a source of valuable ad targeting data.

Ad tracking, profiling, and targeting violates privacy, warps technology development, and has discriminatory impacts on users. Online behavioral advertising should be banned outright. Until then, moves like the European Data Protection Board’s send a clear message to platforms and advertisers that neither regulators nor users are willing to tolerate this extractive business model.