Meta thrives on ad targeting, but it may have to tone down its use of the technology in Europe. The Wall Street Journal sources claim the EU’s European Data Protection Board (EDPB) has ruled that Meta can’t require users to accept personalized ads. You could opt out of targeted ads on Facebook or Instagram if you’d rather not have the social networks track your activity. You can already decline customized ads using data from third-party apps and sites.

The board’s decision wouldn’t directly force Meta to change. Rather, it would ask Ireland’s Data Protection Commission to apply matching orders. As Meta’s European operations are officially based in Ireland, the company would have to comply.

Both data boards acknowledged that there had been decisions, but didn’t comment on what they entailed. We’ve asked Meta for comment. A spokesperson for the social media giant said it was “too early to speculate,” and that the EU might still offer legal backing for targeted ads. The company argued that it had “fully” engaged with the Data Protection Commission’s inquiries.

If the EU does restrict Meta’s personalization, it could have a significant impact on the company’s bottom line. With fewer users willing to accept targeted ads, there may be fewer people clicking those ads and encouraging advertisers to spend more on campaigns. Meta was already worried about Apple’s App Tracking Transparency, and warned that it might cost $10 billion in sales when it launched in 2021. The reported European measure could also prove costly, especially as it would affect Android and the web.

The EU might not be very sympathetic, as its officials have penalized Meta more than once for purported privacy violations. It faced a $402 million fine in September over allegedly illegal child privacy settings on Instagram, and just last month received a $277 million fine for supposedly inadequate safeguards against data scraping. That’s on top of an investigation into possible collusion with Google on display ads. Simply speaking, the Union is determined to prevent Meta’s data from trading hands without consent.

Update 3:33PM ET: Meta has shared its full statement, which you can read below.

“This is not the final decision and it is too early to speculate. GDPR allows for a range of legal bases under which data can be processed, beyond consent or performance of a contract. Under the GDPR there is no hierarchy between these legal bases, and none should be considered better than any other. We’ve engaged fully with the DPC on their inquiries and will continue to engage with them as they finalise their decision.”