A German appeals court on April 13, 2026, confirmed a judgment ordering Meta Platforms Ireland Limited to pay €1,500 in non-material damages to an Instagram user whose personal data was collected and transmitted through Meta Business Tools embedded on third-party websites – without a valid legal basis under the General Data Protection Regulation. The ruling, issued on April 13, 2026, by the 10th Civil Senate of the Oberlandesgericht Dresden (case reference 10 U 475/25, originating from Landgericht Dresden case 3 O 2204/23), follows an oral hearing held on March 2, 2026, and represents the latest in a series of German court decisions holding Meta accountable for its cross-site tracking infrastructure.

The case matters to the advertising industry precisely because it targets the technical plumbing that powers personalized advertising at scale: the Meta Pixel, the Conversions API, and the broader suite of tools Meta provides to third-party websites and app operators for event measurement and audience building.

What the Business Tools actually do

According to the court documents, the Business Tools in question operate by capturing data from users who visit third-party websites and apps – including email addresses, telephone numbers, first names, last names, dates of birth, gender, and location – and transmitting that data to Meta’s servers. The data can be transferred either directly or in hashed form. According to the ruling, contact details undergo SHA-256 hashing before transmission, following a specification prescribed by Meta itself. The company then runs a matching procedure that aligns the hashed data against its internal user identification systems. After matching, the contact data is deleted, but event data combined with matched user IDs is retained and made available for Meta’s designated advertising purposes.

The Conversions API – which the industry commonly abbreviates as CAPI – sits at the heart of this process. Unlike the client-side Pixel, which runs in a browser and can be blocked by ad blockers or restricted by browser privacy settings, the Conversions API operates server-to-server, transmitting data from the website operator’s own infrastructure directly to Meta. According to the court, the plaintiff argued that this architecture is technically invisible to the user: the Beklagte – Meta – does not disclose on which third-party pages its Conversions API is active, meaning users have no realistic way to know when data collection is happening. Even when users refuse cookies on third-party sites, according to the Dresden court’s findings, data transmission to Meta can still occur.

So-called Standarddaten – default data categories – are always collected, according to the plaintiff’s submissions in the case, regardless of whether the third-party website operator explicitly decides to transmit them. This effectively removes meaningful control from both users and, to some degree, from the publishers operating those sites.

The plaintiff and the facts of the case

The plaintiff, whose identity is redacted in the published judgment, has been using Instagram exclusively for private purposes since February 1, 2020, under a private username. According to the judgment, the plaintiff opted for the free, advertising-supported model and has not subscribed to Meta’s paid, ad-free tier, which became available in October 2023. By accepting Instagram’s terms of service – including a version dated January 15, 2024 – users agree to a privacy policy and a cookie policy that in turn authorize data processing for personalized advertising purposes.

Meta’s business model, according to the court, involves providing advertisers with targeted, personalized advertising against payment. According to the judgment, approximately 3.9 billion people currently use Meta’s products, as stated by Meta itself. This scale means the Business Tools infrastructure operates across an enormous surface area of the web, collecting data wherever third-party operators have embedded the Pixel or connected the Conversions API.

The plaintiff argued that the data processing through Business Tools violated GDPR because it lacked a lawful basis, failed to satisfy data minimization requirements, and resulted in a loss of control over personal data that caused genuine non-material harm. The plaintiff specifically pointed to the fact that the Conversions API is technically invisible – users do not know it is running – and that Meta’s failure to disclose which third-party sites carry the API compounds the loss of transparency.

How the courts ruled

The Landgericht Dresden delivered its first-instance judgment on March 14, 2025, which the plaintiff then appealed. The Oberlandesgericht Dresden on April 13, 2026, partially upheld the appeal, confirming the award of €1,500 in non-material damages under Article 82 of the GDPR. According to the judgment, the Streitwert – the notional value of the dispute for cost purposes – was set at €9,000. Litigation costs were offset between the parties, and the judgment is provisionally enforceable without security. Revision to the Bundesgerichtshof – Germany’s federal civil court – was not admitted.

The court found that Meta qualifies as a joint controller with third-party website operators under Article 26 GDPR for the data collection that occurs on third-party sites. It also confirmed that Meta bears sole controller responsibility under Article 4(7) GDPR for processing that continues after the initial collection and matching steps. The analysis draws on the same legal framework that underpinned the earlier February 2026 Dresden ruling against Meta, which similarly awarded €1,500 per affected user and was reported by PPC Land.

The court referenced the judgment of the OLG Munich of November 18, 2025 (case 14 U 1068/25 e) as a comparable decision that also resulted in a conviction of Meta for violations of the data minimization principle, though the Munich court awarded only €500 in non-material damages at first instance and did not establish an abstract legal rule covering the case. The Dresden Senate considered the legal questions at issue – particularly whether Meta can rely on Article 6(1)(f) GDPR’s legitimate interest provision for Business Tools processing, and under what conditions a loss of control constitutes non-material damage within the meaning of Article 82 GDPR – to have been sufficiently resolved by the Court of Justice of the European Union. No conflicting appellate or supreme court authority requiring referral existed, the Dresden court concluded.

The legitimate interest question

Central to the case is Article 6(1)(f) GDPR, which permits data processing without consent where the controller can demonstrate a legitimate interest that overrides the data subject’s interests and fundamental rights. Meta argued that the Business Tools processing satisfies this test. The court disagreed, finding that the processing lacks adequate legal justification and that the plaintiff’s interests outweigh Meta’s commercial objectives in this configuration.

The plaintiff’s legal team, BK Automotive Rechtsanwaltsgesellschaft mbH, argued that applying the Meta Business Toolstracking framework to the plaintiff amounts not only to a GDPR violation but also to a loss of control that causes the plaintiff genuine anxiety and uncertainty – qualifying as non-material harm under the GDPR. The court accepted this framing, treating the loss of control as the operative injury rather than requiring proof of specific financial loss or identifiable downstream harm.

Context: a German litigation wave

The April 13 ruling arrives within a broader pattern of German courts systematically testing Meta’s advertising infrastructure against GDPR requirements. The Leipzig District Court awarded €5,000 to a Facebook user on July 4, 2025, relying exclusively on Article 82 GDPR rather than national personality rights law – an approach that the Leipzig 5th Civil Chamber explicitly chose to create a more portable European legal framework for damages. The Leipzig ruling was the first to set a compensation floor of €5,000 for the generalized impact of Business Tools violations on an average, attentive data subject.

The OLG Dresden had already confirmed a separate Business Tools ruling in February 2026, awarding €1,500 per user and establishing that Meta’s arguments about legitimate interest and data minimization do not withstand appellate scrutiny. The April 13 ruling follows the same doctrinal path.

Outside Germany, the Austrian Supreme Court issued a landmark judgment in November 2025 ordering Meta to provide comprehensive access to all personal data collected from privacy advocate Max Schrems, rejecting Meta’s trade secret arguments and confirming that Article 15 GDPR creates enforceable rights to detailed information about every aspect of data processing. The Austrian court also confirmed that €500 represents a realistic baseline for non-material damages for violations common to nearly any Meta user. In Spain, a Madrid court ordered Meta to pay €479 million in November 2025 for unfair competition violations stemming from illegal data processing that gave the platform competitive advantages against Spanish digital publishers.

A research report published by EU DisinfoLab in November 2025, covered by PPC Land, mapped how German courts are deploying GDPR, the Digital Services Act, and competition law to probe platform algorithms. The Leipzig ruling against Meta’s Pixel and SDKs featured prominently in that analysis as one of four landmark German cases testing algorithmic accountability.

Why this matters for advertisers

The Business Tools that German courts have now repeatedly found to violate GDPR are the same infrastructure that underpins performance measurement and audience building for millions of advertisers running campaigns on Facebook and Instagram. The Meta Pixel and the Conversions API are central to retargeting campaigns, lookalike audience construction, and conversion optimization – all core components of standard digital advertising practice.

German courts are establishing that data subjects can claim between €500 and €5,000 in non-material damages for Business Tools violations, depending on the court and the specific facts. Aggregated across a user base that, according to Meta’s own submissions in the Dresden case, numbers approximately 3.9 billion people globally, the financial exposure from private litigation is theoretically very large. In practice, individual claims must still be litigated one at a time unless class action mechanisms develop, but the case law is accumulating quickly enough that specialized law firms are treating it as a structured litigation programme.

The BEUC analysis published in March 2026 concluded that Meta’s January 2026 iteration of its consent mechanism still violates the DMA, the GDPR, and the Unfair Commercial Practices Directive. The BEUC specifically found failures on data minimization, informed consent, and freely given consent under GDPR, and on interface design and transparency requirements under DMA Articles 5(2) and 13. That analysis adds regulatory pressure on top of the private litigation wave.

According to the Dresden court, Meta did not deny that the contested data processing took place even where users had opted against the use of their data for personalized advertising delivery. This detail is significant: the court found that the technical operation of the Business Tools framework continued regardless of user consent choices on Meta’s own platforms. The Conversions API, in particular, operates at the server level, meaning that browser-based consent signals – cookie banners, opt-out toggles – do not automatically prevent data transmission.

For advertisers using server-side tracking, this creates a compliance dimension that goes beyond simply accepting Meta’s terms of service. Under the joint controller provisions of Article 26 GDPR, website operators who deploy the Conversions API bear shared responsibility for ensuring that the data transmitted to Meta rests on a lawful basis. The Dresden court confirmed that this joint responsibility attaches to website operators alongside Meta itself.

Meta, in a brief statement noted in the case record, indicated disagreement with the Dresden decisions and stated it would consider further legal steps.

• May 25, 2018: GDPR takes effect across the European Union
• November 2023: Meta launches its pay-or-consent subscription model in the EEA; BEUC and 19 member organizations file a complaint with the CPC-Network
• July 4, 2025: Leipzig District Court awards €5,000 to a Facebook user for Business Tools GDPR violations under Article 82 GDPR
• August 17, 2025: Hamburg Data Protection Authority and German court proceedings confirm Meta AI training includes children’s data
• November 18, 2025: OLG Munich delivers judgment in case 14 U 1068/25 e, convicting Meta for data minimization violations and awarding €500 in non-material damages
• November 19, 2025: Madrid court orders Meta to pay €479 million for GDPR-based unfair competition violations against Spanish publishers
• November 24, 2025: EU DisinfoLab publishes research mapping German courts’ enforcement of GDPR, DSA, and competition law against major platforms
• November 26, 2025: Austrian Supreme Court issues final judgment ordering Meta to provide full data access to Max Schrems and confirming €500 as a baseline for non-material damages
• February 3, 2026 (oral hearing date): OLG Dresden delivers first confirmed Business Tools appeal ruling, awarding €1,500 per user
• March 2, 2026: Oral hearing in the current case before the OLG Dresden (10 U 475/25)
• March 17, 2026: BEUC publishes analysis finding Meta’s January 2026 consent flow still violates DMA, GDPR, and Unfair Commercial Practices Directive
• April 13, 2026: OLG Dresden issues judgment in case 10 U 475/25, confirming €1,500 in non-material GDPR damages against Meta for Business Tools tracking of an Instagram user

Summary

Who: Meta Platforms Ireland Limited (defendant and appellee), an unnamed private Instagram user (plaintiff and appellant) represented by BK Automotive Rechtsanwaltsgesellschaft mbH, and the 10th Civil Senate of the Oberlandesgericht Dresden.

What: The Dresden Higher Regional Court on April 13, 2026, confirmed a ruling ordering Meta to pay €1,500 in non-material damages under Article 82 GDPR for processing an Instagram user’s personal data through Meta Business Tools – including the Conversions API and Meta Pixel – on third-party websites without a valid legal basis. The court found Meta to be a joint controller under Article 26 GDPR alongside third-party website operators, and a sole controller under Article 4(7) GDPR for subsequent processing. Revision to the Bundesgerichtshof was not admitted. The Streitwert was set at €9,000.

When: The judgment was issued on April 13, 2026, following an oral hearing on March 2, 2026. The first-instance judgment from the Landgericht Dresden was delivered on March 14, 2025. The case reference is 10 U 475/25 (2), originating from Landgericht Dresden case 3 O 2204/23.

Where: Oberlandesgericht Dresden, Germany. The judgment applies to processing of personal data by Meta Platforms Ireland Limited, which is registered at Merrion Road, Dublin 4 D04 X2K5, Ireland, and which serves as the EEA entity responsible for Facebook and Instagram.

Why: The court found that Meta’s Business Tools framework – specifically the server-side transmission of personal data including name, email address, telephone number, date of birth, gender, and location from third-party websites and apps to Meta’s servers – lacked a valid legal basis under GDPR. The processing continued regardless of the user’s consent choices, and the Conversions API operated in a manner that was technically invisible to the user. This loss of control constituted non-material harm under Article 82 GDPR sufficient to ground a damages claim of €1,500.