A notification appears in your Facebook feed. Meta will use your public posts to train its AI. Near the bottom, a hyperlinked word: “object”. You click through, fill in a form, and wonder whether that settles it.
For a UK services firm that relies on social media to reach clients, it rarely does. The opt-out is individual, per-account, and not unconditional. The useful work is understanding what is actually in scope, what objecting achieves, and what your data protection records should reflect.
What is Meta’s AI training data opt-out?
Meta is using public content from Facebook and Instagram posted by UK adults to train its generative AI models. It is relying on “legitimate interests” under UK GDPR as its legal basis rather than seeking explicit consent. An objection form is available for UK and European users, but the process is per-account, not organisation-wide, and Meta retains discretion over whether to honour each submission.
Meta’s current UK rollout follows a pause in mid-2024, when the Information Commissioner’s Office intervened over an earlier version of the plan. The ICO has confirmed it is monitoring Meta’s approach as notifications reach UK users. The equivalent EU rollout was halted entirely after the European Data Protection Board objected.
Privacy lawyers have questioned whether “legitimate interests” can sustain this use. In July 2023, the Court of Justice of the European Union ruled in Case C-252/21 that Meta could not rely on the same basis for behavioural advertising. That ruling creates a context in which AI training claims may face similar scrutiny from regulators and courts.
In practice, the objection process works as follows: UK users see an in-app notice and click the word “object”, which opens a pre-filled form. Since the ICO’s intervention, explaining how the processing affects them is optional rather than mandatory. Meta says it will review each submission, but the outcome of that review is at Meta’s discretion, so the form is not an unconditional opt-out.
Why does this matter for a UK services firm?
The content your firm publishes on social media, and the content your staff post under their own names when it references work, often includes information that is personal under UK GDPR. Client images, staff photos at a site visit, tagged testimonials, and location data from project posts are all potentially in scope. In sectors with regulatory obligations, the exposure is more significant still.
Ofcom’s 2023 research found that 71% of UK adults use Facebook and 49% use Instagram. For services firms, these platforms are often a primary channel for referral marketing, case-study visibility, and community presence. Withdrawing entirely is rarely commercially viable, which is why the workable strategy is reducing the sensitivity of what gets posted rather than exiting the platforms.
There are also client relationship considerations. Someone who gave consent to appear in a social post consented to that use. Their agreement does not automatically extend to AI training by a third party. If a client later discovers their image or story contributed to a commercial AI model, and your firm had the means to object and did not, the conversation is harder to have.
For firms in regulated sectors, FCA social media guidance and similar regulatory frameworks layer additional record-keeping obligations on top of GDPR. The question of what is posted publicly, and why, is already governed. Meta’s AI training adds one more reason to document the answers clearly.
Where will you actually encounter this?
Exposure comes through three channels. Your firm’s Facebook Page and Instagram Business account are the most visible: public posts, comments, and tagged images are in scope. Staff personal profiles are equally significant, because a public post by an employee referencing a client, showing a work site, or tagging colleagues is in scope even if the business did not publish it. Meta’s in-app AI features are the third route.
Meta has stated it does not use private messages or content from accounts set to restricted privacy for AI training. The difficulty is that many businesses set their Page content to public by default, and many staff operate personal profiles in public mode for professional visibility.
The in-app AI feature exposure is worth noting separately. If your team uses Meta’s AI assistant inside Messenger, Instagram, or WhatsApp Business, those interactions are governed by a broader data policy than the one covering standard published posts. The NCSC’s guidance on AI security recommends treating third-party AI tools as supply-chain components, which means asking what data is retained, for how long, and for what purposes.
A one-page inventory is a useful starting point: list your firm’s social accounts, their visibility settings, and the typical content type for each.
When should you act, and when can you hold off?
Act promptly when your feeds regularly feature identifiable individuals, particularly clients, or anything touching special-category data such as health information, ethnicity, or financial detail. If the ICO or a client ever questions how their data was handled, a documented assessment and a timely objection submission put you in a much stronger position than having no record of having considered the issue.
Prioritise accounts carrying the most sensitive content. That means owners and directors whose personal profiles are closely linked to the business brand, staff in regulated roles, and corporate accounts that routinely post identifiable client content or location data.
For each priority account, the practical steps are brief. Log in and follow the in-app notice to the “object” link, or use Meta’s web form directly. Complete the form and save a screenshot or PDF as a record. Calendar a follow-up in 30 to 60 days to confirm Meta’s response.
Under UK GDPR Article 21, individuals have a statutory right to object to processing based on legitimate interests, and the controller must stop unless it can demonstrate compelling grounds. If Meta declines an objection without satisfactory explanation, that outcome can be raised with the ICO.
One firm boundary to note: objecting does not undo prior AI training. The effect is on future use only. If older posts contain particularly sensitive material, deleting them is a prudent additional step, separate from the opt-out process.
What other data protection obligations connect to this?
Meta’s AI training sits within a broader UK GDPR obligation you already carry: keeping records that reflect how personal data flows through the platforms you use. Your Record of Processing Activities should note that public social media content is accessible to platform providers for their own purposes, including AI training. If your feeds regularly feature identifiable individuals, a short DPIA using the ICO’s free template is the proportionate next step.
Your privacy notice should tell clients and staff that social media platforms may use publicly visible content for their own purposes under their published terms. A short additional line in your existing customer privacy notice handles this. Staff social media policy should discourage employees from posting identifiable client detail or internal images without explicit permission.
Two further angles are worth keeping in mind. The CMA’s 2023 foundation model review flagged concerns that a small number of large platforms are accumulating data advantages that could affect market competition over time. For a services firm, content you post publicly may eventually contribute to AI models operating in your market. The useful guard is to keep proprietary client insight and commercially sensitive detail off public posts.
The NCSC recommendation to treat AI-enabled platforms as supply-chain components applies here too. A brief supplier assessment covering what Meta processes, under what legal basis, and what controls you apply is a proportionate, documented response that also strengthens your position with insurers if coverage questions ever arise.



