Meta created "localhost tracking" to identify users on mobile phones bypassing Android sandbox protections. It faces liability under GDPR, DSA, and DMA from least to most severe. GDPR requires consent for ad personalization and Meta violated data minimization and privacy by design. DSA prohibits personalized advertising from special categories of data and the penalty could reach 10% of turnover. DMA specifically prohibits combining personal data without explicit consent and carries a high financial risk. Meta was declared a VLOP and gatekeeper with previous violations. The "localhost tracking" technique combines data across services. 22% of most visited websites are affected, and billions of users were tracked without consent over 8 years (Yandex) and 9 months (Meta). GDPR, DMA, and DSA penalties can be imposed cumulatively with a combined theoretical maximum of €32 billion. Meta's long record of violations, lack of cooperation, and system impact led to this situation. Credit goes to those who revealed the scandal.