Websites that embed Facebook Like buttons must obtain consent from visitors before sending data to Facebook, because they are jointly responsible for the initial data processing.
To date, such Like buttons have transferred personal data automatically, even if the user isn’t aware of it, hasn’t clicked on the plug-in or doesn’t even have a Facebook account!
But the Court of Justice of the European Union (CJEU) has today ruled that website owners will need to adjust the function of the plug-ins in order to gain explicit permission from users that their data can be sent to Facebook.
The decision is the climax of a case brought by German consumer advocacy group Verbraucherzentrale NRW relating to German e-commerce retailer Fashion ID. It was asserted that visitors to the site had their data collected and passed to Facebook Ireland regardless of whether they had clicked on the Like button. Data sent included the IP address and browser string of any user who arrived on the website.
In what is likely to become a landmark ruling, the CJEU - Europe’s highest court - determined that:
- Fashion ID can be classed as a data controller jointly with Facebook Ireland in the first instance, i.e. the point at which the data is gathered and sent to Facebook. As such, it needs to inform users that data is being collected and to what use it will be put, or provide a legitimate reason as to why it’s necessary for data to be gathered.
- It cannot, however, be considered to be a controller once that data has been passed to Facebook, i.e. it has no say over what Facebook Ireland does with that data and how it processes or handles it.
- While Facebook is able to use collected data for its own commercial ends, the current processing is in the economic interests of both Facebook Ireland and Fashion ID and is mutually beneficial.
The ruling had been expected following last December’s non-binding opinion on the case from CJEU Advocate General Michal Bobek. Such opinions are seldom ignored when it comes to issuing a final ruling.
In his opinion, Bobek concluded that websites such as Fashion ID are making strategic business decisions when they decide to place a Like button on their pages. As such, he said, they need to accept mutual responsibility for the gathering of data. Bobek wrote:
It thus appears that the defendant and Facebook Ireland co-decide on the means and purposes of the data processing at the stage of the collection and transmission of the personal data at issue. To that extent, the defendant acts as a controller and its liability is, to that extent as well, joint with that of Facebook Ireland.
He also rejected statements offered up by the European Commission that visitors to the site who did have a Facebook account might have previously provided data transfer consent, even if inadvertently:
Such an argument implies that upon opening a Facebook account, one accepts in advance any data processing with regard to any online activity of such ‘Facebook users’ by any third party having whatever connection with Facebook…In other words, accepting the Commission’s suggestion would in effect mean that by opening a Facebook account, a user has actually waived any protection of personal data online vis-à-vis Facebook.
The case was brought before the CJEU prior to the implementation of GDPR (General Data Protection Regulation) which is more robust in its user consent requirements than its predecessor legislation.
For its part, Facebook has issued a holding statement about this latest court ruling in which Associate General Counsel Jack Gilbert says:
Website plugins are common and important features of the modern internet. We welcome the clarity that today's decision brings to both websites and providers of plugins and similar tools. We are carefully reviewing the court's decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.
Is this the end of Like buttons? Of course it isn’t.
Is it another indicator that the ‘Wild West’ of the Internet and social media is being tamed? Quite probably it is.
Is it another timely reminder for all organizations, large or small, that senior level attention needs to be paid to responsibilities and regulations and liabilities around data collection? It is indeed. This is about managing exposure to risk. If there is joint responsibility and controllership, then as a third party organisation, you don’t just get to point the finger of blame at Facebook and walk away.
And it’s also another reminder - as if you should need it by now - of Facebook’s unreformed avaricious appetite for your data.