Do you use the Facebook Like button on your website? If you do, you need to pay close attention to the latest ruling from the Court of Justice of the European Union (CJEU). Websites using the Facebook Like button transfer data to Facebook. As a result, the owner of any website using it is now a joint data controller of that information, together with Facebook.
The ruling is in response to a request from the Oberlandesgericht Düsseldorf (Germany). It was seeking clarity in a case brought by Verbraucherzentrale NRW e.V, a German consumer protection association, against Fashion ID, a German online clothing retailer.
Fashion ID uses the Facebook Like button on its website. Its implementation means that every visitor to the site has personal data transferred to Facebook Ireland. This transfer does NOT require the user to click the Like button. It also means that visitors are unaware of the transfer and have no opportunity to withdraw their consent.
As such, the court decided that: “Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue.”
In a response to the ruling Jack Gilbert, Associate General Counsel, Facebook said: “Website plugins are common and important features of the modern Internet. We welcome the clarity that today’s decision brings to both websites and providers of plugins and similar tools.
“We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”
German data authorities already issuing advice
The use of Like buttons is commonplace on websites. Many sites use them as part of their social media promotions. Visitors who like a product, offer or piece of content can use the Like button to let other people know it is interesting. In and of itself, there is nothing wrong with this. The issue is the transmission of data without consent.
Ian Innocent, Data Protection and Privacy Office, NTT Security provided the following analysis:
The most obvious consequence is that website owners would be required to conclude a joint controller agreement with third parties whose content they embed in their website. The German Data Protection Authorities provided a template several weeks ago: https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2019/05/190521_Vertragsmuster-Art-26.docx
With regards to Facebook, LinkedIn, Twitter and all other social media platforms, NTT would have to conclude a similar agreement to the one Facebook provided here: https://www.facebook.com/legal/terms/page_controller_addendum
According to the German Data Supervisory Authority, where consent is required, a consent banner is a necessary item. The banner must fulfil the stipulated consent requirements. “Einwilligungs-Banner” müssen eingesetzt werden, wenn tatsächlich eine Einwilligung des Nutzers nötig ist, also insbesondere Daten an Dritte weitergegeben werden oder Dritten die Möglichkeit eröffnet wird, Daten zu erheben. (“Consent banners” must be used if a user’s consent is actually required, i.e. in particular where data is passed on to third parties or third parties are given the opportunity to collect data.)
Website owners would also have to adapt their privacy policies to reflect their status as a joint controller with Facebook, LinkedIn etc. Additionally they would have to customise and adjust the information they provide when collecting consent for processing the personal data. If they fail to do so, they will not be collecting “informed consent”, potentially causing a multitude of legal and liability issues.
What does this mean for website owners?
The solution to the problem is going to cause work for many websites. It may also cause some to see a drop in visitor numbers. In addition, this is not just about Facebook. It will affect every plug-in they use that interacts with third-party websites.
What can you do?
- Don’t collect data you don’t need. Check what plug-ins are collecting and record it.
- Ensure that plug-ins do not automatically transfer data before the user has given consent. Do not implement a plug-in that sends data as soon as a visitor lands on the page.
- Provide a consent box for the visitor that details what information is being captured and where it is being sent. This creates another challenge for the website: if the visitor declines consent, do you still want them to visit the website? This is already an issue for EU users visiting a number of US websites. Several leading sites block EU visitors because they object to the consent requirement, as it limits their ability to gather data for marketing purposes.
- Update all privacy policies on the site.
- Ensure you can respond to any requests for data captured and transferred, a non-trivial task for a busy website.
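One way to implement the second and third points above is a click-to-load placeholder: the third-party plug-in script is injected only after consent for that specific purpose is on record, so nothing is sent to the plug-in provider when a visitor merely lands on the page. This is an added example, not Fashion ID's or Facebook's code; the storage key, the purpose name and the script URL are assumed placeholders.

```javascript
// Consent-gated loading of a third-party social plug-in (added example).
// A missing, malformed or non-boolean consent record always means "do not load".
const CONSENT_KEY = 'plugin-consent';               // assumed storage key
const PLUGIN_SRC = 'https://plugin.example/sdk.js'; // placeholder third-party script URL

// Parse the stored consent record; anything that is not a JSON object counts as no consent.
function parseConsent(raw) {
  try {
    const value = JSON.parse(raw);
    return value && typeof value === 'object' ? value : null;
  } catch (e) { return null; }
}

// Pure decision: load only on an explicit boolean true for this purpose.
// A record for a different purpose, or a truthy string such as "yes", does not count.
function mayLoad(record, purpose) {
  return !!record && record[purpose] === true;
}

// Return a new record carrying the visitor's choice for one purpose (no mutation).
function recordConsent(record, purpose, granted) {
  return Object.assign({}, record || {}, { [purpose]: granted === true });
}

// Inject the script tag; this is the first point at which data leaves the browser.
function injectScript(doc, src) {
  const script = doc.createElement('script');
  script.src = src;
  script.async = true;
  doc.head.appendChild(script);
  return script;
}

// Call on page load: inject only when consent for `purpose` is already stored.
// Returns true if the script was injected, false if the page stayed silent.
function loadPluginIfConsented(storage, doc, purpose, src) {
  const record = parseConsent(storage.getItem(CONSENT_KEY));
  if (!mayLoad(record, purpose)) return false;
  injectScript(doc, src);
  return true;
}

// Click handler for the placeholder button: store consent, then load the plug-in.
function onConsentClick(storage, doc, purpose, src) {
  const current = parseConsent(storage.getItem(CONSENT_KEY));
  storage.setItem(CONSENT_KEY, JSON.stringify(recordConsent(current, purpose, true)));
  return loadPluginIfConsented(storage, doc, purpose, src);
}
```

In a page you would call `loadPluginIfConsented(localStorage, document, 'social-like', PLUGIN_SRC)` once on load and wire `onConsentClick` to the placeholder button; the same record can hold a separate entry per plug-in provider.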
As Innocent told us: “Don’t use platforms whose data processing activities are not transparent (As a joint controller you will be unable to plead ignorance of the Law and will not be able to shift blame for lack of knowledge onto the third party i.e. ignorance of the Law and/or vendor processing activities isn’t an excuse)”
Enterprise Times: What does this mean
This is more than just a simple clarification of the responsibilities of a website owner. If you are gathering data and passing it to a third party, you MUST get consent. As Innocent says, ignorance of the law and of the plug-in is no excuse.
There is also a warning here for developers. Many use plug-ins to save time when writing code. These plug-ins come from libraries or from third parties. Developers should check each plug-in to see whether it gathers data. If it does, they have to identify what data it collects and find out what happens to that data. Before using the plug-in they must make sure that the website owner is aware of what it does, including any data protection issues.
There is some good news here for Fashion ID and other website owners caught in this position. The CJEU has ruled that they are not responsible for what Facebook does with the data as a data processor.