Embedding the Facebook like button? Beware the data protection implications!
In Fashion ID v Verbraucherzentrale NRV 29/07/2019 (C-40/17) the European Court of Justice (ECJ) held that operators of websites who embed the Facebook ‘Like’ button are joint controllers with the plugin operators for data protection purposes.
The facts and legal issues were rather complex. We’ll cut through the waffle and concentrate on what is relevant to website owners like you.
By embedding the Facebook ‘Like’ button, personal data of visitors to the Fashion ID website was transmitted automatically to Facebook without the visitor being made aware of it. This also applied whether or not they were a member of Facebook or had even clicked the button!
German consumer rights group Verbraucherzentrale NRW brought an action for an injunction against Fashion ID claiming that the fashion retailer breached German privacy law by embedding the Facebook ‘Like’ button on its website and transmitting personal data to Facebook without visitor consent and in breach of duties to inform.
The ECJ held that a website operator who embeds a social plugin on a website that causes a browser to request content from the plugin provider and then transmits a visitor’s personal data to that plugin provider can be considered to be a controller.
Here’s what you should do if you’ve embedded the Facebook ‘Like’ button (or something similar from another social media platform on your website:
- Provide your website’s visitors with information at the time of the collection of the data such as its identity and the purposes of the processing.
- If you’re relying on consent as a basis for lawful processing, that consent must be obtained in respect of the operations for which it is joint controller—in this case, the collection and transmission of data to the plugin provider.
- If you’re relying on legitimate interests as a basis for lawful processing, the collection and transmission of personal data to the plugin provider must represent a legitimate interest of each of the joint controllers.
Now is a great time to update your website’s privacy and cookie policies to keep the Information Commissioner’s Office off your back and instil confidence in your website’s visitors. Please note that the contents of this article are for information only and do not constitute formal legal advice. Always obtain professional advice if you’re unsure of which steps you need to take to comply with data protection law.
Technical Terms provides commercial law advice and drafts customised commercial contracts. If you require further information on how you can enjoy less risk, more opportunities and greater control of your business, please book a no-cost, no-obligation Discovery Call with our director, Simon Ward.