An international court has held that the operators of websites that display a Facebook ‘Like’ button can be data controllers under GDPR, because they are passing data on to Facebook.
The Court of Justice of the European Union held and announced today, July 29, 2019, that “The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website.” Note: Even if you are based in the U.S., you need to read on.
The underlying case leading to this GDPR decision press release involves online German clothing retailer FashionID, who embedded on their website the Facebook ‘Like’ button, so that you could ‘like’ them on their Facebook page. Says the court, “The consequence of embedding that button appears to be that when a visitor consults the website of FashionID, that visitor’s personal data are transmitted to Facebook Ireland. It seems that that transmission occurs without that visitor being aware of it and regardless of whether or not he or she is a member of the social network Facebook or has clicked on the ‘Like’ button.”
Basically, the Court has held that, while the publisher of a website who puts a Facebook ‘Like’ button on their site cannot be held responsible for what Facebook does with the data after it has been transmitted to Facebook, the publisher can be held responsible for the data that is transmitted to Facebook as a result of a visitor visiting their site.
Says the press release, “The Court holds, second, that it appears that FashionID cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter. It seems, at the outset, impossible that FashionID determines the purposes and means of those operations. By contrast, FashionID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue, since it can be concluded (subject to the investigations that it is for the Oberlandesgericht Düsseldorf to carry out) that FashionID and Facebook Ireland determine jointly the means and purposes of those operations.”
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
In the detailed opinion on Fashion ID v. Verbraucherzentrale NRW e.V., the Court explains that “A person that has embedded a third-party plug-in in its website, which causes the collection and transmission of the user’s personal data (that third party having provided the plug-in), shall be considered to be a controller within the meaning of Article 2(d) of Directive 95/46. However, that controller’s (joint) responsibility is limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.”
Put in plain English: if a website operator (publisher / owner) puts a Facebook ‘Like’ button on their website, they become a joint controller of the visitor data that is then transmitted to Facebook. That includes data transmitted to Facebook about the visitor even when the visitor does not click the Like button, and even when the visitor does not have a Facebook account of their own!
Now, this particular ruling talks about the data being transmitted to Facebook Ireland, but there is no reason to believe that it won’t hold true for personal data transmitted to any arm of Facebook.
And even if your business and website are in the U.S., you simply can’t know whether a visitor is coming from the EU. For that matter, even if you attempt to restrict your traffic to non-EU visitors, you can’t possibly know whether you are transmitting visitor data to a non-U.S. arm of Facebook (which in the end may not make a difference, as Facebook absolutely has a presence in the EU).
This is why our parent company, the Institute for Social Internet Public Policy, has said all along that U.S. companies must comply with GDPR.
And even if a U.S.-based company or website owner doesn’t believe they need to comply with GDPR, there are already enough laws on the books in the U.S., and more coming down the pike, that they are going to have to get there anyway – or risk very hefty fines from inside the U.S.
For individuals, the ruling makes clear that the website operator must provide visitors with clear information about the data being collected ‘on behalf of’ Facebook (by virtue of the code for the Like button being embedded on the site, and transmitting data about the visitor even if they don’t click the Like button), and must get clear consent to the collection and transmission of that data.
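One way a site operator can meet that consent requirement in practice, as an added example that is not from the article or the court ruling: create nothing that points at Facebook until the visitor has opted in, and audit the page to confirm no Facebook host is referenced before then. The consent storage key and the stand-in document are assumptions constructed for this example; the SDK URL is Facebook's public one.

```javascript
// Facebook's public SDK URL; loading it renders the Like button and is the request
// that carries visitor data to Facebook before any click happens.
const FB_SDK_URL = "https://connect.facebook.net/en_US/sdk.js";
const CONSENT_KEY = "social-plugins-consent"; // hypothetical storage key for this example

// Only an explicit, recorded opt-in counts; a missing or any other value means "no".
function hasConsent(storage) {
  return storage.getItem(CONSENT_KEY) === "granted";
}
// Gate: until consent exists, no element pointing at Facebook is created at all.
function installLikeButton(doc, storage, container, pageUrl) {
  if (!hasConsent(storage)) {
    const note = doc.createElement("p");
    note.textContent = "The Facebook Like button is off until you opt in to social plugins.";
    container.appendChild(note);
    return "withheld";
  }
  const holder = doc.createElement("div"); // placeholder the SDK turns into the button
  holder.setAttribute("class", "fb-like");
  holder.setAttribute("data-href", pageUrl);
  container.appendChild(holder);
  const script = doc.createElement("script"); // this is the third-party request
  script.setAttribute("src", FB_SDK_URL);
  script.setAttribute("async", "");
  doc.head.appendChild(script);
  return "loaded";
}
// Audit: hosts of every <script src> under a node, to confirm nothing references
// Facebook before consent. Works on real DOM elements and on the stand-in below.
function scriptHosts(node, out = []) {
  const src = node.tagName === "SCRIPT" ? node.getAttribute("src") : null;
  if (src) out.push(new URL(src).host);
  for (const child of node.children) scriptHosts(child, out);
  return out;
}
// Constructed stand-ins for document and localStorage so this runs outside a browser.
function fakeDocument() {
  const el = (tag) => ({ tagName: tag.toUpperCase(), children: [], attrs: {},
    appendChild(c) { this.children.push(c); return c; },
    setAttribute(k, v) { this.attrs[k] = v; },
    getAttribute(k) { return k in this.attrs ? this.attrs[k] : null; } });
  return { head: el("head"), body: el("body"), createElement: el };
}
const fakeStorage = (values) => ({ getItem: (k) => (k in values ? values[k] : null) });
// Run the gate against one consent record and report the hosts it pulled in.
function demo(storedValues) {
  const doc = fakeDocument();
  const result = installLikeButton(doc, fakeStorage(storedValues), doc.body, "https://example.com/page");
  return { result, hosts: scriptHosts(doc.head).concat(scriptHosts(doc.body)) };
}
```

In a real page the same `installLikeButton` is called with `document`, `localStorage` and the container element, and `scriptHosts(document.documentElement)` gives the audit list.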