Use of Facebook ‘Like’ Button May Put Websites on the Hook

On July 29, 2019, a judgment was issued by the European Union’s Court of Justice that highlights the need for online businesses to be aware of how user data is shared when third party plug-ins are included on their websites. The Court of Justice’s decision has been highly anticipated as to it reflects the extent to which a party can be a “joint data controller” i.e., an entity that determines, with another, the purpose and means of personal data processing. The decision has implications for all online businesses, wherever they are located, going forward.

The case was brought by a German privacy group against online retailer, Fashion ID, which had embedded a Facebook “Like” button on its website. The embedded “Like” button captured the IP addresses and browser strings of visitors to the Fashion ID site and transferred the information to Facebook Ireland, automatically and without regard to whether the visitor clicked on the “Like” button or even had a Facebook account.

The Court of Justice concluded that Fashion ID, as the owner of the website, should be responsible, along with Facebook, as a “joint data controller” along with Facebook for the collection and transmission of data to Facebook. The Court reasoned that it was Fashion ID that made the choice to include the “plug-in” on its webpage. The Court also reasoned that, subject to further investigation by the German court, Fashion ID and Facebook jointly determined the means of data collection from Fashion ID’s website and the purposes to which the data would be put.

However, Fashion ID was not found to be a “data controller,” with responsibility for how Facebook processed the data after it was transferred to Facebook. The Court noted that it “seemed impossible” that Fashion ID could control the purposes and use of the data after it was transferred. The Court referred the matter for further proceedings to the national court in Germany.

The decision impacts websites beyond those based in Germany. Many online retailers, for example, include links to Facebook and other social media without real consideration of the potential impact in doing so. However, as data controllers, online businesses should explore the extent to which their website user data is being shared with a third party as a result of a plug-in and whether their privacy practices properly reflect that reality. Depending on the circumstances, businesses may be required to fully disclose that data is being shared with third parties and the purpose for which it is shared, and they may also be required to give their users the opportunity to “opt-in” or “opt-out” depending on which law applies. Additionally, although this decision was decided under prior law, it may have implication under the General Data Protection Regulation (GDPR) for non-EU businesses that collect and transmit EU resident data to third parties as a result of third-party plug-ins.

Regardless of what law applies, given the explosion of privacy laws that are enacted every day, the decision reminds businesses that they must be constantly vigilant regarding the user data that they process and the rights of their users to consent or decline this processing.

The Court of Justice’s Press Release can be found here.