Does your business have a Facebook “Like” button embedded on its website? If so, it is now considered liable for the data Facebook collects and processes even if users don’t click it, under a shock ruling by Europe’s top court today that could have “serious implications” for businesses and seriously dampen the use of such buttons.
The opinion by the Court of Justice of the European Union (ECJ) came after a German consumer group sued online fashion retailer Fashion ID for breaching personal data protection rules by using the button on its homepage: a German court sought guidance and the ECJ now says it shared joint responsibility with Facebook.
” The reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a button on its website is in order to benefit from that commercial advantage. Thus, those processing operations appear to be performed in the economic interests both of Fashion ID and of Facebook Ireland,” the ECJ determined.
Data about website visitors is sent to Facebook “without that visitor being aware of it and regardless of whether or not he or she is a member of the social network Facebook or has clicked on the ‘Like’ button”, the ECJ noted sharply.
“Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue”, the judges said.
Facebook Like Button Makes Websites Jointly Responsible for Data Processing…
The decision comes days after Facebook was fined a record $5 billion by the US Federal Trade Commission (FTC) for misleading users about what it does with their data: despite the hefty fine, the agreement does not limit how Facebook collects, uses, and shares users’ personal information and is expected to have minimal impact on its ad business.
Tanguy Van Overstraeten, Global Head of Data Protection at Linklaters, said: “Today’s judgment confirms the broad approach adopted by the CJEU last year (Jehovah Witness and Facebook fan page cases), while going further and broadening even more the concept of joint controllership: the fact that a website provider enables Facebook to collect information coupled with the economic interests of both parties suffice.
“This is a very broad interpretation which is likely to seriously impact a large number of website operators and potentially also have implications for business models on the Internet. This impact is all the more important as the level of awareness and understanding of these rules are likely to considerably vary among operators.”
The opinion is likely to leave businesses seriously considering the potential risk of having a Facebook like button embedded: it’s certainly likely to lead to more pop-ups: the ECJ said that website owners need to furnish users of the like button with “their [the website owner’s] “identity and the purposes of the processing”.