Charlotte Burroughs, a solicitor in our Commercial & Technology/IP team, reviews the EU decision making website owners and Facebook jointly responsible for collecting user data via ‘Like’ button plugins.
The rise of social media has seen a huge growth in the use of website ‘plugins’ (such as Facebook’s ‘Like’ button) to help promote goods and services.
At the same time, the authorities have recognised the privacy issues raised by plugins and seem determined to tighten up the way data protection laws are applied to the relationships between social media platforms and website operators using their plugins.
On 29 July 2019, the Court of Justice of the European Union (CJEU) released its judgment in relation to the German case Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV.
Fashion ID is a German online clothing retailer which had embedded the Facebook ‘Like’ button on its website. The ‘Like’ button enables businesses that use it on their website to share personal data of their website visitors with Facebook without these users being aware of it – regardless of whether the visitors clicking on the ‘Like’ button have a Facebook account. A German consumer association filed an injunction before the regional court of Dusseldorf which was then dealt with by the Higher Regional Court of Dusseldorf before the CJEU.
The key points from the CJEU decision are as follows:
- Both Fashion ID and Facebook were joint controllers of the personal data of the website’s visitors which is shared between them.
- Website owners are jointly liable with the social media companies providing them with plugins to collect personal data.
- It is the responsibility of a website operator (such as Fashion ID) to obtain its visitors’ consent to process their personal data and share it with Facebook.
- Fashion ID was not responsible for what happened to the data after it had been passed to Facebook.
Although the CJEU ruling is based on the provisions of the former Data Protection Directive, the issues raised still apply in the context of the GDPR, which came into effect in May 2018, imposing tighter privacy rules and higher fines for non-compliance.
In light of the decision, website operators using social media plugins should review their data protection compliance and make any necessary changes. We recommend the following actions:
- Check that personal data shared as a result of using social media plugins is covered by a data sharing agreement (as required by Article 26 of the GDPR). This needs to set out clearly the parties’ respective responsibilities and liabilities.
- Check the website privacy policy (the document which explains how visitors’ personal data is processed): does it properly explain what personal data is collected, why, and who it is shared with, in particular where it is collected and shared as a result of using social media plugins?