The Court of Justice of the European Union (CJEU) ruled on that websites that use Facebook’s ‘Like’ button can be held liable for data collection.
CJEU has analysed the case of Fashion ID, an online clothing retailer, which embedded on its website the ‘Like’ social plugin from the social network Facebook which allowed the personal data of visitors to that website to be transferred to the provider of that plugin without their knowledge.
The essential finding based on CJEU decision are the following:
– the operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website and shall share responsibility for the data collection;
– each of the joint controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them;
– the operator of the website, which embeds on its website the ‘Like’ social plugin from the social network Facebook, has a duty to inform at the time of data collection about such data processing to the visitors of its website;
– the consent by the visitor must be given prior the collection and disclosure by transmission of the data subject’s data. It is for the operator of the website rather that for the provider of the social plugin to obtain the consent as relates only to the operations involving processing of personal data in the respect of which the operators actually determine the purposes and means.
For the website operators equipped with the Facebook ‘Like’ button the latest ruling of the CJEU may result in the obligation to comply with the obligations provided for in Directive 95/46, which are generally in line with obligations imposed by the provisions of the GDPR.
In accordance with the judgment of the CJEU, ECOVIS ProventusLaw suggests website operators who integrate a Facebook ‘Like’ Button or similar plugins of social network on their websites to:
1. identify and assess their use of third-party plugins in websites and apps;
2. review their notice and consent strategy for data collected through plugins;
3. ensure that there is a legal basis to collect and transfer personal data to Facebook Ireland;
4. fulfill the information obligation for persons visiting such a website.
The Judgment of the CJEU in Case C-40/17 is available at http://curia.europa.eu/juris/liste.jsf?num=C-40/17.
If you need more information or help with adopting a different approach for ‘Like’ buttons in order to comply with data protection rules, please do not hesitate to contact us.