Website plug-ins such as Facebook’s “Like” button are becoming increasingly common on websites to promote websites’ products and services on social media platforms. However, a recent ruling by the European Union Court of Justice sheds light on the privacy risks of using a social media plug-in and should instill caution in website operators that use these kinds of plug-ins. In Fashion ID GmbH & Co. KG v. Verbraucherzentrale NRW eV (Case C-40/17), the EU Court ruled that embedding a social media plug-in such as a Facebook “Like” button on a website makes the website operator jointly responsible with Facebook for the collection and transmission to Facebook of the personal data of visitors to its website. Joint liability with Facebook could have serious consequences for website operators.
In Fashion ID GmbH, a German online clothing retailer called Fashion ID utilized Facebook’s “Like” button plug-in on its website. Embedding the Facebook plug-in on Fashion ID’s website caused the data of the website’s visitors to be transferred back to Facebook, and visitors were not made aware of this transfer. Moreover, visitors’ data were transferred to Facebook even if the visitors had not clicked the “Like” button or did not have a Facebook account. Website operators should be aware that embedding a Facebook plug-in transfers visitors’ data to Facebook regardless of whether the visitor actually uses the plug-in.
According to the judgment published by the Court, Fashion ID and other websites like it are not responsible for what happens to the data of their visitors after the data are transferred to Facebook, but they are responsible for "operations involving the collection and disclosure by transmission to Facebook." This decision has significant implications for operators of EU-facing websites, who now must take care to ensure that such collection and transfer of data to Facebook and other social media platforms is fully compliant with GDPR.
If you have any questions or requests for further information, please contact Greg Leighton and Bari Nathan of NGE's Data Privacy team.