The operator of a website that contains a “Like” button for Facebook can be mutually responsible with Facebook for collecting and transmitting the personal data of its website visitors. This was ruled by the Court of Justice of the European Union (ECJ) on 29 July 2019 (Ref.: C-40/17).
When so-called social sharing plugins are used, cookies are downloaded to the website visitor’s computer. Then, the browser automatically establishes a connection with the Facebook servers and also transmits personal data to them.
This affects all website visitors, even those without a Facebook account. Facebook uses the data transmitted in this way to create user profiles for the purpose of displaying personalized advertisements.
In addition, by using a “Like” button on the website, a so-called iFrame is integrated. Because of this foreign content in the source code of the actual website, Facebook is able to determine the referrer URL when the page is opened. Furthermore, a cookie that may have been set earlier is also transferred to the Facebook server. If users surf the net and are logged on to Facebook during this time, they can be assigned to the session ID, and their online activity can be tracked.
In the current case, the ECJ argues that it can be assumed that the two defendants – Fashion ID (online shop of Peek & Cloppenburg KG) and Facebook Ireland – jointly decide on the purposes and means of transferring the data. The integration of Facebook’s “Like” button through Fashion ID in the online shop enables the latter to optimise advertising for their products by making them more visible on the social network Facebook when a visitor to their website clicks on the button.
In order to gain this economic advantage, Fashion ID appears to have consented, at least tacitly, to the collection of personal data from visitors to its website as well as the disclosure of this data through transmission. As a (co-)responsible party, the operator must make certain information, such as his/her identity and the purposes of processing, available to website visitors when their data is collected.
However, Facebook alone is responsible for the subsequent processing of the data by Facebook. According to the ECJ, at first glance it seems impossible for Fashion ID to decide on the purposes and means of these processes. The ECJ then clarified what this means for the two relevant cases of “consent” and “legitimate interest” to be distinguished:
- In the case in which the data subject has given consent, the ECJ has decided that the operator of a website such as Fashion ID must obtain this consent beforehand (only) for the processes for which the operator is (co-)responsible, i.e. for the collection and transmission of the data.
- In cases where data processing is necessary for a legitimate interest, the ECJ states that each of the parties (co-)responsible for the processing, i.e. the website operator and the social media platform operator, must have a legitimate interest in the collection and transmission of the personal data so that these operations are justified for both parties.
It is important to note that the ECJ has not fundamentally excluded the solution of a legitimate interest. However, this will be very difficult to justify in the context of the necessary balance of interests. In the present case, the Düsseldorf Higher Regional Court, which had submitted the proposal to the ECJ, now has to clarify this proposal on the basis of its own legal opinion.
Practical consequences of the ruling
The consequence of the ECJ ruling will be that website operators must inform or (if necessary) obtain consent from the website visitor before data can be collected and transmitted via social plugins such as the “Like” button on their site. Typically, this will mean having to obtain consent directly the first time the website is accessed. Due to the legitimate interest of both responsible parties, which is presumably very difficult to justify, the general rule will probably be the consent solution.
Therefore, in addition to the waiver of social plugins, the following solutions are available for website operators:
- Obtaining informed consent when a website is accessed via a so-called consent banner. If this consent is not granted, it will not be possible to use the website, or an alternative page must be loaded that does not include social plugins.
- The implementation of a so-called “2-click solution”. In this case, the user must first activate the social button by clicking on a function button for the first time. The user is then informed in accordance with the requirements for the necessary consent.
- The Shariff solution. This includes a server-side script that interacts with the social network. As long as the user does not actively click on the plugin link or button, no data is collected and transmitted in this direction.
We recommend the last option, as it is the best and easiest to implement. The Shariff solution enables website users to share their favourite content without compromising their privacy. By implementing the Shariff solution, website operators can continue to integrate social sharing buttons without restricting the usability of their websites. However, the platforms only receive personal data for processing if the user proactively decides to do so. Since only an informed decision can be made voluntarily, the motto in this case is also: The more transparent the processing of personal data is for the visitor, the more compliant the controller is in terms of data protection.