Kemp Little

Data protection & privacy · 2 August 2019 · Alex Dittel

What’s not to like about the Facebook “Like” button?


Do you have the Facebook “Like” button on your website? If so, you need to be aware of your data protection obligations as a controller of the data it collects. The Court of Justice of the European Union (CJEU) has recently held (Fashion ID, Case C-40/17, judgment of 29 July 2019) that a website operator which embeds the Facebook “Like” button can be a joint controller, and therefore jointly liable, for the collection of visitors’ personal data through the button and its transmission to Facebook. By embedding the plugin, the website operator exerts “decisive influence” over that processing. The judgment follows the similar position taken by the Advocate General in his opinion of last year.

How does the “Like” button work?

The Facebook “Like” button is deployed either as an iframe or via Facebook’s JavaScript SDK. When a website visitor clicks the button, data is transmitted to Facebook. However, data collection is not limited to visitors who interact with the button. The iframe is a document served from facebook.com, so the visitor’s browser fetches it from Facebook as soon as the page loads, and that request carries the visitor’s IP address, the address of the page being viewed (in the Referer header and, typically, in the plugin URL’s href parameter) and any Facebook cookies already held by the browser; Facebook can also set a cookie in its response. Security researchers flagged some time ago that this lets Facebook place a cookie on the machine of any visitor to a page hosting the “Like” button, whether or not the visitor clicks it and whether or not they have a Facebook account. From a technical perspective, encountering the “Like” button anywhere on the web has much the same effect as visiting the Facebook website: once the cookie is set, Facebook can correlate the visitor’s browsing across every site that embeds the button. The JavaScript variant works the same way: the page loads a script file from Facebook, which then builds the button (itself an iframe) and instructs the browser to send Facebook the IP address, the page visited and, if the visitor is logged in to Facebook, the cookie that identifies their Facebook account. Facebook uses the data in connection with targeted advertising. Some browsers already block third-party cookies (Safari) or known trackers (Firefox) by default, which limits this cross-site linking but does not stop the initial request, with IP address and page URL, from being sent. In the CJEU case the applicant, a German consumer protection organisation, quite rightly complained that this data is collected without the user’s knowledge or consent, in breach of data protection law.

Facebook and website operator held to be joint controllers

The CJEU held that the website operator is a joint controller in relation to the initial collection and transmission of data, but not in relation to any subsequent processing by Facebook which is outside the website operator’s control and happens without its knowledge. Joint controllers are expected to share a common purpose of processing. The CJEU held that the website operator embedded the Facebook “Like” button to “benefit from the commercial advantage consisting in increased publicity for its goods”, whereas Facebook also gained from the collection of data for its own commercial purposes. Based on this, the CJEU confirmed that the “processing operations are performed in the economic interests of both” parties. The CJEU followed the Advocate General’s opinion that there was “unity of purpose: there is a commercial and advertising purpose” in relation to which the parties were held to co-decide. Accordingly, the website operator was held to co-determine the purposes and means of processing with Facebook at the stage of the collection and transmission of the personal data. As a joint controller, the website operator will be jointly liable for the data processing that occurs during that stage, even if it does not necessarily have access to all of the personal data.

The judgment represents a fairly broad interpretation of the concept of “joint controller”, one that most commercial data pooling arrangements have not so far applied to themselves. That is likely to change, because the CJEU was content to find that the processing was carried out in the economic interest of both parties under a shared commercial and advertising purpose, even though it could be argued that the parties in fact pursued different purposes. Accordingly, many parties that consider themselves “controllers in common” (i.e. independent controllers pursuing different purposes in relation to the same pool of data) may now find themselves in the position of joint controllers (i.e. controllers who jointly determine the purposes in relation to the same pool of data).

What are the website operator’s data protection obligations?

As a controller, the website operator using the “Like” button has to comply with the data protection principles with respect to that processing, including, among others, the obligation to inform users of the processing, to establish a legal basis for it (such as consent or legitimate interest), data minimisation, limited retention, security, and so on. In light of the CJEU’s decision, the website operator should carefully assess whether and how it can meet these requirements by carrying out a data protection impact assessment (DPIA). If the processing carried out by Facebook is considered too intrusive, the website operator should consider technical measures to limit the data Facebook collects, for example loading the button only after the visitor has actively chosen to use it, so that a mere page view sends nothing to Facebook. Failing to do so could lead to unexpected consumer claims for compensation or regulatory action against the website operator in relation to the jointly controlled processing.

If the button is deployed, the website operator must provide sufficient information in its privacy notice about its own data processing as well as about the data that will be collected and transmitted to Facebook. This should cover the identity of the joint controllers, a description of how the button operates, what data is collected (at a minimum the visitor’s IP address, the page visited and any Facebook cookies), all aspects of the data processing by the joint controllers and any data transfers. It should also make clear at which point the joint controllership ceases and, where possible, which controller is responsible for each compliance obligation. A separate section about the “Like” button in the privacy notice would be helpful. The CJEU held that the transparency obligation is even greater in relation to unsuspecting users who do not have a Facebook account.

Interestingly, the CJEU held that each joint controller needs its own legal basis under data protection law for the collection and transmission of the data, and that legitimate interest could in principle be relied on, provided each of them pursues a legitimate interest. Where consent is required, however, it is the website operator that must obtain it, because it is the operator’s page that triggers the collection, and the consent must be obtained before the data are collected. For the cookies the button sets, the ePrivacy rules apply: following the ICO’s latest guidance on cookies, GDPR-standard consent is required for all cookies that are not strictly necessary, including third-party cookies such as those set by Facebook, and the “Like” button’s cookies do not qualify as strictly necessary.
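
One way to act on the two points above (nothing is sent to Facebook on a page view, and the plugin is loaded only once consent has been given) is the “two-click” pattern: serve a first-party placeholder and swap in the real plugin only after the visitor has actively opted in. The following is an added example in JavaScript, not Kemp Little’s or Facebook’s code. The like.php URL and its parameters are an assumption modelled on Facebook’s published iframe embed and should be checked against the current Facebook developer documentation; the consent object is a stand-in for whatever your consent-management tool exposes. The thirdPartyOrigins check lets you confirm which origins a given piece of markup would cause the browser to contact.

```javascript
// Consent-gated ("two-click") Facebook Like button.
// Added example, not Kemp Little's or Facebook's code. The like.php URL and
// its parameters are an assumption modelled on Facebook's published iframe
// embed; confirm them against the current Facebook developer documentation.

const FACEBOOK_PLUGIN_ORIGIN = 'https://www.facebook.com';

function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The plugin itself. The moment this markup reaches the browser, the browser
// fetches a document from facebook.com, sending the visitor's IP address, the
// page URL (in the href parameter and the Referer) and any Facebook cookies it
// already holds; Facebook may set a cookie in the response.
function facebookLikeIframe(pageUrl) {
  const params = new URLSearchParams({
    href: pageUrl, layout: 'button_count', action: 'like', size: 'small', share: 'false',
  });
  const src = `${FACEBOOK_PLUGIN_ORIGIN}/plugins/like.php?${params}`;
  // referrerpolicy trims the Referer to the origin (the full page URL still
  // travels in href); allow="" delegates no browser features (camera,
  // microphone, ...) to the frame. A sandbox attribute would have to grant
  // allow-scripts and allow-same-origin for the plugin to work, which removes
  // most of its benefit, so it is not used here.
  return `<iframe src="${escapeAttr(src)}" width="150" height="30" ` +
    `style="border:none;overflow:hidden" referrerpolicy="strict-origin" ` +
    `allow="" title="Facebook Like"></iframe>`;
}

// Placeholder served before consent: a first-party button that references no
// third-party resource, so nothing is sent to Facebook on page load.
function placeholderButton(pageUrl) {
  return `<button type="button" class="fb-like-placeholder" ` +
    `data-href="${escapeAttr(pageUrl)}">Like on Facebook ` +
    `(loads content from facebook.com and may set Facebook cookies)</button>`;
}

// The gate: the real plugin is rendered only once consent has been recorded.
// `consent` stands in for whatever your consent-management tool exposes.
function renderLikeButton(pageUrl, consent) {
  return consent && consent.facebookPlugins === true
    ? facebookLikeIframe(pageUrl)
    : placeholderButton(pageUrl);
}

// Check: which third-party origins would the browser contact for this markup?
// Only src/href attributes count; data-href on the placeholder is inert.
function thirdPartyOrigins(html, siteOrigin) {
  const origins = new Set();
  for (const m of html.matchAll(/\s(?:src|href)=["']([^"']+)["']/g)) {
    try {
      const u = new URL(m[1].replace(/&amp;/g, '&'), siteOrigin);
      if (u.origin !== siteOrigin) origins.add(u.origin);
    } catch (e) { /* not a URL */ }
  }
  return [...origins];
}

// Browser wiring (not exercised under Node): swap the placeholder for the real
// iframe on click and record the choice through the consent tool.
function mountLikeButton(container, pageUrl, consentStore) {
  container.innerHTML = renderLikeButton(pageUrl, consentStore.get());
  container.addEventListener('click', (ev) => {
    if (!ev.target.classList.contains('fb-like-placeholder')) return;
    consentStore.set({ facebookPlugins: true });
    container.innerHTML = renderLikeButton(pageUrl, consentStore.get());
  });
}
```

Note that the placeholder is plain first-party HTML, so until the visitor clicks it the page contains no reference to a Facebook origin at all; only after the click does the markup carry the like.php URL, and with it the page address in the href parameter. The referrerpolicy and allow attributes reduce what the frame receives and can do, but they cannot stop the plugin from setting or reading Facebook cookies, which is why the gate, not the attributes, is the privacy control.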

Security of processing is another essential requirement: joint controllers must implement appropriate technical and organisational measures to protect personal data. The “Like” button has a history of abuse in “likejacking”, a form of clickjacking in which a malicious page loads the button in an invisible iframe positioned over a decoy element, so that a click the user intends for something else registers as a “like”; the resulting “like” then promotes the attacker’s page to the victim’s contacts, where it is used to harvest login credentials, spread malware or trick users into turning on their web-cam or microphone. The plugin frame itself is served by Facebook, so the embedding operator cannot harden it directly; what the operator can do is delegate no browser features to the plugin frame and prevent its own pages from being framed by others (for example with a Content-Security-Policy frame-ancestors directive). The joint controllers will have to consider and address these common risks.

Next steps

The call to action for website operators from this case is that they should understand what data is being collected on their websites, whether by themselves or by third parties. To this end, an audit should be carried out of the data collection and tracking that takes place on the website, covering not only the Facebook “Like” button but every script, iframe and tracking pixel loaded from a third-party domain. This will in turn inform the update of the privacy notice. A detailed assessment of the processing activities should also be conducted, looking at the activities carried out by both the website operator and any social media organisation offering a plug-in, in particular breaking the activities down and assigning responsibility for each.
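
A first pass at such an audit can be done statically over a page’s HTML, listing every resource the browser would fetch from another origin on page load and naming the ones a privacy notice must describe. The following is an added example in JavaScript, not from the original article: the sample page is constructed for the demonstration, and the vendor table and endpoint classification are indicative rather than exhaustive. Its limitation is deliberate: it only sees what is in the HTML, so resources injected at runtime by Facebook’s SDK or by other scripts need a browser-side capture (for example a HAR export from the developer tools, or a crawl with a headless browser) to be caught.

```javascript
// Static audit of third-party resource loads in a page's HTML.
// Added example, not from the original article. SAMPLE_PAGE is constructed
// for the demo; KNOWN_VENDORS and classify() are indicative, not exhaustive.

const KNOWN_VENDORS = [
  { pattern: /(^|\.)facebook\.com$/i, vendor: 'Facebook' },
  { pattern: /(^|\.)facebook\.net$/i, vendor: 'Facebook' },
  { pattern: /(^|\.)googleapis\.com$/i, vendor: 'Google' },
];

// Tags whose URL the browser fetches automatically on page load, and the
// attribute carrying it. <a href> is deliberately absent: a link only sends
// data when the visitor follows it.
const AUTO_LOAD = { script: 'src', iframe: 'src', img: 'src', link: 'href' };

function vendorFor(hostname) {
  const hit = KNOWN_VENDORS.find((v) => v.pattern.test(hostname));
  return hit ? hit.vendor : 'unknown';
}

// Name the Facebook endpoints a privacy notice should describe (indicative).
function classify(url) {
  const h = url.hostname, p = url.pathname;
  if (h === 'www.facebook.com' && p === '/plugins/like.php') return 'Facebook Like button (iframe)';
  if (h === 'connect.facebook.net' && p.endsWith('/sdk.js')) return 'Facebook JavaScript SDK';
  if (h === 'www.facebook.com' && p === '/tr') return 'Facebook Pixel';
  return 'unclassified';
}

// Scan the HTML for auto-loading tags and report every cross-origin URL.
function auditEmbeds(html, siteOrigin) {
  const findings = [];
  for (const m of html.matchAll(/<(script|iframe|img|link)\b([^>]*)>/gi)) {
    const tag = m[1].toLowerCase();
    const attr = m[2].match(new RegExp(`\\s${AUTO_LOAD[tag]}\\s*=\\s*["']([^"']+)["']`, 'i'));
    if (!attr) continue; // inline <script>, <link> without href, etc.
    let url;
    try { url = new URL(attr[1].replace(/&amp;/g, '&'), siteOrigin); } catch (e) { continue; }
    if (url.origin === siteOrigin) continue; // first-party resource
    findings.push({ tag, url: url.href, origin: url.origin,
                    vendor: vendorFor(url.hostname), what: classify(url) });
  }
  return findings;
}

function summarizeByVendor(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.vendor]: (acc[f.vendor] || 0) + 1 }), {});
}

// Constructed sample page: one first-party script, Google-hosted fonts,
// Facebook's SDK, the Like iframe, a Pixel fallback image and a plain link.
const SAMPLE_PAGE = `<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
<script src="/static/app.js"></script>
</head><body>
<article><h1>Post</h1></article>
<script async defer src="https://connect.facebook.net/en_GB/sdk.js"></script>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.com%2Fpost&amp;layout=button_count" width="150" height="30"></iframe>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=EXAMPLE&amp;ev=PageView&amp;noscript=1"></noscript>
<a href="https://twitter.com/example">Follow us</a>
<script>window.dataLayer = [];</script>
</body></html>`;

function runAudit() {
  const findings = auditEmbeds(SAMPLE_PAGE, 'https://example.com');
  for (const f of findings) console.log(`${f.tag.padEnd(6)} ${f.vendor.padEnd(8)} ${f.what}: ${f.url}`);
  return { findings, byVendor: summarizeByVendor(findings) };
}
```

Run against the constructed page the audit reports four cross-origin loads, three of them to Facebook (the SDK, the Like iframe and the Pixel image), while the first-party script and the Twitter link are correctly left out. Each line of the output maps directly onto something the privacy notice has to say: who receives the data, by which mechanism, and on what trigger (page load rather than a click).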

Website operators currently using the Facebook “Like” button should expect certain changes in the near future from Facebook, who have said that they welcome the CJEU’s decision and “are carefully reviewing the court’s decision and will work closely with [their] partners to ensure they can continue to benefit from [Facebook’s] social plugins and other business tools in full compliance with the law”.


Alex Dittel is a data protection & privacy senior associate at Kemp Little.
