Do you operate a website that uses a social plugin such as Facebook “Like” button?

By Nicolas Roland on in Privacy

shutterstock_212430586 (3)

If so, you should, at least, review your privacy notice to ensure that it remains accurate and up to date. Also, you must enter into appropriate arrangements with the provider of that plugin.

Why?

In its decision of 29 July 2019 (Fashion ID, C-40/17), the European Court of Justice (ECJ) found that someone who embeds on his/her website a social plugin causing the browser of a visitor to transmit personal data to the provider of that plugin (such as the IP address of that visitor’s computer) is actually involved in the collection and disclosure by transmission of these personal data, despite that operator being unable to influence the processing of the data transmitted to that provider as a result. The website operator must therefore provide certain information to his/her visitors such as, for example, the purposes of the processing, when these data are collected.

Furthermore, the Court is of the opinion that, by embedding a social plugin on that website, the website operator and the provider of that plugin jointly determine the means and purposes of the processing of these personal data. As a result thereof, they must determine in a transparent manner their respective responsibilities for compliance through an arrangement, pursuant to Article 26 of the General Data Protection Regulation (GDPR). The essence of this arrangement must then be made available to the visitors to the website.

In the current case, it appears that Fashion ID’s embedding of the Facebook ‘Like’ button on its website allows it to optimise the publicity of its goods by making them more visible on the social network Facebook when a visitor to its website clicks on that button. The reason why Fashion ID, an online clothing retailer, seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a plugin on that website is in order to benefit from the commercial advantage consisting in increased publicity for its goods; those processing operations are performed in the economic interests of both Fashion ID and Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes is the consideration for the benefit to Fashion ID.

Lastly, it is still unclear whether the provider of a social plugin has to obtain prior consent for the collection and transmission of data of a visitor to that website as required under the ePrivacy Directive for cookies and similar technologies. It is for the referring court to investigate further on this issue (§§ 90 and 91).

The ECJ decision can be found on https://curia.europa.eu