The ubiquitous Facebook Like button you encounter on almost every website is not as innocent as it appears to be. It has far-reaching privacy effects that are not immediately visible to your site’s visitors. With the latest ruling by the European Court of Justice, business websites should be extra careful.
The European Court of Justice (ECJ) Ruling on the Facebook Like Button: It is all about accountability.
An ECJ ruling on July 29, 2019, based on the GDPR (General Data Protection Regulation), states that website operators should obtain users’ consent before they transmit any data through the Facebook Like Button. The case in question involved the German retailer Fashion ID, whose e-commerce website displayed the Facebook Like Button on its web pages. The button was used to collect the site visitors’ personal data and transmit it to Facebook’s European headquarters in Ireland.
Surprisingly, the tracked data also covered non-Facebook members, and it was transmitted even if the visitors never clicked the button. The court ruled that both the Fashion ID website and Facebook are responsible, and each is now considered a controller. This ruling is alarming for any entity that operates websites for business purposes, especially B2C organizations. “Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue…” the judges said.
Data-hungry Script
With nearly 2.41 billion users on Facebook, the Like Button seems to be the ideal option for sharing web content and driving engagement on social media. However, it is much more than just a button. It is JavaScript code that is loaded into the visitor’s browser on the client side and enables websites to track and share their visitors’ data. The JavaScript snippet collects whatever personal information is available from the visitor and sends it to Facebook. The Facebook Pixel works the same way: it, too, is code inserted into web pages. In both cases, websites are obliged to exercise due diligence and handle the user’s private information in accordance with the European privacy regulations.
Not that Innocent: An Unsafe World
The Facebook Like Button can do much more than just sharing. Once the user lands on the website, irrespective of whether he/she hits the Facebook Like Button or not, it starts tracking the user’s data and sends it to Facebook. The data it aggregates includes the user’s IP address, location data, browser information, screen resolution, etc. As we noted, the absurd part is that the data is transmitted even if the user is not a Facebook member. And if the user is an active member, the consequences can reach much further: every item within the user’s social media profile is at risk of being exposed publicly. The accountability is not only on Facebook’s end; it is also on the business organization’s end, the one that runs the website.
Organizational Responsibilities
The ECJ ruling has changed everything, and the GDPR has thus become a more significant challenge for websites. So, what should we expect next?
Websites that use such social media plugins and widgets must seek explicit user permission before transmitting data to the social platform, irrespective of whether users click the button or not.
Businesses and/or enterprises that operate websites have to prove they have a legitimate reason for collecting and transmitting the data.
Websites are expected to notify their visitors of what these remote or third-party tools can do. As an example, Facebook might use the tracked data for marketing and research purposes without the user’s consent; that consent should be obtained on the website the user visits.
The toughest part of the ruling is that it cannot be appealed against anywhere. The decision is binding on everyone.
Remember, what you see is not what you get. A button is not only a button, and an image is not only an image. It is code running in the user’s browser that tracks data.
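One way a website can honour the consent requirement described above is to keep the vendor script off the page until the visitor has explicitly opted in, and to render an inert placeholder otherwise. The following is an added example, not code from the original post or from Facebook; the consent record shape, the policy version, the 180-day re-consent window and the script URLs are assumptions for illustration.

```javascript
// Added example (not from the original post or from Facebook).
// Consent record kept by the site (assumed shape): which purposes the visitor
// opted in to, and the privacy-policy version that consent was given for.
const POLICY_VERSION = 2;                              // bump when the policy text changes
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;  // assumed: re-ask after 180 days

// Assumed third-party widgets; the script URLs are placeholders for the vendor SDKs.
const WIDGETS = {
  facebookLike:  { src: 'https://connect.facebook.net/en_US/sdk.js',      purpose: 'social' },
  facebookPixel: { src: 'https://connect.facebook.net/en_US/fbevents.js', purpose: 'marketing' },
};

// Decide whether a widget may be loaded. Returns 'load' only for a current,
// unexpired, explicit opt-in to that widget's purpose; anything else (no record,
// stale policy version, expired record, opted out) yields 'placeholder'.
function decideWidget(name, consent, now = Date.now()) {
  const widget = WIDGETS[name];
  if (!widget) throw new Error(`unknown widget: ${name}`);
  if (!consent || consent.policyVersion !== POLICY_VERSION) return 'placeholder';
  if (now - consent.grantedAt > CONSENT_MAX_AGE_MS) return 'placeholder';
  return consent.purposes[widget.purpose] === true ? 'load' : 'placeholder';
}

// Build a consent record from the visitor's explicit choices. Unchecked boxes
// count as refusal; nothing is inferred from silence or from a page visit alone.
function recordConsent(choices, now = Date.now()) {
  return {
    policyVersion: POLICY_VERSION,
    grantedAt: now,
    purposes: { social: choices.social === true, marketing: choices.marketing === true },
  };
}

// Apply the decision in the browser: inject the vendor script only on 'load';
// otherwise fill the widget's slot with an inert placeholder. Without a DOM
// (e.g. when run under Node) the function just returns the decision.
function applyDecision(name, decision, doc = globalThis.document) {
  if (!doc) return decision;
  const slot = doc.querySelector(`[data-widget="${name}"]`);
  if (!slot) return decision;
  if (decision === 'load') {
    const s = doc.createElement('script');
    s.src = WIDGETS[name].src;
    s.async = true;
    doc.head.appendChild(s);            // data flows to the vendor only from here on
  } else {
    slot.textContent = 'Social button disabled until you allow social media plugins.';
  }
  return decision;
}
```

The placeholder slot is a plain element such as `<div data-widget="facebookLike"></div>`; the vendor script, and therefore the transmission of visitor data, only starts once `decideWidget` returns `'load'`.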
Be Safe, Be Secure
Already in the dock with a deluge of GDPR-related cases, Facebook has been reported to have welcomed the decision and stated that it would do everything to comply with the ECJ ruling.
As per the verdict, no website shall hereafter collect or transmit personal data without the permission of the customer.
Websites are also expected to verify that the Facebook Like Button, similar widgets such as the Facebook Pixel, and even other social media icons such as those of Twitter, Instagram or LinkedIn are explicitly described, including their technical behaviour, in the privacy policy of the web pages they appear on, as directed by the GDPR.