The Facebook Like Button Is Not as Innocent as It Seems.
The ubiquitous Facebook Like button you encounter on almost every website is not as innocent as it appears to be. It has far-reaching privacy effects that are not immediately visible to your site’s visitors. With the latest ruling by the European Court of Justice, business websites should be extra careful.
The European Court of Justice (ECJ) Ruling on the Facebook Like Button: It is all about accountability.
An ECJ ruling on July 29, 2019, based on the GDPR (General Data Protection Regulation), states that website operators should obtain users’ consent before they transmit any data through the Facebook Like Button. The case in question involved the German retailer Fashion ID, whose e-commerce website displayed the Facebook Like Button on its web pages. The button was used to collect site visitors’ personal data and transmit it to Facebook’s European headquarters in Ireland.
Surprisingly, the tracked data also covered non-Facebook members, and it was transmitted even if the visitors never clicked the button. The court ruled that both the Fashion ID website and Facebook are responsible, and each is now considered a controller. This ruling is alarming for any entity that operates websites for business purposes, especially B2C organizations. “Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue…” the judges said.
Not that Innocent: An Unsafe World
The Facebook Like Button can do much more than just share content. Once a user lands on the website, whether or not they click the Like Button, it starts tracking the user’s data and sends it to Facebook. The data it aggregates includes the user’s IP address, location data, browser information, screen resolution, etc. As we noted, the absurd thing is that the data is transmitted even if the user is not a Facebook member. And if the user is an active member, the consequences can be far-reaching: every item in the user’s social media profile risks being exposed publicly. The accountability is not only on Facebook’s end; it is also on the business organization that runs the website.
The ECJ ruling has changed everything, and the GDPR has thus become a more significant challenge to websites. So, what should we expect next?
Websites that use such social media plugins and widgets must seek explicit user permission before transmitting data to the social platform, irrespective of whether users click the button.
Businesses and/or enterprises that operate websites have to prove they have a legitimate reason for collecting and transmitting the data.
Websites are expected to notify their visitors of what these remote or third-party tools can do. For example, Facebook might use the tracked data for marketing and research purposes without the user’s consent, which should be obtained on the website they visit.
The toughest part of the ruling is that it cannot be appealed anywhere; the decision is binding on everyone.
Remember, what you see is not what you get. A button is not only a button, and an image is not only an image. It is code running in the user’s browser that tracks data.
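One way a site can satisfy the consent-before-transmission requirement described above is a two-step widget: a purely local placeholder is rendered first, and the third party's script is only injected into the page after the visitor explicitly opts in, so no request (and therefore no IP address, browser or screen data) reaches the third-party domain on page load. The following is an added example written for this article, not Facebook's or any vendor's code; the storage key and the SDK URL are assumed placeholders, and the `storage` and `doc` parameters are injected so the logic can be exercised outside a browser.

```javascript
// Consent-gated loading of a third-party social plugin (added example, not from the article).
// Before consent, only a static placeholder exists; nothing is fetched from the third party.
const CONSENT_KEY = 'social-plugin-consent'; // assumed storage key, not a real vendor setting

// True only if the site has recorded an explicit opt-in. Any storage error counts as "no consent".
function hasConsent(storage) {
  try {
    return storage.getItem(CONSENT_KEY) === 'granted';
  } catch (e) {
    return false;
  }
}

// Pure decision: which widget state to render for a given consent state.
function widgetState(consentGranted) {
  return consentGranted ? 'remote-plugin' : 'local-placeholder';
}

// Injects the remote SDK script exactly once. Returns true if a script tag was added.
function loadRemotePlugin(doc, src) {
  if (doc.querySelector(`script[src="${src}"]`)) return false; // already present
  const s = doc.createElement('script');
  s.src = src;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}

// Handler for the placeholder's click: record the opt-in, then load the real plugin.
function onPlaceholderActivate(storage, doc, src) {
  storage.setItem(CONSENT_KEY, 'granted');
  return loadRemotePlugin(doc, src);
}

// Page-load entry point: loads the third-party script only if consent was given earlier.
function initSocialWidget(storage, doc, src) {
  const state = widgetState(hasConsent(storage));
  if (state === 'remote-plugin') loadRemotePlugin(doc, src);
  return state;
}

// In a real page the site would call this with its own SDK URL (placeholder below).
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  initSocialWidget(localStorage, document, 'https://THIRD-PARTY-SDK-PLACEHOLDER/sdk.js');
}
```

The placeholder element itself should be served from the site's own origin (a local image or a plain button) so that rendering it triggers no third-party request.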
Be Safe, Be Secure
Already in the dock with a deluge of GDPR-related cases, Facebook has reportedly welcomed the decision and stated that it would do everything to comply with the ECJ ruling.
As per the verdict, no website shall hereafter collect or transmit personal data without the permission of the customer.
Want to understand the privacy implications of third-party apps on your website?
Book a meeting with our experts and learn exactly where the external plugins are integrated on your website and how each affects your organizational liability.
Want to get a free third-party privacy check for your website? Contact us