The Latest ECJ Ruling on Facebook-like Button Imposes Obligation On Website Operator

According to the ECJ ruling, website operators who integrate a "Like" button from Facebook are jointly responsible for data processing by Facebook. Since the processing is only triggered by the visit of the website, the website operators are obliged to obtain the prior consent of each and every user.

Published by Usercentrics

6 mins to read

Jul 31, 2019

What does the ECJ ruling state?

According to the ECJ ruling, website operators who integrate a “Like” button from Facebook are jointly responsible for data processing by Facebook. Since the processing is only triggered by the visit of the website, the website operators are obliged to obtain the prior consent of each and every user. This was decided by the European Court of Justice (ECJ) on Monday, 28.07.2019, in Luxembourg (Case No. 40/17) confirming a judgement of the Regional Court of Düsseldorf of March 2016. In doing so, the judges essentially follow the opinion published by the responsible ECJ Attorney General Michal Bobek.

Who was sued?

The judgement is directed against the German eCommerce provider Fashion ID GmbH & Co. KG, which belongs to the Peek & Cloppenburg chain based in Düsseldorf. Facebook itself has joined the court proceedings on the Fashion ID GmbH & Co. KG site.

How does the Facebook Like-Button process user data?

Facebook provides the administrators of Facebook fan-pages with a code that they can embed on a website. The original Facebook Like button is then displayed in the front-end, enabling the user to link directly to the Facebook page of the website operator – without first being redirected to Facebook. However, this code automatically collects the data of all visitors who have not yet clicked “Like”.

What’s the issue with the Facebook Like Button?

On the website itself, the user has no opportunity to object to or prevent the transfer of data. A concerned user is only allowed to surf with special plugins or browsers to protect his own privacy. However, this is not acceptable. Much rather the web page operator should inquire first the consent of the user and link the data passing on to it.

What is the user afraid of and what should he be protected from?

For example, a visit to the website of a cancer support group can lead to this being added to one’ s Facebook profile and therefore Facebook lists the user as a cancer patient in their databases. Facebook uses this information to play out ‘relevant’ and personalized advertisements to the user. The characteristics and interests of the user are thus processed and monetized without the user’s knowledge. The warning issued by the consumer association North Rhine-Westphalia was issued in 2015, which is why the ECJ will decide on the basis of the GDPR predecessor directive. However, the concept of “responsible party” is very similarly defined in both laws, so that the ruling can be applied to the legal situation prevailing since GDPR regulation and becomes even clearer due to the stricter requirements.

Does one have to adhere to the ECJ judgement as a website operator?

Whether or not you adhere to the court’s opinion that you must obtain the user’s prior consent to play the Facebook Like button remains up to you. However, in view of the current judgment and the legal situation under the GDPR we strongly recommend this. As national and local courts as well as data protection supervisory authorities will follow the ECJ ruling, a violation of the consent requirement will be punished with penalties and fines in accordance with GDPR. Given that in the present case there is no consent and therefore no legal basis for data collection and processing, the maximum penalty of 4% of the total annual turnover theoretically applies. However, another tendency is impending: the longer the majority of website operators maintain the status quo of unsolicited data transfer, the more resistance there is among users. Currently, the only option is to implement AdBlockers such as AdBlock Plus, Disconnect or UBlockOrigin, which blocks all scripts. Website operators are thus suffering because they can then no longer collect any information about users – even if they do not need consent for individual scripts, but the legitimate interest pursuant to Art. 6 f GDPR would apply. Particularly in Germany, the proportion is particularly high with 40% AdBlock coverage. This shows how sensitive users are to this issue and would like to see a fundamental revision in the mindset and execution of website operators.

What must I undertake as a website operator?

As a website operator, you should set up your pages in such a way that they also function “autonomously” without external tools, i.e. without passing on user data to third parties unsolicited. At the very least, you have to take precautions to either defend a deviation from the court decision or most importantly, implement the installation of a consensus tool to link the play of the Like button to the consent. There are special consent-tools for website operators to depict this technically.Therefore, the following argumentation that a Facebook like-button cannot be integrated in any other way or that this would be too complex does not apply. In addition to a consent tool, it is also possible to embed the like button only as an icon or image and link to the Facebook page instead of embedding the special Facebook code.

What does Usercentrics offer website operators to ensure compliance with ECJ ruling?

The Usercentrics Consent Management Platform technology maps opt-ins for elements such as the Facebook Like button. This means that customers can control not only cookies and pixels, but also embedded content such as YouTube videos, Twitter Feed, Google Maps, etc. via the Consent tool and play them out depending on the user’s preference.