GDPR Penalties
July 31, 2019 | 4 min read

The Latest ECJ Ruling on Facebook-like Button Imposes Obligation On Website Operator


What does the ECJ ruling state?

According to the ECJ ruling, website operators who integrate a “Like” button from Facebook are jointly responsible for data processing by Facebook. Since the processing is triggered by the visit to the website alone, website operators are obliged to obtain the prior consent of each and every user. This was decided by the European Court of Justice (ECJ) on Monday, 28.07.2019, in Luxembourg (Case No. 40/17), confirming a judgement of the Regional Court of Düsseldorf of March 2016. In doing so, the judges essentially follow the opinion published by the responsible ECJ Attorney General Michal Bobek.

Who was sued?

The judgement is directed against the German eCommerce provider Fashion ID GmbH & Co. KG, which belongs to the Peek & Cloppenburg chain based in Düsseldorf. Facebook itself has joined the court proceedings on the side of Fashion ID GmbH & Co. KG.

How does the Facebook Like-Button process user data?

Facebook provides the administrators of Facebook fan-pages with a code that they can embed on a website. The original Facebook Like button is then displayed in the front-end, enabling the user to link directly to the Facebook page of the website operator – without first being redirected to Facebook. However, this code automatically collects the data of all visitors who have not yet clicked “Like”.

What’s the issue with the Facebook Like Button?

On the website itself, the user has no opportunity to object to or prevent the transfer of data. A concerned user can only protect their privacy by browsing with special plugins or browsers. However, this is not acceptable. Rather, the website operator should first obtain the user’s consent and make the transfer of data conditional on it.

What is the user afraid of and what should he be protected from?

For example, a visit to the website of a cancer support group can lead to this being added to one’s Facebook profile, so that Facebook lists the user as a cancer patient in its databases. Facebook uses this information to serve ‘relevant’ and personalized advertisements to the user. The characteristics and interests of the user are thus processed and monetized without the user’s knowledge.

Does the judgment also apply to the GDPR?

The warning by the consumer association North Rhine-Westphalia was issued in 2015, which is why the ECJ decided on the basis of the GDPR’s predecessor directive. However, the concept of “responsible party” is defined very similarly in both laws, so the ruling can be applied to the legal situation prevailing since the GDPR and becomes even clearer due to the stricter requirements.

Does one have to adhere to the judgement as a website operator?

Whether or not you follow the court’s opinion that you must obtain the user’s prior consent before displaying the Facebook Like button remains up to you. However, in view of the current judgment and the legal situation under the GDPR, we strongly recommend this.

What follows a breach of the required consent for website operators?

As national and local courts as well as data protection supervisory authorities will follow the ECJ ruling, a violation of the consent requirement will be punished with penalties and fines in accordance with GDPR. Given that in the present case there is no consent and therefore no legal basis for data collection and processing, the maximum penalty of 4% of the total annual turnover theoretically applies.

However, another trend is emerging: the longer the majority of website operators maintain the status quo of unsolicited data transfer, the more resistance grows among users. Currently, their only option is to install ad blockers such as AdBlock Plus, Disconnect or uBlock Origin, which block all scripts.

Website operators suffer as a result because they can then no longer collect any information about users, even where individual scripts would not need consent because the legitimate interest pursuant to Art. 6 f GDPR would apply. In Germany the proportion is particularly high, with 40% AdBlock coverage. This shows how sensitive users are to this issue and that they would like to see a fundamental change in the mindset and practice of website operators.

What must I undertake as a website operator?

As a website operator, you should set up your pages in such a way that they also function “autonomously” without external tools, i.e. without passing on user data to third parties unsolicited. At the very least, you have to take precautions to either defend a deviation from the court decision or, most importantly, install a consent tool that links the display of the Like button to the user’s consent.

There are special consent tools that let website operators implement this technically. Therefore, the argument that a Facebook Like button cannot be integrated in any other way, or that this would be too complex, does not hold. In addition to a consent tool, it is also possible to embed the Like button only as an icon or image and link to the Facebook page instead of embedding the special Facebook code.
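One way to combine the two options above in the browser, as an added example that is not code from Usercentrics or Facebook: the page first renders only a static link and an opt-in button, and the third-party script is injected only after the user agrees. The function name, storage key, option names and any URLs passed in are assumptions.

```javascript
// Added example. CONSENT_KEY, the option names and any URLs passed in are
// illustrative assumptions, not part of any vendor's API.
const CONSENT_KEY = "consent.social-embed";

// doc: a Document; storage: a Storage such as localStorage; opts.container:
// host element; opts.profileUrl: link target; opts.sdkUrl: third-party script.
function createSocialEmbed(doc, storage, opts) {
  const { container, profileUrl, sdkUrl } = opts;
  let loaded = false;

  // Injecting the script is the first moment the browser contacts the
  // third party, so this is the only place that may trigger the transfer.
  function loadSdk() {
    if (loaded) return false;
    const script = doc.createElement("script");
    script.src = sdkUrl;
    script.async = true;
    doc.head.appendChild(script);
    loaded = true;
    return true;
  }

  // Record the opt-in, then load. Returns false if already loaded.
  function grant() {
    storage.setItem(CONSENT_KEY, "granted");
    return loadSdk();
  }

  // Withdrawal applies to later page views; a running script stays loaded.
  function revoke() {
    storage.removeItem(CONSENT_KEY);
  }

  // Static fallback: an ordinary link and an opt-in button, both part of the
  // first-party page, so nothing is requested from the third party.
  function renderPlaceholder() {
    const link = doc.createElement("a");
    link.href = profileUrl;
    link.textContent = "Visit our page";
    const optIn = doc.createElement("button");
    optIn.textContent = "Enable Like button (contacts the provider)";
    optIn.addEventListener("click", grant);
    container.append(link, optIn);
  }

  if (storage.getItem(CONSENT_KEY) === "granted") loadSdk();
  else renderPlaceholder();
  return { grant, revoke, isLoaded: () => loaded };
}
```

In a page this would be called as `createSocialEmbed(document, localStorage, { container, profileUrl, sdkUrl })` with the operator's own values.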

What does Usercentrics offer website operators?

The Usercentrics Consent Management Platform technology maps opt-ins for elements such as the Facebook Like button. This means that customers can control not only cookies and pixels, but also embedded content such as YouTube videos, Twitter feeds, Google Maps, etc. via the consent tool and display them depending on the user’s preference.

Schedule a free demo to learn how to implement the Facebook Like button in a GDPR-compliant way with Usercentrics!
