Since the introduction of the GDPR in May 2018, not all points have been clearly regulated and can be interpreted differently. Exemplary court rulings are needed to establish legal interpretations for these in detail. Such decisions then serve as a guideline for further judgements and related issues.
The European Court of Justice made such a ruling on Monday 29 July 2019. It involved a consumer centre filing a lawsuit against an online fashion retailer because the Facebook Like Button delivers personal information to Facebook without the visitor being informed or able to give their consent. Facebook uses this information to display tailored advertisements to the visitor elsewhere (Web pages, Facebook, Instagram).
The court says:
- Those who implement the Facebook Like Button on their website are jointly responsible and liable with Facebook for data collection.
- The website operator must inform visitors about this.
- The website operator must obtain the user’s consent in advance.
- If a legitimate interest is asserted, a legitimate interest must exist for all parties jointly responsible (Facebook and website operator).
What does that mean?
The judgement regarding the Facebook Like Button also applies to other social plugins and all elements that are integrated by third parties on a website. These include, for example, the following:
- Embedded YouTube videos
- Facebook Share Buttons
- Twitter Tweet and Share Buttons
- LinkedIn Share and Follow Buttons
- Display of the Instagram Feed on the web page
- Display of a Twitter tweet on the website
Thus, if the website operator uses these plugins or elements, it must
- Inform the visitor that social plugins send information to third parties for advertising purposes.
- Obtain consent beforehand or claim a legitimate interest together with the plugin provider.
Any legitimate business interest plugin providers (e.g. Facebook) may have is difficult to justify for one’s own website. It would mean the interest of third-party providers must be given more weight than the individual’s right to privacy. It is practically impossible to assert that, for example, Facebook has a legitimate interest that they are automatically informed of a visit when a user accesses any website that uses the Like button.
Conclusion: If there is no prior consent and no credible legitimate interest from both parties can be asserted (very unlikely) then these plugins may no longer be used.
What’s the next step?
The judgment is binding on the national courts of the Member States. This means that from now on social plugins may no longer be used on websites without consent. Either they must be removed or a cookie banner is used. This deactivates the social plugins by default and only activates them after the visitor has given his consent.
Even before the GDPR came into force, we pointed out in our article
(5 GDPR Quick-Fixes for your Website) that the use of social plug-ins violates the principles of the GDPR. In the meantime, we have set up several dozen cookie management solutions with which the activation of social plug-ins can also be controlled.