This could change a lot of things. If your website has Facebook’s like button on it for content or comments, you could be liable under the European Union’s privacy rules regardless of where you do business.
The EU Court of Justice handed down the ruling this week in a case involving an online retailer. A consumer trade association had complained that by embedding the Facebook like button, the retailer collected data and transmitted it to Facebook. Under the GDPR, personal information may only be legally collected and transmitted after an affirmative opt-in.
With the like button plugin, data can be transferred to Facebook without users’ knowledge, even if they haven’t clicked the button or aren’t Facebook users.
The court ruled that website owners can be held jointly liable for the collection and transmission of personal data to Facebook.
“The Court makes clear that the operator of a website such as Fashion ID, as a (joint) controller in respect of certain operations involving the processing of the data of visitors to its website, such as the collection of those data and their transmission to Facebook Ireland, must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the processing.” – Court Ruling
Further, the court ruled that website operators must obtain prior consent for any operations for which they are a joint controller. Using the Facebook plugin, or other widgets, makes websites joint controllers of information.
“With regard to the cases in which the processing of data is necessary for the purposes of a legitimate interest, the Court finds that each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard” – Court Ruling
The ruling is not appealable.
While the ruling happened in a European court, and the GDPR protects European citizens, it can impact any company that does business in Europe or has EU visitors to its website. If someone from the EU interacts with anything on your website, you can be held liable by EU regulators if you don’t comply with the GDPR.
The impact of this could be far-reaching. It’s not just Facebook that uses such plugins and widgets. Other social media platforms such as Twitter and LinkedIn have similar plugins, and WordPress is full of third-party plugins that collect data.