A new ruling by the European Court of Justice has a potentially big impact on websites that deploy Facebook’s Like button.
There are actually several kinds of ‘Like’ button: they can allow the user to Like the page or product they’re looking at, or to Like the Facebook Page that accompanies the website they’re on. The ruling seems to say that, because clicking the button gives Facebook the user’s IP address and browser identification string and sets cookies on their device, users should not be allowed to click it before they have provided their consent to that data collection.
The ruling also says that using these widgets makes the website’s owner a “joint data controller, along with Facebook” – which seems a stretch to us, as the host website never sees any data it collects and has no role in its subsequent processing. Crucially, that means that the website owner “must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.” The “solely” part of that sentence is a big deal, as it means we can’t rely on anything Facebook does or doesn’t do to allow users to give their consent.
This raises a number of questions:
- Does the principle of the ruling apply to other embedded data collection mechanisms equally, such as the increasingly popular Facebook Pixel?
- Will websites and brands want to take the risk of being treated as jointly responsible with big Internet companies for data that their websites collect?
The truth is, we need more GDPR test cases before we will really understand what the courts consider to be good practice in this area – but the web could be a pretty horrific user experience if every social interaction was disabled until the user gave explicit consent for it to be enabled.
We will watch the case with interest. In the meantime, clients who have any concerns about the implications should contact us for a chat.
You can read more about this story on The Register.