Companies that embed Facebook‘s “like” button on their websites must seek users’ consent to transfer their data to the United States social network, in line with the European Union‘s data privacy laws, the bloc’s top court said on Monday.
Website plug-ins such as Facebook’s “like” button are a common feature of online retail as companies seek to promote their products on popular social networks. But critics fear the data transfer may breach privacy laws.
The ruling from the Luxembourg-based Court of Justice of the European Union (ECJ) came after a German consumer body sued German online clothing retailer Fashion ID for breaching personal data protection rules via its use of the button on its site.
A German court subsequently sought guidance, and ECJ judges said websites and Facebook share joint responsibility.
Under landmark EU data privacy rules adopted last year, a data controller determines why personal data must be collected and processed and also secures consent from users. A data processor only processes personal data on behalf of the controller, and is usually a third-party company.
“The operator of a website that features a Facebook ‘like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website,” ECJ judges said.
The German retailer benefited from a commercial advantage as the “like” button made its products more visible on Facebook, the court said, though it noted the company is not liable for how Facebook subsequently processes the data.
Facebook said the ruling sheds clarity on website plug-ins, calling them an important feature of the internet.
“We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plug-ins and other business tools in full compliance with the law,” Jack Gilbert, Facebook’s associate general counsel, said in a statement.
Verbraucherzentrale NRW, the German consumer protection group that took Fashion ID to court, welcomed the ruling. “Companies that profit from user data must now live up to their responsibility,” its head, Wolfgang Schuldzinski, said after the ECJ’s decision.
Germany’s main technology industry association, Bitkom, however, lamented the burden placed on website operators.
“The European court is imposing an enormous responsibility on thousands of website operators – from the small travel blog to the online megastore, as well as the portals of major publishers,” said Bitkom head Bernhard Rohleder.
He said the ruling would not only affect websites with an embedded Facebook “like” button, but all social media plug-ins, forcing their operators to reach data agreements or face liability for collecting the data of users.
The ruling is in line with strict data privacy laws adopted by the 28-country EU last year, said Nils Rauer, a partner at law firm Pinsent Masons.
“The court was right in assessing whether Fashion ID had an interest in collaborating with Facebook by way of embedding the ‘like’ button,” Rauer said, adding that plug-ins will continue to be popular notwithstanding the judgment.
“Personally, I do not think that companies will turn away from embedding ‘like’ buttons due to the judgment,” Rauer said. “Presumably, they will pay more attention to the embedding process, by way of obtaining dedicated data privacy advice.”