Websites using Facebook's 'Like' button subject to GDPR data rules

Social media plug-ins, such as Facebook's 'Like' button, make a website operator a joint data controller, European Court of Justice rules

Website operators embedding Facebook ‘Like' buttons and other social media plug-ins into their pages are joint data controllers, making them subject to the GDPR data privacy regulations.

That's the ruling this week from the European Court of Justice in a case involving a German online clothing retailer, called Fashion ID. The ruling means that plug-ins enabling people to share a news story on Twitter, LinkedIn or WhatsApp, for example, also make a website a joint data controller.

As a result, website operators will need to communicate the data that is shared with a third-party by the plug-in, its presence on the site, and its use, as well as providing justification to visitors that the plug-in is legitimate.

"It appears… that Fashion ID's embedding of the Facebook ‘Like' button on its website allows it to optimise the publicity for its goods by making them more visible on the Facebook social network when a visitor to its website clicks on that button," the court ruled.

It continued: "The reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a button on its website is in order to benefit from that commercial advantage.

"Thus, those processing operations appear to be performed in the economic interests both of Fashion ID and of Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes constitutes the consideration for the benefit to Fashion ID."

In other words, as both the website operator and Facebook benefit from the personal data gleaned from the embedded plug-ins, they are therefore joint data controllers under the terms of GDPR.

As a result, the judgement concludes: "The operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard."

Barely a week goes by, these days, without Facebook being assailed by fresh bad news.

Earlier this week it was revealed that Google and Facebook could be forced to disclose algorithms by Australia's competition watchdog, while last week a $5 billion fine for violating a 2012 agreement with the US Federal Trade Commission (FTC) was confirmed.