EU Court: Website using Facebook ‘Like’ button liable for data

A German Consumer Body sued a German online clothing retailer Fashion ID for breaching personal data protection rules via its use of the Facebook ‘Like’ button on its website. The German Court sought guidance on this case from the European Union’s Court of Justice (ECJ).

The ECJ judges ruled that, in the case of embedding Facebook’s ‘Like’ button, both the website and Facebook are liable. In particular, they said: “The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website.” The EU Court also noted that the German retailer Fashion ID gained a commercial advantage from the ‘Like’ button as it made its products more visible on Facebook.

According to EU General Data Protection Regulation (GDPR), a data controller determines why personal data must be collected and how they are processed. Following the EU Court’s ruling, a third-party company using the Facebook’s ‘Like’ button or any other similar widgets could be considered joint controller and, thus be held liable for the data collection and transmission to Facebook. However, the company will not be responsible for what happens to the data after it’s passed to Facebook.

In a statement to TechCrunch, Facebook's associate general counsel, Jack Gilbert said that “We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”

This ruling does not prevent Facebook or other companies with similar buttons from offering these options, however, websites embedded to these widgets must obtain the users’ consent before transferring their data to Facebook or other companies. Right now, it appears that these buttons embedded to the websites transfer the visitors’ data to other companies without their consent and regardless of whether the visitors click on them or not. Consequently, websites should adopt a different approach for ‘Like’ buttons in order to comply with data protection rules.