Companies integrating Facebook’s „Like“ button on their websites share joint responsibility with Facebook for the compilation and transfer of data
Website plugins such as Facebook’s “Like” button are a common feature of online retail as companies seek to promote their products on popular social networks, but critics fear the data transfer may breach privacy laws. In line with the data privacy laws, the CJEU ruled that companies which embed Facebook’s “Like” button on their websites must seek users’ consent to transfer their personal data to the U.S. social network.
During their past practice, Facebook obtained data from users of online retailers, even if such users didn’t have a Facebook account. The CJEU’s ruling was assessed after a German consumer body sued a German online fashion retailer for breaching personal data protection rules via its use of the “Like” button on its site.
An online retailer can be considered to be a controller within the meaning of Article 2(d) of Directive 95/46, jointly with Facebook, in respect of the operations involving the collection and disclosure by transmission of the personal data of visitors to its website, the judges said.
In this case, the old data protection guidelines of 1995 were still applicable. They have been replaced by the General Data Protection Regulation (GDPR) in 2018. Even if the court had to interpret law that isn’t in force anymore, the ruling might be relevant for the new legislation under certain circumstances. The CJEU used to take such interpretations into account when the law in force contains almost identical provisions as the previous applicable law.
Facebook now wants to provide „Like“ buttons compatible to data protection regulations.
The ruling can be found here.
More information and reactions from the parties can be found here.