EU Court declares website is data controller for Facebook “like” button

The Advocate General has issued an opinion in Case C-40/17 relating to the use of a Facebook “like” button placed on the website of Fashion ID. The opinion sets out who is responsible for the sharing and processing of data.

The Court of Justice of the European Union found that when a website features a Facebook “Like” button which passes information to Facebook (usually the IP address and browser settings), the website owner is a joint controller for the use of the button on their website. Facebook, however, is responsible for the actual processing that happens on its platform, meaning the website cannot be responsible for this aspect.

During the case it was observed that personal data is passed to Facebook when the button is on the site, regardless of whether or not a website visitor clicks the “Like” button or is a Facebook user. Furthermore, the use of the button on the website means that Fashion ID is able to better target its advertising on Facebook.

What does this mean in practice?

Essentially, this ruling implies that where you are using a third-party plugin on your website that sends personal data to a third-party provider (e.g. a social media network), you should consider yourself the data controller for the initial collection of the data and the passing of that data to the third party. This in turn means it is up to you to determine the lawful basis for processing the website visitor data. If you determine the lawful basis to be consent, you will need to make sure you seek that consent in a GDPR-compliant way. If you are relying on legitimate interest, you will need to ensure your interest does not outweigh the rights of the website visitors.

Wider implications for websites

It’s difficult not to think about the wider connotations of this ruling with regard to any third-party plugins you may be using on your website: what data is being passed to any third parties, and whether you need consent or can rely on legitimate interest as your lawful basis for processing…

Further information and guidance on the implications of this ruling is available for Hub subscribers within the Website compliance section of the Digital Compliance Hub. Not a member? No worries, contact us for a free trial.
