The Advocate General has issued an opinion in Case C-40/17 relating to the use of a Facebook “like” button placed on the website of Fashion ID. The opinion sets out who is responsible for the sharing and processing of data.
The Court of Justice of the European Union found that when a website features a Facebook “Like” button which passes information to Facebook (usually the IP address and browser settings) the website owner is a joint controller for the use of the button on their website, although Facebook is responsible for the actual processing that happens on their platform (meaning the website cannot be responsible for this aspect).
During the case it was observed that personal data is passed to Facebook when the button is on the site regardless of whether or not a website visitor clicks the “Like” button or is a Facebook user. Furthermore, the use of the button on the website, means that Fashion ID are able to better target its advertising on Facebook.
What does this mean in practice?
Essentially this ruling implies that where you may be using a third-party plugin on your website that sends personal data to a third-party provider (e.g. a social media network) you should consider yourself the data controller for the initial collection of the data and the passing of that data to the third-party. This in turn means it is up to you to determine the lawful basis for processing the website visitor data and if you determine the lawful basis to be consent, then you will need to make sure you seek that consent in a GDPR compliant and if you are relying on legitimate interest then you will need to ensure your interest doesn’t not outweigh the right of the website visitors.
Wider implications for websites
It’s difficult to not think about the wider connotations of this ruling with regards to any third-party plugins you may be using on your website and what data is being passed to any third-parties and whether or not your need consent or rely on legitimate interest as your lawful basis for processing…
Further information and guidance on the implications of this ruling, is available for Hub subscribers, within the Website compliance section of the Digital Compliance Hub. Not a member? No worries, contact us for a free trial.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR