Digital Media and Data Privacy Law Blog

A ruling by the highest court in the European Union regarding the common practice of putting a Facebook “Like” button on a website could have repercussions for American companies doing business overseas.

In late July, the Court of Justice of the European Union ruled that the owner of a website is jointly responsible, with Facebook, for any data that is shared with the social media giant by embedding a social media plugin, such as Facebook’s “Like” button. This means that websites must now get explicit permission to share information with social media sites and show they have a clear business reason for collecting and sharing data. While the website is responsible for protecting the data while it is transmitted to the social media site, the courts did find these websites are not liable for what Facebook and social media sites do with the data.

The decision stems from a lawsuit a German-based consumer protection group filed against a German online fashion retailer, alleging that the personal data of visitors to the website was being shared with Facebook regardless of whether or not they clicked on the “Like” button. While this lawsuit was specifically about Facebook, the court decision applies to any information transmitted to a social media site through a plugin.

While this decision was rendered pursuant to the former Data Protection Directive, a predecessor regulation to the General Data Protection Regulation (GDPR) enacted by the European Union last year, it serves as a clear reminder of the European Union’s belief that data privacy is a fundamental right of all European citizens. American businesses should not ignore this deeply held conviction and should take steps to ensure they do not run afoul of European privacy laws when doing business in the European Union.

The first question to consider when evaluating if this ruling by the Court impacts you is, are you advertising to residents of the European Union? While websites are global, if your key customer base is local and you are not actively directing sales or services to the European Union, you probably do not need to worry about this ruling. However, if you target a European audience with your advertising, marketing and website, this ruling will likely impact you, even if your company is based in the United States.

This ruling does not mean you need to instantly remove Facebook’s “Like” button or other social media plugins from your website entirely. Instead, companies who are actively marketing to customers in Europe should start by ensuring the plugin is integrated with your site in way that communication with the social media company only takes place when a consumer clicks on the plugin button—and not whenever someone browses the website. It is also important that businesses understand what data Facebook and other social sites are collecting from these plugins and how that data is being used. It is virtually impossible to appropriately inform users about the data processing that takes place through the use of the plugin and articulate a legitimate basis for processing the data without this knowledge.

With Facebook, other social media and websites facing increased scrutiny in regard to their data collection and privacy practices in recent months and the European Union taking a tougher stance on data privacy as well, this case serves as another reminder that all businesses need to be aware of what data they are collecting, who they are sharing it with and how all data is being used.