The Court of Justice of the European Union recently made a ruling that could place websites as liable for privacy violations stemming from any data transmitted to Facebook.
To pull out the principle more broadly, the ruling states that since Facebook’s Like buttons automatically transfer private data back to the privacy giant, the website hosting said buttons must ensure that it has full consent from its users.
As per the EU:
Fashion ID’s embedding of the Facebook ‘Like’ button on its website allows it to optimise the publicity for its goods by making them more visible on the Facebook social network when a visitor to its website clicks on that button. The reason why Fashion ID seems to
have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a button on its website is in order to benefit from that commercial advantage. Thus, those processing operations appear to be performed in the economic interests both of Fashion ID and of Facebook Ireland, for whom the fact that it can use
those data for its own commercial purposes constitutes the consideration for the benefit to
The Court makes clear that the operator of a website such as Fashion ID, as a (joint) controller in respect of certain operations involving the processing of the data of visitors to its website, such as the collection of those data and their transmission to Facebook Ireland, must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the processing.
It’s not 100% clear what the immediate implications of this would be, but it implies that sites would have to ask consent for users to share their data to Facebook, in addition to the other cookie and/or GDPR consent forms they have to sign. This would provide a little more informed conser and/or choice to consumers who may not want any of their data at all to head to the internet giant.
You can read the full judgement here.