Big Implications for CJEU Ruling on Website Third-Party Data Sharing in Fashion ID Facebook “Like” Button Case
A big ruling implicating privacy disclosures and liability around third-party data sharing on websites has been issued by the EU Court of Justice today.
The CJEU issued its Judgment in Case C-40/17 involving Fashion ID, which concerned the operator of a website that features a Facebook “Like” button and whether that operator is a joint controller in the collection and transmission of the personal data of its website visitors to Facebook.
Because the Court determined that a website operator can be a joint controller with a social media company, companies placing third-party assets on their websites will have additional obligations under EU privacy laws. Although the decision did not directly interpret the General Data Protection Regulation (GDPR) because the case arose before the new privacy law went into effect last May, the implications are obvious.
Scrutiny over third-party data sharing has been enhanced over the past year as the facts behind the Cambridge Analytica scandal came to light and other social media / technology companies faced investigations by governments and the media. The ruling makes plain that a company which allows third parties to operate assets on its website can face liability under GDPR for the acts which are under its control.
What are the facts behind the case?
An online clothing retailer embedded the Facebook “Like” button on its website which transmits certain personal data of a website visitor to Facebook Ireland whether or not the visitor is a member of the social network. The visitor does not need to hit the “Like” button for Facebook to receive data about the visitor.
What was the Court’s ruling?
Although the Court held that the website operator is not a controller with respect to all of Facebook’s data processing, because the operator does not determine the purpose and means of those operations, it did find the operator responsible for the collection and disclosure to Facebook Ireland of the data at issue because the operator placed the button on its website for its commercial advantage. By placing the button on its website, the operator gained additional publicity for its goods on the social network. As a result of this and Facebook’s interests, the Court found that the social media company and the website operator were joint controllers with respect to the transmitted data that both controlled.
The Court also found that both the website operator and the third party need to have a lawful basis for the processing. If they are to rely on legitimate interest, then each must establish its own legitimate interest for the collection and processing to be justified. If the website operator wishes to use consent, it must gather consent for the operations which it controls (the collection and transmission of the data) before any personal data is collected and sent. The website operator must also adequately disclose the data collection and processing as part of its transparency obligations.
Why is this ruling important?
Many marketing companies and IT departments embed third-party plugins and assets on their websites without considering the privacy implications. The ruling could impose liability for this data collection without a lawful basis or for inadequate disclosures of it under GDPR’s transparency obligations.
Summary for Website Operators:
– If you embed a Facebook “Like” button on your website, you are a joint controller over its data collection there.
– This ruling is not limited to Facebook and may implicate the other third-party assets on your website.
– You must have a lawful basis for the data collection of the Facebook “Like” button.
– To rely on consent, you must disclose the data collection and processing which you control before the operations begin.
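A first check against the points above is to list which third-party hosts a page contacts on load, before the visitor has clicked or consented to anything. The script below is an added example, not part of the original article or of any vendor tool; the names `ThirdPartyAudit` and `audit`, the placeholder hosts, and the convention that a consent-gated embed keeps its URL in `data-src` are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute whose URL the browser fetches on page load, before any click.
AUTO_LOAD = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.site = page_url, urlparse(page_url).hostname
        self.findings = []  # (tag, host, loads_before_consent)

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOAD.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return  # e.g. rel="canonical" is metadata, not a fetched asset
        # Assumed convention: a consent-gated embed keeps its URL in data-src
        # and is given a real src only after the visitor opts in.
        url, before_consent = a.get(attr), True
        if not url and a.get("data-src"):
            url, before_consent = a["data-src"], False
        if not url:
            return
        host = urlparse(urljoin(self.page_url, url)).hostname
        if host and host != self.site and not host.endswith("." + self.site):
            self.findings.append((tag, host, before_consent))

def audit(html, page_url):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; every host is a placeholder, not a real service.
SAMPLE = """
<link rel="canonical" href="https://shop.example/dress">
<link rel="stylesheet" href="//fonts.example/css?family=Sans">
<script src="/js/app.js"></script>
<iframe src="https://social.example/plugins/like?href=https%3A%2F%2Fshop.example%2Fdress"></iframe>
<iframe data-src="https://video.example/embed/42"></iframe>
<img src="https://cdn.shop.example/dress.jpg">
<img src="https://pixel.example/t.gif" width="1" height="1">
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "https://shop.example/dress"))
```

Static HTML only shows assets present in the markup; anything injected later by scripts or a tag manager needs a check in a real browser session.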
How can Clarip help?
The Clarip Data Risk Intelligence helps companies identify third-party data sharing to put the appropriate privacy disclosures, lawful basis of processing and data sharing contracts in place. Contact us online or call Clarip at 1-888-252-5653 for a demo of the Data Risk Intelligence module.