Is your use of Facebook “Like” plugins lawful?

At Gerrish Legal we often help tech start-ups with their legal obligations and understand how important social media is for the promotion of your business.

1.59 billion people log on to Facebook daily, a number which increases month on month. Embedding a Facebook “like” plugin onto your website can bridge the gap between social media followers and your online platform, increasing the number of people that your products and services reach.

However, recent legal guidance from the European Court of Justice illustrates that this feature not only brings advantages but also imposes heavier responsibilities on website owners.

The Legal Bit 

The recent General Data Protection Regulation (2016/679), most commonly known as the GDPR, is the most important change to European data privacy regulation in 20 years.

The GDPR sets out strict obligations for businesses handling personal data. Essentially, personal data means any information which allows an individual person (a data subject) to be identified. This includes data gained through cookies, trackers and online identifiers which can be used to identify an individual person (such as an IP address). It is not necessary that the person’s name and physical address are included: online data can still constitute personal data and can, therefore, be caught by the GDPR’s strict processing requirements. Data transmitted in the online advertising environment, through social media platforms or campaigns, or even personal data obtained via clicking a Facebook “Like” button is likely to be considered as personal data for the purposes of the law.

An entity which determines how data is collected and processed is termed as a controller, and an entity which processes personal data on behalf of a controller and in accordance with their instructions is termed as a processor. Both controllers and processors must implement appropriate technical and security measures to ensure that personal data is kept safe, secure and confidential, and have procedures in place to demonstrate that data is being handled lawfully. Where there are two (or even more) controllers jointly using and making decisions about data together, they are known as joint controllers and must work together to ensure that they follow specific obligations imposed on joint controllers by the GDPR.  

The European Court decision

In a recent court decision, the Court of Justice of the European Union (CJEU) made it clear that if you embed a Facebook “like” button on your website, you may be considered to be a joint controller with Facebook itself. In this case, an online fashion retailer had used a Facebook “like” button on its website, which meant that visitors to the website had their data automatically transmitted to Facebook even if they didn’t click it (or even if they weren’t a Facebook visitor!), but the visitors did not know that this was happening. This was in conflict with the GDPR requirement of transparency when it comes to data processing activities.

The CJEU ruled that the fashion retailer was a joint controller with Facebook when it was collecting and disclosing the personal data of its website visitors, and that both Facebook and the online fashion retailer had obligations under the GDPR, but that the online fashion retailer was not responsible for any further processing activities by Facebook once the personal data had been transferred over.

Under the GDPR, there are six legal bases which allow personal data to be collected and processed. The CJEU confirmed in this case that when it comes to Facebook “Like” plugins, the only option to rely on will be the first legal basis, consent.

The other legal bases under the GDPR do not apply since collecting data via like buttons is not required for the performance of a contract (option two), for complying with pre-existing legal obligations (option three), to protect the vital interests of the data subject (option four), or for public interest reasons (option five). Whilst there is a sixth option to collect data if it is in your legitimate interests as a website owner, these cannot override the data subject’s own personal interests, and the CJEU advised that in the context of Facebook “Like” buttons, this basis is unlikely to be justified.

Practical advice for using Facebook “Like” buttons on your website

Whilst Facebook’s associate general counsel stated in response to the CJEU decision that:

“[Facebook] are carefully reviewing the court’s decision and will work closely with [Facebook]’s partners to ensure they can continue to benefit from [Facebook]’s social plugins and other business tools in full compliance with the law”,

we are still awaiting concrete guidance from Facebook, particularly about whether website owners using plugins will need to enter into specific contracts with the social media giant. It should be noted that whilst the CJEU referred specifically to the Facebook “Like” plugin, the decision would apply to any other similar social media plugin technologies.

Whilst we await such guidance, we have nonetheless set out some simple tips and tricks you can implement now.

Implement your lawful basis 

Following the decision, website owners using Facebook “Like” buttons must ensure that they are sufficiently transparent to visitors and that, in order to collect and process personal data of their visitors, they are able to rely on a valid lawful basis for doing so. In accordance with the CJEU guidance, this will be by getting the consent of your website visitors.

  • Transparency 

Transparency is vital for valid consent. Website owners should ensure that clear information about personal data processing activities is either clearly displayed or easy to access. Visitors must comprehend the purposes for which a website owner is collecting their personal data, and this must be explained in plain language for them to clearly understand. Usually, the best way to be transparent is to share this information on the website itself. This can be done through a privacy policy which is easily available on the website.

Additionally, next to any “Like” buttons, you should also put a note and a link to the privacy policy, explaining the consequences of a visitor pressing “Like”, and confirming that their active click on the “Like” button would constitute evidence that they accept their data to be processed jointly by you and by Facebook. 

  • Obtaining consent

The collection of personal data through a Facebook “Like” plugin will require freely given, specific, informed and unambiguous consent from an individual visitor. Therefore, once a visitor understands a website owner’s purposes for collecting their personal data (as per the above transparency requirement), they must have the opportunity to either consent to or reject its collection.

When obtaining consent, an easy option on a website is to provide thorough cookie consent preferences, through the use of checkboxes and backed up by a clear and understandable cookies policy, so that visitors can turn off any online analytics.

Remember – consent must be given in an active manner: silence is not consent! Pre-ticked boxes and default “ON” settings will not do, since there is nothing to show that the visitor has actually read, understood and consented to the processing.  

So, if you are a website operator considering embedding a Facebook “Like” button or have already done so for the many benefits it brings, take care! 

This is just a summary of our tips and tricks for embedding like buttons on your website and does not constitute definitive legal advice – if you have any of your own tips, please share them below! 

And of course, if you have any questions on your obligations under the GDPR, please don’t hesitate to get in touch.

Article by Lily Morrison and Charlotte Gerrish @ Gerrish Legal, first published on TechGirl in August 2019
