EU Court of Justice Rules Using Facebook’s “Like” Button Creates a Joint Data Controller Relationship

Written by: Richard Sheinis, Esq.

Fashion ID is an online retailer whose website used a plug-in to feature a Facebook “Like” button.  As a result of the plug-in, when a user lands on Fashion ID’s website, information about the user’s IP address and browser string is automatically transferred to Facebook.  This transfer of information occurs irrespective of whether the user has clicked the “Like” button, and whether or not the user even has a Facebook account.

On July 29, 2019, the Court of Justice of the European Union (“CJEU”) ruled that Facebook and the website operator are joint data controllers, but only with respect to the collection and transmission to Facebook of the personal data of website visitors.  However, any further processing of the personal data by Facebook, beyond the collection and transmission of the data, is not the responsibility of the website operator.

What does this ruling mean to website operators?

  1. Article 26 of GDPR requires joint controllers, here the website operator and the provider of a plug-in, to enter into a transparent “arrangement” that determines their respective responsibilities for GDPR compliance. The arrangement must be made available to data subjects. Although GDPR does not further define “arrangement”, the best practice is to have a written agreement with Facebook or any similar social media plug-in provider.
  2. Website operators must provide information related to the functioning of the plug-in. Website notices should be reviewed and updated accordingly.
  3. Website operators should determine whether consent obtained pursuant to Article 5(3) of the ePrivacy Directive is sufficient to cover the collection and transmission of personal data to the plug-in provider.