Image: Fashion ID

Think the little Facebook “Like” button included on so many companies’ websites is little more than an arbitrary plugin? Think again. The European Union’s top court stated in a decision on Monday that companies that opt to use these social media-centric plugins may be on the hook for privacy law violations unless they explicitly obtain consent from users before handing the data collected on EU-hosted websites to third-parties, such as Menlo Park, California-headquartered Facebook.

Monday’s decision from the Court of Justice of the European Union (“CJEU”) follows from a case first filed in a regional court in Germany by consumer advocacy group Verbraucherzentrale NRW. The German group asserted that consumers that visited the e-commerce site of Düsseldorf-based fashion retailer Fashion ID had their data – including IP address and browser string – collected and passed to Facebook Ireland regardless of whether they clicked on the “Like” button.

Seeking guidance from the EU, the case made its way before CJEU Advocate General Michal Bobek, who asserted in a non-binding opinion in December that the transfer of info from Fashion ID to Facebook “occurs automatically when Fashion ID’s website has loaded, irrespective of whether the user has clicked on the ‘Like’ button and whether or not he has a Facebook account.” Such a process, he stated, “causes the collection and transmission of the user’s personal data,” and given that “a third party,” Fashion ID in this case, “provided the plug-in,” that third-party “shall be considered to be a controller,” and thus, held jointly liable.

Speaking specifically about the evolving digital landscape, AG Bobek stated, “A long time ago (the fans of a certain sci-fi franchise might wish to add ‘in a galaxy far, far away’), it was cool to be on a social network. Then gradually, it started to be cool not to be on a social network. Nowadays, it appears to be a crime to be on one.” With such an “evolving social context,” the role of the judicial decision-making “should certainly react to that context, but not be controlled by it.”

“A social network,” he asserted, “like any other application or programme, is a tool. Similar to a knife or a car, it can be used in a number of ways. There is also no doubt that if used for the wrong purposes, that use must be prosecuted,” and with that in mind, “novel forms of vicarious liability have to be put in place.”

Fast forward to Monday and the CJEU issued its binding decision in what is being called a “landmark case,” determining that Fashion ID and other sites can be held jointly liable along with Facebook, and other social media sites, in connection with the collection and transfer of consumer data. “The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website,” the CJEU panel of judges stated on Monday.

As Reuters stated, “The German retailer benefited from a commercial advantage as the ‘Like’ button made its products more visible on Facebook, the court said, though it noted the company is not liable for how Facebook subsequently processes the data.”

With that in mind, in order to avoid liability, website operators need to inform users when data is being collected, what is being collected, and what legitimate reason there is for such data being collected.

A spokesman for Facebook stated on Monday, “Website plugins are common and important features of the modern internet. We welcome the clarity that today’s decision brings to both websites and providers of plugins and similar tools. We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”