Facebook “likes” device counter on table showing how the recent EU court ruling on Facebook ‘like’ button could have huge implications for websites
EU Court Ruling on Facebook ‘Like’ Button Could Have Huge Implications for Websites by Nicole Lindsey

EU Court Ruling on Facebook ‘Like’ Button Could Have Huge Implications for Websites

Across the Internet, the Facebook Like button is nearly ubiquitous. Visit any website, and you’re likely to see the Facebook Like button staring back at you, encouraging you to share your “like” with all of your friends, family and acquaintances on the Internet. However, a recent court ruling from the European Court of Justice (ECJ), the top court in Europe, could bring an end to the era of the social media “like.” In a surprising and very broad interpretation, the European Court of Justice ruled that website operators need to seek out the consent of users before transferring any personal data via the Facebook like button.

This European ruling calls into question the entire system of social media plug-ins, in which it is easier than ever before to add social media sharing buttons to a website. Without the proper safeguards in place for social plug-ins, users could be unknowingly or unwittingly sharing all of their personal data with a burgeoning ecosystem of digital advertisers, third-party data brokers and social networks.

The case of the German fashion retailer involving the Facebook ‘Like’ button

This need to ask for the explicit permission of website users anytime the Facebook like button is embedded on a website is based on a case out of Germany involving the German fashion retailer Fashion ID. In the information that Europe’s top court analyzed, it appeared as though data was being sent immediately to Facebook the second that a user landed on the page of the e-commerce retailer. Even if the user was not a member of the social media network, Fashion ID was still sending as much data as it could back to Facebook, including the physical address of the user and other potentially identifying information. If the user was actually a member of the Facebook social network, the extent of the data sharing was even more extensive. Hitting the Facebook like button meant that any and all items included within the user’s social media profile could be sent to the Facebook social network.

What made the Court of Justice of the European Union side against Fashion ID was that the company was clearly using the Facebook like button for commercial gain. Any time a user hit the Facebook like button, it was tantamount to sending a mini-ad to all of that user’s friends and followers, letting them know about the German fashion retailer. Visitors to its website, by hitting the Facebook like button, were helping Fashion ID sell more products.

From a purely legal perspective, the European Court of Justice ruled that the operator of a website (i.e. an e-commerce site) could be considered a “data controller” under the terms and conditions set forth in the 2018 General Data Protection Regulation (GDPR). And, as the GDPR makes clear, if an entity is a “data controller,” then it must seek out the consent and explicit permission of its users. In other words, if a Facebook like button is showing up on its website, then the operator of that website is also liable for any data transmitted away from that site (in this case, all data transmitted to Facebook). The only good news, from the perspective of website operators, is that the court said that the websites had no further responsibility or liability once the data resided within Facebook’s data silos.

Implications of the Facebook ‘Like’ ruling for other websites

Perhaps not surprisingly, Facebook was careful to portray this court ruling in the best possible light. The troubled Silicon Valley giant is already facing a deluge of GDPR-related privacy cases, and it is clearly eager to remain on the good side of regulators and legislators and show that all social media tools are in full compliance. As Facebook noted tersely, the company “welcomed the clarity” of the decision involving data transmission to Facebook, and suggested that it would do everything possible to comply with the ruling. After all, this decision can’t be appealed, so Facebook would gain very little by trying to marshal its legal resources for a decisive legal counter-attack. So it says that it will work closely with its partners to ensure compliance with the decision after carefully reviewing the court decision.

In other words, Facebook is probably already looking for a legal end-run around this ruling, or at least, some way to comply without really complying. Perhaps the easiest fix to this problem is asking each website operator that uses the Facebook like button to ask for consent, in much the same way that users must give their consent for a website to collect cookies on their browsing behavior. Social plug-ins and other business tools, almost a compliance afterthought these days, now must be GDPR-compliant.

Some form of consent pop-up window might be the easiest and most expedient solution, but it also threatens to further degrade the overall online user experience. Do you really want to answer a bunch of questions each and every time you use a website? Do you really want your use of the Facebook ‘Like’ button – perhaps the easiest way to engage with content on the Internet – to come with a confusing menu of privacy options? Yet, to ensure that they can continue to operate, website operators are going to have to answer these tough questions.

What makes the EU court ruling so potentially disastrous for website operators is that it doesn’t matter if users click on the Facebook like button or not – all that matters is that the Facebook ‘Like’ button is somewhere on the page, and it automatically triggers the need to obtain consent. Thus, imagine the confusion of a user who has already quit Facebook being asked if it’s OK if Facebook still collects data on them. Moreover, as the European top court makes clear, website operators now have the onus of responsibility of showing that they have a legitimate reason for collecting and transmitting data to Facebook. They can no longer “hide behind Facebook” – they now bear joint responsibility for whatever happens to a user’s data in order to remain in compliance with the law if the Facebook ‘Like’ button is on their websites.

The future of the Facebook ‘Like’ button

All of which, of course, calls into question the future of the Facebook ‘Like’ button. It could be the case that we’ve already reached a period of “peak Facebook” on the web, and that the next few years will represent a steady rollback of Facebook’s presence across the broader web. That rollback could start with the end of the Facebook ‘Like’ button, which has become so ubiquitous these days that many people may not even consider how pressing a single button could open up their social media profiles to a wide range of prying eyes.