Websites that embed Facebook’s ‘Like’ button are now partially responsible for the resulting data, according to a new ruling by the European Union’s Court of Justice.
These sites now have to obtain informed consent from visitors, or demonstrate a legitimate legal basis for using this data.
To be clear, Facebook and publishers are still allowed to collect data related to consumers’ ‘Like’ activity. They now have to be more transparent about the practice.
In its ruling, the Court of Justice specifically referenced FashionID, a German online clothing retailer, which was identified as embedding Facebook’s ‘Like’ button on its site.
“The consequence of embedding that button appears to be that when a visitor consults the website of FashionID, that visitor’s personal data is transmitted to Facebook Ireland,” according to the EU body. “It seems that transmission occurs without that visitor being aware of it and regardless of whether or not he or she is a member of the social network.”
In its judgment, the Court found its former Data Protection Directive does not preclude consumer-protection associations from being granted the right to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.
The Court also noted the new General Data Protection Regulation expressly provides for this possibility.
Unlike U.S. policymakers, European regulators have been quite aggressive in taking on Facebook and its business practices. Most recently, antitrust regulators in Germany ordered Facebook to change the way it tracks users across digital channels.
Germany’s Federal Cartel Office -- or Bundeskartellamt -- warned the company that within the year, it must stop collecting the data of unsuspecting consumers and combining it with their Facebook accounts.
In response, Facebook said it plans to fight German regulators in count, and took issue with its specific demands.
Since the GDPR went into effect last year, the comprehensive European data law has threatened a number of U.S. tech titans with significant fines.
In the wake of a security breach that affected roughly 50 million Facebook accounts late last year, European regulators reportedly threatened the company with over $1 billion in fines.
Facebook’s lead European privacy regulator, Ireland’s Data Protection Commission (DPC), made its concerns public late last year.
At the beginning of 2019, privacy regulators in France hit Google with roughly $57 million in fines for failing to comply with GDPR guidelines.The French National Data Protection Commission said the U.S. search giant failed to obtain consumers’ consent before using their data to deliver more targeted advertising.