Jul 31, 2019 | Articles, GDPR

Using the Facebook ‘Like’ button on your web site makes you a joint data controller without consent

Howard Freeman

Howard Freeman

Facebook 'Like' Button

It is now official, replying the Facebook ‘Like’ button on your web-site could render you non-compliant to the GDPR.

A landmark ruling by the European Court of Justice has decided that web site owners can be held liable for data collection when using the so-called “social sharing’ widgets. The ECJ is the highest court in the EU. The court has ruled that deploying these widgets actually makes the organisation a joint data-controller, along with Facebook. This is particularly awkward as Facebook has a poor track record when it comes to privacy. Therefore, being associated with Facebook in this way may not be good for business.

Legal Basis for Processing Data

The court stated that web-site owners “must provide, at the time the data is collected, information as to the purpose of the data processing and its identity.” This ruling, by extension, also applies to Twitter and LinkedIn.

It is worth remembering what the ‘Like’ button actually does. It isn’t, as many think it is, a way of saying I like this or that company. In fact it has a primary purpose of tracking individuals across websites. It also permits data collection, even when there is no explicit use of Facebook products.

The route to court

So, how did this end up in the highest court in the European Union? It begins with the German fashion retailer named Fashion ID. They, like so many others, placed Facebook’s button on their site. They ended up being sued by a German consumer rights group. This group, Verbraucherzentrale NRW claimed that users were automatically surrendering their data. This data included their IP address, browser ID string and many cookies. All of this contravened the EU Data Protection Directive (DPR) of 1995. The DPR has since been superseded by the General Data Protection Regulation (GDPR). The GDPR is a lot stricter that the DPR.

In 2016, Fashion ID lost the case in a regional court and then appealed to a higher German court. Facebook also joined the appeal. The case was then escalated to the ECJ where, on Monday of this week, a ruling was given. This ruling stated “in respect of the collection and transmission to Facebook of the personal data of visitors to its website”. The court also stated that it was not, in principle, “a controller in respect of the subsequent processing of those data carried out by Facebook alone”.


“Thus, with regard to the case in which the data subject has given his or he consent, the court holds that the operator of a web-site such as Fashion ID must obtain that prior consent (solely) in respect of operations for which it is the( joint) controller, namely the collection and transmission of the dat,” the ECJ said.

The concept of the data controller is the organisation that is responsible for deciding how data collected online, will be used. This is a key part of both the DPR and the subsequent GDPR. The controler has more responsibilities than a data processor. The latter cannot change the legal basis for processing of the data. If the rules are breached, the data controller is the one held accountable.

Facebook has responded and decided to the the approach of “the like button was just a plug in”, when in fact it is anything but. Their Associate Legal Counsel said, in statement, “We welcome the clarity that today’s decision brings to both web-sites and plugin providers and similar tools. We are carefully reviewing the court’s decision and will work closely with our partners. We want to ensure they can continue to benefit from our social plugins and other business tools in compliance with the law.”

What should you do now?

It is clear by this ruling that you must have consent if you have the FB ‘Like’ button on your web site. As stated earlier, you are responsible for asking and receiving such consent. How will this be done? In talking to web developers, it seems that following the clicking of the FB button, a challenge or consent box needs to appear. The user then consents to their data being passed on to Facebook. If they don’t tick, then the data is not passed and the box can be closed. A record of such consent being given would be captured by the web site. This will allow a DPO to keep proper records.

If you are concerned, then call us on 03333 22 1011 and we will be happy to help. Your initial consultation is free.


Can we help?