Websites that embed Facebook’s ‘Like’ button are now jointly liable for the initial processing of user data and must get consent from European Union visitors before transferring it to the social network, or be able to demonstrate legitimate business interest for processing, according to the bloc’s top court.

On Monday, the Court of Justice of the EU ruled that under GDPR rules, which came into force last year, a data controller must determine why personal data should be harvested and processed and should therefore obtain consent when embedding the social network’s widgets. Though Facebook processes the data, under GDPR it cannot change the purpose or use of that data. However, the penalties of the regulation are borne by the controller, meaning the ruling will cause headaches for websites worldwide.

The ‘Like’ button was first introduced in 2010 as part of Facebook’s Open Graph – an initiative that allowed third-party developers to integrate tools and products that relate to Facebook’s data. Soon after its release, several privacy organisations put their criticisms to the social network in an open letter. Few of those concerns have diminished; the ‘Like’ button was never intended for actual liking so much as collecting data about users from a far broader pool of websites. In 2018, Facebook told the UK parliament that the button appeared on 8.4 million websites, according to TechCrunch.

“The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website,” judges said. However, the ruling went on to note that the “operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone”. The Register observed that the ruling extends logically to similar plug-ins from Twitter and LinkedIn.

The case arrived at the court following a complaint against the German online fashion retailer Fashion ID brought by Verbraucherzentrale NRW, a consumer protection association. With legal action beginning in 2015, the case actually predates GDPR’s implementation, but the plaintiff claimed that the button breached earlier data protection laws.

Verbraucherzentrale NRW claimed that by using the Facebook ‘Like’ button, visitors to Fashion ID were automatically handing over their IP addresses, browser information and cookies, which was against the earlier (1995) Data Protection Directive. Since GDPR, however, those rules have toughened, and specific, informed and freely given consent is now part of EU law.

“We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plug-ins and other business tools in full compliance with the law,” Jack Gilbert, Facebook’s associate general counsel, said in a statement.

As with earlier criticisms of the GDPR, the ruling broadens the pool of sites that have to contend with the new regulations, whether they’re colossal multinational businesses or small team websites; big businesses have an advantage in scale.

Sourced from the ECJ, Digital Trends, The Register; additional content by WARC staff