Consent for Social Plugins? The ECJ’s Fashion ID decision

The operator of a website that contains the Facebook “Like” button may be jointly responsible with Facebook for the collection and transmission of the personal data of visitors to its website. However, the operator is generally not responsible for the later processing of this data by Facebook. This was held by the European Court of Justice in a recent decision (“Fashion ID”, judgment in the case C-40/17, Fashion ID GmbH & Co. KG/Verbraucherzentrale NRW eV). 

The underlying issue was that the operator of the “Fashion ID” website was using a conventional Facebook “Like” button. The Verbraucherzentrale NRW (a consumer organisation) filed a complaint on the grounds that the integration of Facebook’s “Like” button required the consent of website visitors, which Fashion ID did not obtain. The ECJ has now confirmed this position.

The ECJ essentially came to the following conclusion:

Facebook and website operators are in part joint controllers

The operator of a website that uses a social plugin (e.g. Facebook’s “Like” button) which causes the browsers of the website visitors to request content from the provider of this plugin and to transmit personal data of the visitor to this provider to this end must to be regarded as a “controller” in the sense of data protection law. However, this responsibility shall be limited to the prcoessing operations for which it actually co-decides the purposes and means, i.e.

–       the collection of the data in question, and 

–       their transmission to Facebook (or any other provider of a social plugin).

A “legitimate interest” is required for both Facebook and the website operators

In a situation in which the operator of a website uses a social plugin, it is necessary that the operator and the provider (for example Facebook) each have a legitimate interest (article 7(f) of Directive 95/46) in those processing operations so that those operations are justified for each of them. This of course only applies if a legitimate interest is required at all.

Consent only required when using cookies, but before collecting data?

In a situation like the Fashion ID case, in which a website operator uses a social plugin, consent must be obtained by the operator, but only with regard to the processing activities for which the operator actually co-decides on the means and purposes. And only under the condition that cookies are used. 

Concerning consent itself, it must be obtained before any data are collected and transmitted. It is therefore the responsibility of the website operator and not of the provider of the social plug-in to obtain consent, as the processing of personal data is already triggered by the fact that a visitor accesses the website.

However, the website operator only requires consent for those processing operations for which they actually co-decide on the means purposes. 

Website operators must also meet information requirements

The statutory transparency requirements also concern the website operator, but the latter must again inform the data subjects only in relation to the processing operations for which they actually co-decide on the means and purposes.

Practical consequences for the online industry

This judgment contains no real news for any industry professional who is up to speed with current privacy developments. First, it should be pointed out that the lawsuit and the judgment were based on the old EU Data Protection Directive of 1995, which was replaced by the General Data Protection Regulation with effect of 25 May 2018. However, the ECJ will probably decide similarly on the basis of the current GDPR. Nevertheless, the judgment makes some specific points:

Back in June 2018, the ECJ had already ruled that Facebook Fan Page operators are joint controllers for processing visitor data (case C-210/16 “Wirtschaftsakademie”). Now, the ECJ has decided that this broad understanding of joint controllership also applies to the “Like” buttons on social media platforms. What is new, however, is that the responsibility ends where the data reach Facebook. 

Surprisingly, however, the ECJ leaves open one of the most important questions of the online industry, namely whether website operators always require consent for the integration of social plugins, such as Facebook’s Like button, or whether a “legitimate interest” (within the meaning of art. 7(f) of the old Directive or today’s art. 6(1)(f) GDPR) can be sufficient justification for the operator. It is true that the ECJ indirectly emphasises (paras. 89, 91) that setting a cookie under the Data Protection Directive always requires consent. Whether this also applies, however, if no cookie is set, as is sometimes the case with a like button, is apparently intentionally left unanswered by the ECJ. It also leaves open the question of what exactly consent should look like in the case of a cookie and thus also the controversial question of whether tacit consent could also be sufficient. The ECJ only comes to the conclusion that, if legitimate interest is sufficient, it is required both by Facebook and by the website operator.

The question of whether legitimate interest can generally be sufficient as a legal basis or not was not the subject of the decision. However, this question is of such practical importance for the online industry that can hardly be overestimated. If one follows the opinion of the German supervisory authorities, consent must always be obtained – not only for social media buttons, but for all tracking measures. This also applies to the view of the supervisory authorities of other EU countries, such as the French CNIL or the British ICO.

If, on the other hand, one takes the view of many affected businesses and industry associations, many data processing activities can also be justified by art. 6(1)(f) GDPR and thus by the controller’s “legitimate interest”. The decisive difference: Consent would then not be required for the integration of the Like button.

However, if you want to be on the safe side, you should plan to obtain the consent of your users before the data is actually collected. How best to do this is left open by the supervisory authorities, despite the German authorities’ recent publication of a “telemedia” whitepaper (covering, inter alia, websites). A technical solution that meets these requirements today, but only for social plugins, is the so-called 2-click solution. The Like button is initially integrated as a mere image file. If the user then clicks on the icon, consent is obtained with which the correct Like button is loaded. However, how consent must be obtained, especially when cookies are used, remains unclear even after the ruling of the European Court of Justice. In the future, it will certainly make sense to work with so-called Consent Management Platforms (CMPs) or even better with the Interactive Advertising Bureau’s so-called Transparency and Consent Framework (TCF).

However, one thing is already clear: in both cases (consent or legitimate interest), operators have to fulfill transparency obligations towards their visitors, but only for the data for which they are co-responsible. Website operators, on the other hand, do not have to provide information about how Facebook processes the data. Facebook must provide this information itself, which is a certain relief.

Furthermore, the joint responsibility assumed by the ECJ under the GDPR leads to the obligation for website operators to regulate their joint data protection obligations in an agreement under to art. 26 GDPR (a model is provided by the supervisory authorities). The providers of social plugins will probably provide such an agreement in the future.

Conclusion: So what to do with Social Pugins?

  • apply the 2-click solution
  • decide on a general consent solution
  • urge the supplier to provide an agreement pursuant to art. 26 GDPR
  • transparently inform about the integration of social plugins in the privacy policy