This week The Court of Justice of the European Union ruled that websites are liable for Facebook’s tracking activities. This is an important decision that clarifies one of the most important outstanding GDPR issues – whether the consent you’ve given to Facebook exempts website owners from asking for consent.
What is the Facebook like button?
It’s a script snippet that you copy and paste into your website that lets visitors like your pages. The like button is only of of several tools (“social plugins“) provided by Facebook for various embedded Facebook features (including chat, liking your page, sharing). We can add the Facebook pixel to that mix, which allows conversion tracking for Facebook ads.
What Facebook does with all these tools under the hood is track your users. Because you have included a Facebook script on your website, Facebook can correlate user behaviour based on their tracking cookies. They can track every page visit and even every click of your users and store it in their database. Facebook has spread its digital tentacles all around the web with seemingly benign tools.
It comes from Facebook. It’s trustworthy… isn’t it?
The issue is, according to the court, that website can be liable for including these code snippets, because they are so called “joint controllers” with Facebook. And they should ask for consent for the data collection done by Facebook. And while it may seem that a simple “Do you agree?” overlay would be sufficient, it can’t be. Because website owners don’t actually know what data is collected by Facebook – they are including a script which can do anything, almost like a virus. And the only reason website owners trust this script (e.g. not to steal credit card information) is because it comes from Facebook.
But no website owner can know for sure what data is being collected about their users. Sure, they can inspect the information sent back to Facebook and try to decipher it, but the scripts can potentially be obfuscating the data. And even if it isn’t, it requires some technical skill to actually understand what data is being sent, and many website owners don’t have that skill. You have a WordPress site or a small online shop, and you run that by drag-and-drop – you can’t be expected to know what is the Facebook script doing with your visitors.
But the court says that you should ask for consent, and GDPR says that when you ask for consent, you should ask for particular data, not a generic “do you agree that we or Facebook collect whatever we like about you”. And if you can’t know what data Facebook is collecting, you can’t properly ask for consent. The court leaves an option for pursuing a legitimate interest, but it’s hard to imagine such massive data collection as a legitimate interest.
Your options about the Facebook Plugins
This issue practically means that the safest option is to just remove any Facebook social plugin that you have on your website, at least until Facebook become explicit about what they are collecting and provide you with automated consent options. This may sound harsh, but it’s actually one of the reasons GDPR exists – that the online giants, due to their dominant position, are able to collect huge amounts of data about users by “exploiting” unsuspecting website owners. The change now is that website owners are liable and they can no longer ignore it.
Data privacy has many forms – you may have the best tools that protect the data that you collect, but if your website if sending your users’ behaviour to Facebook, you are still, technically, “leaking personal data”. Just not to hackers, but to Facebook.