Website Embedding Facebook 'Like' Button Subject to Privacy Law, EU High Court Rules

challenge by a German consumer rights organization against Fashion ID, a German online clothing retailer. The seller embedded the "Like" plug-in supplied by Facebook Ireland on its website, causing visitors' browsers to automatically send information about their IP address and browser string to the social media platform, the court said. Those transmissions took place without users having to click on the button, and also allowed Facebook to place cookies on users' devices. The consumer group sued in a national district court to force Fashion ID to stop integrating the plug-in. The case was later referred to the ECJ for interpretation of several provisions of the former data protection directive as replaced by the general data protection regulation (GDPR). Among the court's findings: A website operator that embeds a third-party plug-in on its website resulting in the collection and transmission of a user's personal data is considered a data controller with joint responsibility (here with Facebook) for operations for which it co-decides on the means and purposes for processing the data and a data subject's consent obtained under the directive must be given to a website operator that has embedded the content of a third party. The case is "quite significant," tweeted Hogan Lovells (London) data protection lawyer Eduardo Ustaran. In practice, he added, all website operators using such cookies should contractually apportion responsibilities for the data collection and processing consider which GDPR lawful ground applies, and then explain those data uses in their privacy or cookie policies.