Liking Gone Wrong? A Cautionary Privacy Tale for Companies with Websites and Apps
The European Court of Justice (ECJ) recently issued a decision that both the website operator embedding a plugin and the third party plugin provider are jointly liable for collection and transmission of personal user data collected by the embedded plugin.
The case, FashionID, involved a German fashion retailer that inserted the Facebook “Like” plugin on their website. When a user navigated to the FashionID website, information was automatically collected and transmitted to Facebook via the plugin. The user did not need to interact with the “Like” button or have a Facebook account; landing on the website page was enough to cause the immediate collection and transfer of data. Information transmitted included the user’s IP address and browser string. FashionID had no ability to alter the behavior of the plugin to prevent automatic collection and transmission of information.
In Europe, personal data is any information relating to a natural person which allows the person to be identified. The ECJ had previously clarified that an IP address can constitute personal data. It should be noted that under the California Consumer Protection Act, going into effect January 1, 2020, IP addresses are also protected personal information.
A few issues remain unresolved from this decision. For example, What is the scope of consent that needs to be obtained when integrating a live plugin similar to the Facebook “Like” button? What is the scope of liability? What are the available remedies?
In an era with heightened privacy concerns, businesses should note that the Facebook “Like” button is not an outlier for automatically collecting and transmitting data. In fact, the non-profit advocacy group Privacy International reported in December 2018 that some of the most widely used apps in the Google play store automatically collected and sent personal data to Facebook. This is a continually evolving issue and as of March 2019 many of the apps reviewed in December had removed that feature.  That said, the FashionID decision is relevant outside Europe given the increasingly global nature of business and the increase in privacy legislation in more jurisdictions around the world. Even without additional legislation, businesses should also consider the possibility of reputational harm if customers believe the collection of personal data is not transparent and is overreaching.
There are several actions businesses can take now. Review your website and update your privacy section — particularly if a Facebook “Like” button is embedded!  Don’t stop there. Understand how plugins and automatic data collection tools (e.g., cookies) operate on the website to avoid inadvertent collection and/or transmission of personal data without appropriate permission. Carefully consider whether the business needs to embed the tools. Whenever possible, clearly give users the ability to opt out of data collection and use of personal data. Explain which data the website collects and how the data is used. Review where user traffic is coming from and any local privacy rules that might be in place or going into effect. If your business has an app in an app store, review those as well. Don’t forget, the California Consumer Privacy Act goes into effect January 1, 2020.
 FashionID GmbH & Co. KG v. Verbraucherzentrale NRW, Case C-40/17; Judgement of the Court 29 July 2019.
 Article 2, Directive 95/46/EC of the European Parliament and of the Counsel on the protection of individuals with regard to processing of personal data and on the free movement of such data, 24 October 1995.