Websites using Facebook 'Like' button liable for data, Europe's top court decides

'Like' button plugins can transmit people's data back to Facebook even if they don't click on those buttons, the ECJ finds.

Katie Collins Senior European Correspondent
Katie is a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described as a "living synth" by London's Evening Standard for having a microchip injected into her hand.

Websites need to think carefully about using Facebook's 'Like' button plugin.


Facebook's 'Like' button might not appear to be one of the internet's most complex tools, but there's more to the little upturned thumb than meets the eye. Some companies, for instance, use that Like button on their websites as a plugin, and on Monday Europe's top court decided that they are jointly responsible with Facebook for the transfer of people's data.

The court was looking at the case of Fashion ID, a German online clothing retailer, which had the Like button plugin installed on its website. The data of visitors to the website was being transferred back to Facebook without their knowledge, even if they hadn't clicked the button or weren't members of the social network, the court found.

According to the judgment published by the Court of Justice of the European Union, Fashion ID and other websites like it cannot be responsible for what happens to the data after it's passed to Facebook, but they are responsible for "operations involving the collection and disclosure by transmission to Facebook."

The decision means that in the future, all websites transmitting data about European citizens back to Facebook and other social networks -- whether by a Like button or any other plugin -- must first get those citizens' explicit permission to do so in order to comply with strict EU data protection rules introduced last year. In accordance with Europe's General Data Protection Regulation, people must give explicit consent for their data to be collected.


Companies big and small are still learning how to comply fully with GDPR, and decisions such as the one made by the Court of Justice on Monday help clarify their roles when the lines are blurred. For Facebook and other social media companies, the judgment provides a clearer idea of which data collection and processing responsibilities are theirs alone, and which are shared by third parties.

"We welcome the clarity that today's decision brings to both websites and providers of plugins and similar tools," said Jack Gilbert, associate general counsel for Facebook. "We are carefully reviewing the court's decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law."
