In light of the recent ruling of the European Court of Justice, website owners have to respect data protection responsibilities when using plug-ins on their websites.
The case concerns the German company FashionID, which had a Facebook plug-in installed on its website. The program was used to transfer personal data to Facebook without the visitor of the website being aware of it, regardless of whether he or she had a Facebook account or whether he or she had pressed the “Like” button.
The court explained in the decision that in such a situation, the owner of the website is a joint controller with Facebook of the personal data that is collected and sent to Facebook. The owner of the website is not a controller regarding the subsequent processing of personal data, which is processed by Facebook alone.
The court found that FashionID could be considered a joint controller with Facebook, as FashionID and Facebook jointly determine the means and purposes of data processing operations when assessing the collection and transfer of personal data.
Using the Facebook plug-in on the website allows FashionID to optimize the advertising of its products, making them more visible and providing them with a clear business advantage. This shows that using the plug-in is in the financial interest of both FashionID and Facebook.
The court clarified that before sending data to Facebook, a website must obtain consent unless legitimate interest as a legal basis for the processing is used. Such consent must be separate and specific to such a processing operation.
Personal data from the websites is sent to Facebook already when the page is loaded, i.e. before the user has the opportunity to cancel it. However, according to data protection rules, consent must be sought before sending personal data to third parties via plug-ins.
Such consent can be added to the cookie notification bar together with an explanation of the services to which the personal data will be transmitted. In that case, the request for consent shall be clear and transparent.
It is also possible to set up plugins in a way that sending the information will be held off until a website visitor has given consent, i.e. they have clicked on the cookie bar.