Facebook is one of the biggest companies in the world and almost all organizations use it to create their own sites. Many websites also embed Facebook’s Like button, which visitors can click to like the content of the site.
Do you know, for example, what data the Like button collects about the visitors to your website? Did you know that the data of visitors who have no Facebook account is also transferred to Facebook through the Like button?
Lately, Facebook has been in the news repeatedly, since it has turned out that it collects, or is used to collect, personal data by questionable means. The Court of Justice of the European Union has already twice expressed its view on how Facebook and the companies utilizing it are responsible for collecting personal data.
The Court of Justice of the European Union has ruled that if the website has Facebook’s Like button, the owner of the website needs to obtain the consent of the user prior to collecting and disclosing data to Facebook. Data may be transferred even if the visitor does not click on the Like button. The court has ruled in line with previous rulings that the owner of the website is a joint controller with Facebook in relation to the collection and disclosure of data and it must inform the visitors of the purposes of use. Facebook, on the other hand, is the controller in relation to processing and using the data.
Although both cases are based on the interpretation of the directive preceding the GDPR, the definition of the controller has not been changed by the GDPR as such. It can therefore be concluded that the interpretations of the GDPR are in line with these rulings. In practice, this is reflected in a strict attitude that an organization needs to inform the data subjects about the collection of their data if a Facebook page is created. In the cases concerning Facebook, the owners of the websites didn’t even have access to the personal data in question, but since they were considered to gain an advantage from collecting the data of the visitors, they had the obligation to provide information. Providing information can easily be done, for example, by drafting a privacy notice.
The authorities have already fined Facebook billions of dollars for neglecting privacy. People also seem to have realized how widely it actually collects data. In addition, the privacy authorities in the EU have fined other companies for data breaches and insufficient data protection measures. Thus, privacy issues should be taken seriously. What should every website owner know and what should be done in practice? We will discuss this and other topics related to e.g. cookies and marketing in our Privacy Academy (in Finnish) on September 25th, 2019.