The Court of Justice of the European Union has ruled that if a website has Facebook’s Like button, the owner of the website needs to obtain the consent of the user prior to collecting and disclosing data to Facebook. Data may be transferred even if the visitor does not click on the Like button. In line with previous rulings, the court has ruled that the owner of the website is a joint controller with Facebook in relation to the collection and disclosure of data, and that it must inform visitors of the purposes of use. Facebook, on the other hand, is the controller in relation to processing and using the data.
Although both cases are based on the interpretation of the directive preceding the GDPR, the definition of the controller has not been changed by the GDPR as such. It can therefore be concluded that the interpretations of the GDPR are in line with these rulings. In practice, this is reflected in a strict attitude: an organization that creates a Facebook page needs to inform the data subjects that their data is being collected. In the cases concerning Facebook, the owners of the websites didn’t even have access to the personal data in question, but since they were considered to gain an advantage from collecting the data of the visitors, they had the obligation to provide information. Providing information can easily be done, for example, by drafting a privacy notice.
The authorities have already fined Facebook billions of dollars for neglecting privacy. People also seem to have realized how widely it actually collects data. In addition, the privacy authorities in the EU have fined other companies for data breaches and insufficient data protection measures. Thus, privacy issues should be taken seriously. What should every website owner know, and what should be done in practice? We will discuss this and other topics related to e.g. cookies and marketing in our Privacy Academy (in Finnish) on September 25th, 2019.