Time to ditch the Facebook "Like" button on your website

Does your site use Facebook’s “Like” button? If so, you could be facing significant liability in the European Union. A recent ruling by the Court of Justice of the European Union made it clear that the operator of a website that features a Facebook “Like” button can be a data controller, jointly with Facebook, with respect to the collection and transmission to Facebook of the personal data of visitors to its website. The ruling doesn’t stop Facebook, or other companies with similar widgets, from offering these options; however, site operators must obtain consent from users before sending data to Facebook. Right now, data gets sent to Facebook as the page loads — before users have a chance to opt out. Website operators who wish to avoid this liability will need to rethink their design and, in my view, should seriously consider ditching the “Like” button altogether.

This recent decision involves German clothing retailer Fashion ID, which was sued for sending users’ personal data to Facebook. The Court of Justice found that Fashion ID wasn’t a “controller” of the data once Facebook had obtained it, but it could be considered responsible for its role in transmitting that data. The Court held that Fashion ID’s embedding of the Facebook “Like” button on its website allows it to optimize the publicity for its goods by making them more visible across Facebook’s network. Therefore, Fashion ID had at least implicitly agreed to collecting and transmitting personal data in order to benefit from that commercial advantage, without first obtaining user consent.

Remember, privacy by design is the name of the game in a post-GDPR world, and automatically sending user data to Facebook and other aggregators is no longer consequence-free.
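
For operators who keep a social widget, one way to stop data being sent as the page loads is a placeholder that injects the third-party script only after the visitor clicks. This is an added example, not code from the original post or from Facebook; the script URL, storage key and element id are assumed placeholders.

```javascript
// Consent-gated loading of a third-party social widget (added example).
// WIDGET_SRC is a placeholder; substitute the vendor script your site embeds.
const WIDGET_SRC = 'https://widget.example/sdk.js'; // hypothetical URL
const CONSENT_KEY = 'social-widget-consent';        // hypothetical storage key

// Injects the vendor script. Until this runs, the browser makes no request
// to the third party, so no visitor data is transmitted to it.
function loadWidget(doc, src) {
  if (doc.querySelector(`script[src="${src}"]`)) return false; // already loaded
  const s = doc.createElement('script');
  s.src = src;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}

// Renders an inert placeholder button instead of the live widget. The vendor
// script loads only after an explicit click, or if consent was stored earlier.
function mountConsentGate(doc, storage, container, src = WIDGET_SRC) {
  if (storage.getItem(CONSENT_KEY) === 'granted') {
    loadWidget(doc, src);
    return 'loaded-from-stored-consent';
  }
  const btn = doc.createElement('button');
  btn.textContent = 'Enable social sharing (sends data to a third party)';
  btn.addEventListener('click', () => {
    storage.setItem(CONSENT_KEY, 'granted');
    container.removeChild(btn);
    loadWidget(doc, src);
  });
  container.appendChild(btn);
  return 'awaiting-consent';
}

// Clears the stored choice so the next page view shows the placeholder again.
// A script that is already loaded stays until the next navigation.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Browser wiring; skipped when no DOM is present (e.g. under Node).
if (typeof document !== 'undefined') {
  const el = document.getElementById('social-widget'); // hypothetical element id
  if (el) mountConsentGate(document, window.localStorage, el);
}
```

The check to run afterwards is in the browser's network panel: on a fresh visit, no request to the widget vendor should appear until the placeholder is clicked.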