If websites make use of social plugins, the ECJ has ruled that the provider and the operator of the site are jointly responsible for the collection and transfer of personal user information.
Many website operators use what are referred to as social plugins by embedding them on their website. While the site operators are then jointly responsible for the collection and transfer of personal information, they are generally not responsible for the subsequent processing of this data by the provider of the social plugins. That was the verdict of the European Court of Justice in a ruling from July 29 (Az.: C-40/17). We at the commercial law firm MTR Rechtsanwälte note that this might mean in practice that website operators have to obtain the consent of their users, for instance by requiring an extra click for consent.
An online fashion retailer had embedded a “Gefällt mir” button, i.e., a “like” button, on its website. The consumer advice center for the German state of North Rhine-Westphalia, the Verbraucherzentrale NRW, took issue with this. It claimed that because of the button, personal information was being transferred to the provider of the social plugin from just loading the webpage, and that this was happening without the user’s knowledge and irrespective of whether the user was even registered with the relevant social network.
The Verbraucherzentrale considered the integration of the button a breach of data protection laws and filed an injunction suit. The case came before the ECJ.
The European Court of Justice held that the operator of the website may be deemed to be jointly responsible, together with the provider of the social plugin, for the collection and transfer of personal information, as it could be assumed that the website operator and the plugin provider jointly decided on the purposes and means, and that they both have an economic interest in the data. The Court went on to state that the operator of this kind of website must, therefore, make certain information available to users at the point in time when the data is being collected, for example regarding identity and the purpose of processing. However, the site operator is generally not responsible for the subsequent processing of the data after it has been transferred.
While the final details have yet to be clarified by the OLG Düsseldorf, website operators need to prepare themselves for having to obtain the consent of their users if the former wish to embed social plugins on their website. Lawyers with experience in IT law can offer advice.