Sites could be liable for helping Facebook secretly track your web browsing, says EU court

The European Union’s top court says website owners could face legal risk over Facebook’s ubiquitous “Like” buttons. The Court of Justice of the European Union ruled today that site owners could be held liable for transmitting data to Facebook without users’ consent — which appears to be exactly what happens when users visit a site with a Like button, whether or not they click it.

The ruling doesn’t stop Facebook, or other companies with similar widgets, from offering these options. But sites must obtain consent from users before sending data to Facebook, unless they can demonstrate a “legitimate interest” in doing otherwise. Right now, data gets seemingly sent to Facebook as the page loads — before users have a chance to opt out. So in the future, sites might have to approach Like buttons differently.

The case involves a Germany clothing retailer Fashion ID, which was sued for sending users’ personal data to Facebook. The court found that Fashion ID wasn’t a “controller” of the data once Facebook had obtained it, but it could be considered responsible for its role in transmitting that data. “Fashion ID’s embedding of the Facebook ‘Like’ button on its website allows it to optimize the publicity for its goods by making them more visible on the Facebook social network,” says a press release. Therefore, Fashion ID had at least implicitly consented to collecting and transmitting personal data “in order to benefit from that commercial advantage.”

In a statement to TechCrunch, Facebook associate general counsel Jack Gilbert said Facebook “welcome[d] the clarity” of the decision. “We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law,” said Gilbert. That could include making unspecified changes to how the Like button works.

The US government recently fined Facebook $5 billion for failing to protect data provided by Facebook users. But the company has also used its widgets to track people on sites across the web, regardless of whether visitors have Facebook accounts. (Other embedded social media buttons can also track you, although some — like Pinterest — offer opt-out options.) Today’s decision almost certainly won’t change the Like button’s popularity, but it could at least make its tracking functions more obvious.