On 9 March 2016 the Düsseldorf Regional Court in Germany ruled that an online shopping site, Peek & Cloppenburg, which integrated Facebook’s “like” button into its website had violated users’ privacy rights.
How the “like” button works
The button allows website users who click on it to share instantly the pages and content from the website on their Facebook profiles. This technology is a rapidly-growing marketing tool.
What most people are not aware of is that this button also uses cookies that automatically send personal information, such as the user’s IP address and browser string, from the website user’s computer to Facebook when the website is accessed. This transmission of information occurs even if the button is not clicked or the user is not a registered Facebook user.
Although the German case related to the Facebook “like” button, it applies equally to other social media buttons, such as those used for LinkedIn, Twitter and Google+, all of which result in similar data transfers.
Finding of the Court
Having found that the IP addresses amounted to personal information and that the transfer of IP addresses to Facebook was not necessary for the functioning of the website, the court found that Peek & Cloppenburg violated German data privacy laws when it integrated the button into its website.
The court held that the link to a data protection statement at the bottom of the website could not save the business’ defense. The court held that the link was insufficient to constitute an indication that data was being, or would be, processed.
The court found against Peek & Cloppenburg because the personal information of users was sent to Facebook without the user’s prior, express consent or approval and there was no method of revoking the data transfer. The court ruled that users should have consented and been informed of what personal information was being processed and the purpose of the processing.
A South African take
Although the Protection of Personal Information Act, 2013 (POPI) is not yet fully in force, POPI has similar requirements to inform data subjects (in this case, the website users) of the personal information being processed and the purpose of the processing, and to obtain their consent to processing.
The website owner will likely be a “responsible party” under POPI because the owner determines the purpose, and means, of processing the personal information, namely allowing the integration of the button on the website to transmit information to Facebook regardless of the fact that the transmission occurs automatically.
The Information Regulator and South African courts may come to a similar conclusion once POPI is in force, but the issue may turn on the adequacy of the website’s privacy policy and terms and conditions. Many of these terms specify that consent is given by the user using the website. Whether this “consent” amounts to voluntary, specific and informed consent, as required by POPI, would probably depend on the circumstances of each case.
