Sites using Facebook ‘Like’ button liable for data, EU court rules

&quot;He warned that the decision would go beyond Facebook and effect all social media plug ins, which are important for many firms to expand their reach on the web.&quot;<p>Add an image on your own website that links to Facebook. Problem solved. You keep your like buttons, their servers are no longer involved in serving your web page.

Sites using the like button are dumb to begin with, especially if they are in e-commerce. You’re handing your competitors an ability to do lookalike targeting of your customers via Facebook ads. This is one of the biggest advantages of that platform. Surprised nobody writes about this while gasping at Facebook’s profits.

I think all these privacy protection rulings are a step in the right direction, in that we are seeing governments respond to dark patterns similar to how they respond to spam and telemarketing.<p>The loose thread now is in how the companies are required to communicate their data mining. These twenty page privacy policies that I agree to with a flick of the scrollbar and a button click, or these equally boring popovers when I visit a site, are where the governmental innovation needs to happen next.

I get the sentiment, but wouldn’t this apply to something as simple and fundamental to the web as including an image that I don’t host on my webpage? The 3rd party hosting that image could be collecting a decent amount of data about people accessing it - I really have no idea what they’re doing, or any way to verify it.<p>This ruling feels poorly thought out to me. Activities on the web aren’t totally private, that’s how it’s always been. Getting rid of 3rd party content makes it ... kind of not the web anymore.

&gt; Bitkom, a German trade federation for online businesses criticised the ruling, saying it would heap costly bureaucracy on firms without enhancing consumer protection.<p>Swap &quot;costly&quot; for &quot;mildly inconvenient&quot; and then I could almost see where they&#x27;re coming from but I think they&#x27;re missing the forest for the trees here. Let the &quot;like button&quot; die, rulings like this take the wind out from beneath it and eventually it&#x27;s a metric you&#x27;ll never be burdened with.

The best part:<p>&gt; Under EU data protection law, therefore, a European retailer and the US platform are jointly responsible for gathering the data<p>I really hope this means that Facebook and all those stats&#x2F;ads providers can be held responsible if they don&#x27;t take adequate measures to ensure that only data from users who have given valid consent is sent.<p>Going after individual site operators is a fight against windmills. It would be much more effective if they could go after a company that provides an Ad SDK to hundreds of thousands of apps, but just tells the app developers in the fine print &quot;by using this SDK you confirm that you have gotten consent from your users&quot; - and as a result, knowingly accepts that nobody will care and data from non-consenting users will be collected.

Will EU regulate mobile apps and the two dominant platforms too? On web I&#x27;m safe using blockers, no JS etc. But on my phone I lack alternatives to suppress privacy abusers.

How much value does like and other sharing buttons provide to anyone other than Facebook&#x2F;Google&#x2F;Twitter these days? I’d argue very little.<p>I used to work for one of the larger social sites in the UK with many millions of unique users and we found that the social buttons got next to no engagement. Before I left we began the conversation about removing them entirely as they were just dead space on the page.

Wouldn&#x27;t the same logic, apply for users clicking on ads?

I wonder if this will end up being applied to the usage of third party CDNs as well such as Google Fonts.

It is interesting how with the many copyright and data protection acts and rules, that the EU is, in effect creating a whole new type of decentralised firewall for content for want of another way of perceiving it all.<p>Though this is a firewall for the people against business practice&#x2F;malpractices. Which is a good thing. I&#x27;m sure there will be many cases of this causing issues, but on the whole, it does fall in the favour of the end-user, us the people.<p>I say firewall, more an IDS that reacts to breaches. But it is good how they are at least not ignoring and overlooking such details and this is a fine example of it being well thought out.

What exactly is the data being transferred? It is that the user has visited the site, correct?<p>The only way the third party site can know that is via third party cookies, or attempting fingerprinting as a third party iframe. Do you see any other way?<p>I thought that the EU already realized that this is a matter of cookies - in this case third party cookies of a site that you HAVE logged into. Browser makers should just let the user make a decision whether they want the requests to be automatically sent with third party cookies in this case — OR to explicitly approve every single time they log in using oAuth or want to share something.<p>Whatever happened to this proposed law from 2017, which correctly realized that it’s the Browser’s responsibility to let the user select the cookie policy they want:<p><a href="https:&#x2F;&#x2F;www.kitguru.net&#x2F;channel&#x2F;generaltech&#x2F;matthew-wilson&#x2F;the-european-union-proposes-law-to-stop-browser-cookie-pop-ups&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.kitguru.net&#x2F;channel&#x2F;generaltech&#x2F;matthew-wilson&#x2F;t...</a>

Do facebook Like button really matter anymore? I mean my page has over 5000 likes but there&#x27;s almost nil traffic on my blog through my page. I have removed like button from my website and nothing has been impacted

<a href="http:&#x2F;&#x2F;panzi.github.io&#x2F;SocialSharePrivacy&#x2F;" rel="nofollow">http:&#x2F;&#x2F;panzi.github.io&#x2F;SocialSharePrivacy&#x2F;</a><p>IMO, decent websites have been using something like that for a long time (the small subset of them that have like buttons, that is), so nothing will change for them.

The important crux of the problem is that the current model for <i>all</i> “like”&#x2F;“social” buttons is that simply including the link grossly violates your user’s privacy.<p>Why should I have to surrender my privacy to read an article on your site? Why do you think that it’s ok?<p>The <i>only</i> time a your site should be sending tracking information to someone your user’s have not explicitly stated they want <i>you</i> specifically to share is when they have actually interact with the bottom. Not a mouse over, not a resource load, not an invisible overlay.<p>The use has to consciously opt to do that.<p>If you can’t ensure that your site isn’t abusing users&#x2F;readers you need to gate <i>all</i> your pages with a page stating that you will be providing other companies with tracking information that provides your browsing history. You should also list all of the companies you will be sending that data to.<p>If you don’t want to do that because it will hurt “engagement” or “conversion” that’s your problem.<p>Alternatively you could have a banner that says “you’ve used our site so we sent information about your browsing history to these companies, and there is no support for deleting that information. We recognize that you may not like that but we don’t care about your privacy, and have no intention to preserve it”

Would this include ad-tech, like advertising cookies and other tracking stuff (specifically, not Facebook &#x2F; google ones)?

What bugs me, is most sites dealing with the issue throw up an &quot;Accept&quot; button with whatever blurb in place, but they&#x27;re already including the metrics&#x2F;etc scripts before accept happens.<p>I mean, I get it... but the whole point was to stop the behavior, not side step it.

Can this verdict be extended to cover Google analytics and all other 3rd party tracking?

That&#x27;s what I really like about the EU. At least sometimes it tries to serve it&#x27;s people.

This sounds like a great precedent.<p>A side project of mine, starting in the Junkbuster days, is fighting cross-site tracking&#x2F;profiling, and almost every Web site does it at least a little. Legal precedents suggesting liability for that seems huge, and maybe end the technological arms race (which I think the privacy&amp;security people will otherwise ultimately lose).

&gt; Bitkom, a German trade federation for online businesses criticised the ruling, saying it would heap costly bureaucracy on firms without enhancing consumer protection.<p>What cost is involved by not embedding third party bescons on your website?<p>How does it not improve consumer protections? It&#x27;s literally stopping doing the thing that is causing harm.<p>&gt; “With its decision, the ECJ places enormous responsibility on thousands of website operators – from small travel blogs to online megastores and the portals of large publishers,” Bitkom CEA Bernard Rohleder said.<p>Yes, this is exactly how serious this situation is. I&#x27;m glad you&#x27;re getting a handle on just how damn huge this problem really is. Aren&#x27;t you glad we&#x27;re finally doing something about it?<p>&gt; He warned that the decision would go beyond Facebook and effect all social media plug ins, which are important for many firms to expand their reach on the web<p>Uh, yes, that&#x27;s the the idea? Your firm&#x27;s right to expand their reach does not overrule my right to privacy.<p>People can still share and like your links on the social platforms. It doesn&#x27;t require me to be forced into it.

And Google Analytics tracking system?. I guess every site on earth has it!

Good. The sooner the like button and all the other &#x27;social media&#x27; plug ins disappear the better. It&#x27;s trivial to host the button and the link on your own pages. That way only the actual likes get counted.

For those that want to show official Share Counts on their Share Buttons while maintaining User Privacy, take a look at Shareaholic&#x27;s Share Count Proxy -<p><a href="https:&#x2F;&#x2F;www.shareaholic.com&#x2F;blog&#x2F;social-share-count-api&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.shareaholic.com&#x2F;blog&#x2F;social-share-count-api&#x2F;</a><p>Share Count queries to the Social Networks are proxied through this service securely and visitor privacy is protected... like an anonymous VPN.

The entire Cookie warning fiasco should never have been about cookies. That scared people from using cookies - even authentication related ones. It should have been about connecting your browser to unrelated domains owned by a third party. I mentioned this in a previous post, but when you&#x27;re logged into your CVS pharmacy account I get tons of connections to Facebook.

Everything that stops them from feeding my shadow profile to FB is welcome. I never gave my consent for that shit.

what&#x27;s really missing in all this GDPR and privacy discussion is a technical way to enforce it. If you have a large multinational company with 50 TLD&#x27;s you might have several hundred (including all the subdomains) that are Internet facing.<p>For a company on that scale to remain compliant to things like cookie law (mention every cookie and what it does for opt-in) there is no easy way to see if you&#x27;re compliant. We need some standard (like security.txt) which defines how cookie data, impressum or other site specific links are expected which has to be machine readable. Right now every company creates it&#x27;s own mess of html which is no fun scraping to figure out if the company is compliant or not. (yet scraping is what everyone in compliance expects to happen).<p>I wonder how these laws can be enforced without creating a huge administrative backlog.

This is a great ruling, big win for privacy advocates and Europeans!

a side effect of the ruling is that now facebook is NOT liable for that consent, and google is not liable for analytics &#x2F; adsense. Will the EU start going after the little guys now?

Tears of joy.

And google analytics tracking system? I guess every site on earth has that.

GDPR needs to be sharpened to state that you can’t even show a different service <i>at all</i> based on consent relating to third party data sharing.<p>That is: “to give you this service we need to store some info” - OK.<p>“To give you this service we need to share info with advertisers” - not ok.<p>That is: you need to be able to provide the service using only non targeted ads if the user wants it.

I think GDPR requires website owner to inform users what exactly is being processed and by who. The problem for website owners is that Facebook won&#x27;t really tell what data they process and who will they share it with or they do not seem to allow to revoke consent.

oh lordy

The EU is out of control and is ruining the Internet.

This is totally insane. Stop ruining the internet before it&#x27;s too late, EU.

From the article:<p>&gt; According to the European Court of Justice ruling, a site that embeds the Facebook “like” icon and link on its pages also sends user data to the US web giant.<p>This is categorically false. The site that embeds the like icon is sending absolutely nothing to Facebook. The user&#x27;s browser is the one sending information. You have control over your browser. You can do something about it if you don&#x27;t like it.<p>The EU&#x27;s regulations infantilize the public and removes consumer choice.

EU shooting themselves in the foot with all these data rulings. Innovation will never happen there, US tech products will slowly suck the wealth out of European nations, much like China manufacturing sucked the wealth out of the us manufacturing sector.