That is the question now faced by millions of website operators as a result of the judgement delivered by the Courts of Justice for the European Union (CJEU) in the case of “Fashion ID GmbH & Co. KG and Verbraucherzentrale NRW eV, concerning Fashion ID’s embedding of a social plugin provided by Facebook Ireland Ltd on the website of Fashion ID”, who, on the 29th July 2019, ruled that website operators who install Facebook “Like” buttons are determined to be Joint Controllers with Facebook*. This latest post from GDPRPLAN looks at the implications that this judgement will have between website operators and 3rd party technology providers, vendors and suppliers, with some helpful guidance to help affected parties with their compliance obligations.

The CJEU judgement will have a serious impact across the digital world, because if you’re a website operator (such as an e-commerce retailer or brand, or a newspaper/television/magazine/trade journal website) and you’ve integrated a Facebook “Like” button that then shares the page that you’re reading on to your profile to your friends, that user’s personal information (in the form of a unique identifier) is collected by both you and by Facebook. The latter can determine what happens with that user’s information – such as profiling them, or selling advertiser solutions to businesses using that user’s “Like” (or other “reactionary” behaviour such as sharing), and who knows who’s buying that user’s profile or behaviour or interests and what they’re doing with it?

There is also the capability of Facebook (in the case of this judgement) collecting all of that user’s “Like” activity in order to create a profile of him/her and then serve targeted ads or content (and possibly sell that users profile to other advertisers who are looking for a similar profile to serve their ads to). All of this is possible from what seems like an innocent act of appreciation for a product or news story that was published on the website operator site (the e-commerce brand/publisher/news site) who (as soon as the user interacts with any tracking or plugin) has no control as to what happens with that users information.

Let’s assume that the user gave their consent for the website owner and social plugin provider to collect their personal information, what process is in place to ensure that the user’s data is processed only in accordance with what they’ve consented to and who is liable for the loss of the confidentiality, integrity, and availability between the website operator and the 3rd party (in this case social media plugin)? Who has control over that user’s personal information once it’s been collected and sold on by the social plugin and what controls does the website owner have in place to ensure that user’s information is adequately protected?

The CJEU judgement is significant because it doesn’t just apply to Facebook or social media plugins. The website operator is ultimately accountable for any 3rd party tracking solution. That includes advertising and marketing technology providers who collect (in conjunction with the website operator) personal information of website users such such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that “natural person”).

If that information is then overlaid or matched with other data points such as “click reference/id” AND ”source” AND ”device id” AND ”location” AND ”products viewed” AND ”other websites visited” AND “order ID”) on a device (such as desktop/mobile/handheld or any other form of electronic device) via either/or any of the following, then this calls for a serious review on the following disciplines – regardless of whether the website operator is pursuing these activities directly or via the services of an intermediary (such as an advertising agency):

  • Sponsored Search Engine (Pay Per Click) listings
  • Content Ads (for example – like those “Sponsored Links” that you often see on news/media sites)
  • Product Listings Adverts on Search Engine Shopping channels and comparison shopping engines/sites
  • Affiliate Marketing & influencer (blogger) marketing ads and text links
  • Social Media sharing
  • Display advertising
  • Behavioural Targeting & Re-targeting advertising through display/email/social media


So what are the options and possible solutions?

The website operator and 3rd party technology partner will have to maintain a record of the processing activities under its responsibility, the category of personal data collected & processed, as well as the contact details of any of the controllers and processors that is involved with the collection and processing of that users data, and that contact information must be made available to the user before that data is collected. If that data is transferred outside of the European Economic Area then it is the responsibility of the organisation (who collects that data) to ensure adequate safeguards are in place during the storing and transferring or any other processing of that data outside the EEA.


Micky Khanna, founder of GDPRPLAN says:

“This CJEU judgement has serious implications for the digital marketing industry given the over-reliance on Facebook Like buttons as well as other social media plugins and 3rd party tracking solutions deployed by retailers, brands, and publishers. Even though this case relates to the previous Data Protection Directive 95/46, the implications for Joint Controllers under the General Data Protection Regulation (which became enforceable as of 25th May 2018) is significant, with possible enforcement/sanctions, and/or penalties far more severe than under the GDPR’s predecessor. Each business will need to assess their own circumstances and relationships between their users and 3rd party technology partners and where (both operationally and geographically) that personal data is transferred to/from and stored.

What remains consistent however, is the need for Controllers (including joint controllers) and Processors to instill appropriate technical and organisational measures to ensure the confidentiality, integrity and availability personal information. Ignoring these obligations could leave your business open to the maximum fine possible under the UK DPA 2018/EU GDPR or possibly even a demand to stop collecting and processing personal data.”


For further information and advice on 3rd party vendor/supplier contracts email today.

*The full judgement can be found here:


Featured Image by sprklg – Quartier Européen Nord, Kirchberg, CC BY-SA 2.0,