Lots of websites include “Like” buttons. Fashion ID’s site (they are a German online clothing retailer) is one of them. If site visitors “like” an item on Fashion ID’s site, then that item will feature more prominently on Facebook. Unfortunately, including a “Like” button sends a visitor’s information to Facebook even if the visitor doesn’t click it. The ECJ noted that when a web page that includes a Facebook “Like” button loads the visitor’s IP address and browser string (information about the browser, operating system, and computer being used) are sent to Facebook. Facebook then places cookies on the visitor’s computer. All of this takes place without the visitor’s knowledge or consent, and it happens whether or not the visitor is a Facebook user.
Verbraucherzentrale NRW, a consumer protection organization in Germany, brought suit against Fashion ID alleging that the company did not (1) inform site visitors that their data was being collected and shared with Facebook, (2) explain why information was being collected and shared, (3) obtain the necessary consent, and (4) inform visitors to log out of Facebook if they don’t want their browsing information linked to their Facebook account. The suit sought an order preventing Fashion ID from using Facebook “Like” buttons because they violate the GDPR.
Fashion ID (supported by Facebook) argued that it had no obligations with respect to data transmitted because of its use of “Like” buttons because it has no control over how Facebook will process the data. The ECJ determined that Fashion ID controlled how Facebook collects data because it utilizes “Like” buttons. Ultimately, the court determined that Fashion ID and Facebook were jointly responsible for the collection of data. The court held that Fashion ID is not responsible for any violations resulting from Facebook’s processing of the personal information collected.
The Fashion ID decision is big news, folks. It is going to make compliance with the GDPR more difficult.
The decision is a good lesson on the reach of the GDPR. The regulation clearly will be applied to matters such as “Like” buttons on web pages that could easily be overlooked by companies concentrating on larger issues. Companies that are subject to the GDPR now must focus on each collection and transfer of personal information no matter how small and seemingly inconsequential.
The decision will have tremendously broad application. Every website of every company subject to the GDPR that includes social media and other similar plugins that collect and transmit data must now obtain users’ informed consent to do so. This is a problem Facebook and others must also address. While an easy solution would be to avoid using such plugins, that is a drastic step that I suspect few will take.
Companies may also now be at greater risk if they use web trackers. While the issue of web trackers (software that tracks a user’s web browsing activities) and their compliance with the GDPR is not new, the Fashion ID decision may expand the liability of companies with websites that use services such as AdRoll and Google Analytics.
Some of you may be wondering whether a similar situation will arise when the California Consumer Privacy Act (CCPA) becomes effective in January 2020. Fortunately for companies the answer is no. Unlike the GDPR, under which data controllers must obtain a data subject’s consent to share their information, under the CCPA data controllers can share information unless the consumer has opted out.
With an increased GDPR compliance burden comes increased costs for companies. Can cyber insurance help? On that subject I have good news and bad news.
First, the bad news. Cyber policies do not cover a company’s costs to comply with relevant legal obligations affecting its business. Those are viewed by insurers as operational costs that are not incurred because of a fortuitous event. Insurers historically have refused to cover a company’s operational costs.
The good news is that Cyber insurance can respond to claims such as the one against Fashion ID. The policy can cover defense expenses, monetary settlements, and fines if they prove to be legally insurable. Not every policy will respond to every claim, however. Policies that limit liability coverage to claims arising out of a breach of personally identifiable information may not respond if there is no breach and the claim is simply one for non-compliance with the GDPR. It is essential that companies subject to the GDPR ensure that their cyber policies are broad enough to cover any claim arising from non-compliance.