Extracted from Law360
On July 29, 2019, the European Court of Justice issued its decision in the case of FashionID GmbH & Co. KG v. Verbraucherzentrale NRW. The ECJ found that websites that integrate Facebook plugins are jointly responsible for the data collected by those plugins and sent to Facebook.
Despite the somewhat innocuous-sounding holding, this decision is a major milestone in determining who is responsible (and liable) for the routine integrations that occur on practically every website. The court’s reasoning arguably applies beyond Facebook to the broader third-party advertising environment. It will potentially have implications for website publishers of all kinds and also for the online advertising ecosystem.
The FashionID case recently became available in English, although it was initially available in German (as the language of the lower proceedings). This article is intended as an “everything your company needs to know” convenience summary of the case. It starts with a summary of the case — facts, procedural history and key holdings. Then, we address (1) what the immediate action items are for companies and (2) what the broader implications of FashionID are — and they are significant.
Summary of the Case
FashionID is an online retailer that sells a range of clothing and accessories from its e-commerce websites, which feature Facebook’s “like” button that allows shoppers to “like” items and have them shared on Facebook. The Facebook like button appears to have been configured to automatically transfer data to Facebook about all FashionID website visitors, regardless of whether they (1) used the like button or (2) were logged into Facebook.
The case arose in 2015, when the Consumer Center of North Rhine-Westphalia sued FashionID to enjoin its use of the like button. The CCNRW argued that FashionID needed to provide privacy notices about Facebook’s data collection and obtain website visitors’ consent before data is transferred to Facebook. CCNRW was able to bring suit based on Germany’s Law Against Unfair Trade Practices, which grants qualified consumer-rights organizations statutory standing to sue on behalf of consumers to enjoin violations of certain market-conduct rules.
The CCNRW won in part on the merits at the trial court. FashionID appealed to the Düsseldorf Higher Regional Court, which referred the proceedings to the ECJ.
Findings of the ECJ
Limited joint controllership exists for like buttons.
The ECJ found that FashionID could be considered a joint controller of personal data collected by Facebook’s like button, albeit only to a limited extent. The ECJ held that FashionID and Facebook were joint controllers in regard to (1) collecting personal data via the like button and (2) transferring that data to Facebook. However, the ECJ also suggested there could be further “phases” of processing by Facebook for which FashionID is not jointly responsible.
It is unclear whether website operators need to obtain consent for like buttons.
One of the key questions from the German litigation was whether FashionID needed to obtain user consent prior to collecting and transferring like button data to Facebook or whether it could rely on its legitimate interests.
The ECJ largely punted on this question. It indicated that the special consent rule in Article 5(3) of Directive 2002/58/EC — which requires consent to be obtained any time (1) information is stored on a user’s terminal device or (2) information stored on a user’s terminal device is accessed — should decide the issue. The ECJ did not determine whether either of these prongs was satisfied in FashionID’s case. Instead, it remanded the question to the Düsseldorf Higher Regional Court for further factual findings.
But if consent is required, publishers only need to obtain limited consents.
Despite punting on the consent issue, the ECJ clarified that if website operators must obtain consent to integrate a live like button, the scope of the consent they must obtain is limited. According to the ECJ, website publishers only need to obtain consent for processing they jointly control, i.e., the initial collection of data via the like button and its transmission to Facebook. Websites would not be obligated to obtain consent for subsequent phases of processing by Facebook.
Privacy notice disclosures relating to like buttons are similarly limited.
The ECJ stated that the "limited scoping" rule as it applies to consent also applied to the transparency websites would need to provide users via privacy notices. Disclosures relating to like buttons would only need to inform users about the collection of data jointly controlled by the website operator, i.e., initial collection and transmission to Facebook, but not about subsequent processing by Facebook. However, the ECJ stated that privacy notices must be provided “immediately … when the data are collected.”
Remedies and liability in the data protection context are wide open.
Two final issues are likely to reappear in subsequent ECJ data protection decisions. First, the German litigation centered on whether the EU Data Protection Directive and General Data Protection Regulation precluded member states from establishing remedies such as the fair-trade practices statutory standing that permitted the CCNRW to sue FashionID. The ECJ roundly rejected that argument, indicating that member states had broad flexibility to design such remedies.
Second, the ECJ suggested that member states can devise civil liability rules that go beyond the GDPR’s concept of “joint controllers” to extend liability to different parties that touch the same data in the processing chain. The ECJ stated that the GDPR joint controller rules only make parties responsible for processing operations for which they jointly determine the purposes and means but not for any “upstream” or “downstream” processing of jointly controlled operations.
At the same time, however, the ECJ said that this rule is “without prejudice to civil liability provided for in national law,” implying that member states could enact measures that hold more parties accountable for processing operations than is contemplated under the GDPR’s joint controller rules.
Immediate Action Items
1. Publishers, update your privacy notices! Website publishers who integrate Facebook plugins are now joint controllers with Facebook for a limited set of processing operations. Website privacy notices need to be updated to include appropriate information about this fact.
However, as indicated above, the disclosures in the privacy notice only need to relate to (1) the collection of data via a Facebook like button and (2) the transmission of that data to Facebook. Disclosures do not necessarily need to encompass subsequent processing that Facebook may conduct.
2. Publishers, get ready to manage joint controller agreements and obligations with Facebook. As joint controllers with Facebook — even to a limited extent — website publishers will be subject to the requirement of GDPR Article 26 to (1) enter into an “arrangement” detailing each joint controller’s responsibilities and (2) make “the essence” of that arrangement accessible to data subjects.
In earlier instances in which Facebook was held to be a joint controller, i.e. in the fan page context, it elected to provide joint-controller terms to companies that use its platform. It may do the same here. If not, however, website publishers will need to take the initiative in seeking appropriate joint controller terms from Facebook.
3. Watch how the market handles social media plugin integrations. Commercial websites generally integrate social media plugins, not just from Facebook, but also from LinkedIn, Twitter, Pinterest, etc. Most of these plugins are integrated without any code that “deactivates” them until, e.g., a user logs into her Facebook account or affirmatively clicks on a sharing icon.
The ECJ’s decision, however, states that privacy notice disclosures about Facebook like buttons must be provided “immediately, that is to say, when the data are collected.” Arguably, having a general privacy notice that can be accessed from any page on a website provides immediate notice about data collection via a like button.
Still, it would not be inconceivable for European regulators to start suggesting that the integration of social media plugins needs to be tightened up, so that data flows to social media providers occur only when users are already logged in to social media or take some other affirmative action after having been informed about data sharing with social media providers. This kind of requirement would not be unambiguously supported by FashionID, but has been floated by regulators in the past. It will be important to watch the market’s response, and particularly — as discussed immediately below — to see how the Düsseldorf Higher Regional Court addresses the issue.
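The "tightened up" integration described above is usually implemented as a two-click or consent-gated plugin: the page renders a neutral placeholder, and the social network's script is only requested after the visitor reads a short notice and clicks. Until that click no request (and therefore none of the visitor's IP address, browser type or similar request data) reaches the provider. The following is an added illustration, not code from the article or from any plugin provider; the gating logic is separated from the browser wiring so it can be exercised without a DOM, and the script URL and element id are placeholders.

```javascript
// Added example: consent-gated ("two-click") loading of a third-party social plugin.
// The third-party script is not fetched until the visitor explicitly activates it.

// Pure gating state machine, independent of the DOM, so it can be tested in isolation.
// loadThirdParty is the only thing that contacts the provider; it runs at most once.
function createPluginGate(loadThirdParty) {
  let state = 'placeholder'; // 'placeholder' until the visitor clicks, then 'loaded'
  let loads = 0;
  return {
    state: () => state,
    loadCount: () => loads,
    // Must be called only from an explicit user action (click on the placeholder).
    // Returns true if this call triggered the load, false if already loaded.
    activate() {
      if (state === 'loaded') return false; // idempotent: a second click loads nothing
      state = 'loaded';
      loads += 1;
      loadThirdParty();
      return true;
    },
  };
}

// Browser wiring: renders a placeholder button with a notice and injects the
// provider's <script> only after the click. pluginSrc is a placeholder URL.
function mountGatedPlugin(container, pluginSrc, noticeText) {
  const gate = createPluginGate(() => {
    const s = document.createElement('script');
    s.src = pluginSrc;   // first request to the provider happens here, post-click
    s.async = true;
    container.appendChild(s);
  });
  const btn = document.createElement('button');
  btn.type = 'button';
  btn.textContent = noticeText; // the "immediate" notice, shown before any data flows
  btn.addEventListener('click', () => {
    gate.activate();
    btn.remove();
  });
  container.appendChild(btn);
  return gate;
}

// Usage in a page (placeholder ids/URLs; skipped when run outside a browser).
if (typeof document !== 'undefined') {
  const slot = document.getElementById('like-slot'); // hypothetical container element
  if (slot) {
    mountGatedPlugin(
      slot,
      'https://example.invalid/social-plugin.js', // placeholder, not a real provider URL
      'Enable the share button (loads a third-party script that receives your IP address and browser details)'
    );
  }
}
```

The design point is that the provider's script tag simply does not exist in the document before the click, so there is nothing for the browser to fetch; a passive "you may opt out" notice would not achieve that, because the request has already been sent by the time the visitor reads it.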
4. Plugin providers, start thinking about what kind of technical solutions you might develop to help publishers get consent for you. The ECJ’s decision indicates that website publishers are not legally required to obtain consent for the downstream uses that plugin providers want to make of data collected via plugins. Often, as between publishers and providers, obtaining appropriate consents for the down-the-line provider is addressed in contractual terms.
But it is also an open question as to whether publishers can build the technical infrastructure needed to obtain the type of granular, demonstrable consent that is required under GDPR Article 7, and publishers will likely be averse to warranting that consents generated by publisher-created solutions will satisfy GDPR requirements.
Most likely, plugin providers would be well-served to start putting in the leg work of figuring out how to provide publishers with plug-and-play solutions for obtaining GDPR consent. Of course, whether consent is required is still open. But if consent requirements come, plugin providers may not want to be in a position of asking themselves what an MVP looks like.
Larger Implications of the FashionID Decision
1. Follow the Düsseldorf Higher Regional Court's upcoming decision on consent requirements closely. As stated above, the ECJ left open the enormous question of whether consent is required in order to integrate a "live" Facebook plugin into a website and remanded that question back to the Düsseldorf court. The Düsseldorf court’s decision may shape up to be momentous. A Facebook plugin is in many ways similar to other cookies, pixels, tags, scripts, or other third-party code or content that routinely gets integrated into websites. A finding that Facebook plugins require user consent could potentially spread to other common integrations, such as other social media pixels, common website tags or third-party cookies used for audience tracking, measuring and retargeting.
At the same time, the rule the Düsseldorf Higher Regional Court has been asked to apply is anything but clear. The ECJ has effectively instructed the court to determine whether a Facebook like button triggers Article 5(3) of the e-privacy directive’s special consent rule, i.e., by (1) storing information on a user’s terminal device or by (2) accessing information stored on a user’s terminal device. The terms of Article 5(3) of the e-privacy directive are not extensively litigated and leave room for arguments on many sides.
For example, a Facebook like button may not necessarily “access” information on a user’s terminal device, but it may collect and transmit information about the user’s browser type, IP address, operating system and the like. However, practically every website on the planet will collect the same information about all its users via the client requests the users send to simply access the website under the Internet’s governing protocols. Should routine client requests require consent as well?
Similarly, it could be argued that a Facebook like button is in some sense “stored” on a user’s terminal device when the user loads the website that contains the button. But again, if I build a website, the simple process of loading that website onto a user’s browser will at least arguably result in some “storage of information” on the user’s device, and it can be questioned as to how much of the storage is “strictly necessary” to provide the website to the user.
No courts or regulators have yet suggested that websites should have to provide a full notice-and-consent layer whenever an individual wants to visit a website. But the broad language of Article 5(3) of the e-privacy directive potentially brings even these kinds of basic internet design issues into the debate.
Hopefully, the Düsseldorf Higher Regional Court will engage with the manifold technical issues potentially impacted by its upcoming decision. The German court system does not typically permit the filing of amicus curiae briefs. But if there were a case meriting support by competent technical amici, this would be a good candidate.
2. Did the ECJ just attempt to directly apply Article 5(3) of the e-privacy directive throughout the European Union without regard to national implementing legislation? It is surprising that the ECJ would make the question of “Is consent needed for Facebook plugins?” entirely dependent on Article 5(3) of the e-privacy directive. Passed in 2009, Article 5(3) requires online actors to obtain consent for any “storing of information” or “gaining of access to information already stored” on a terminal device.
This was originally conceived as introducing consent rules for cookies, although debate has raged as to whether it was intended as an opt-in or opt-out rule. In any case, as a provision in a directive, Article 5(3) has no direct effect and is only effective as implemented by statutes passed by each member state. The member states have implemented Article 5(3) of the e-privacy directive, albeit with approaches that differ significantly as to whether consent must be express, prior and/or opt-in.
It is therefore curious that the ECJ entirely skips over any applicable national legislation and has asked the Düsseldorf Higher Regional Court to apply Article 5(3) of the e-privacy directive directly. Germany has statutes (called the Telemedia Act) that the German government claims implement Article 5(3), and the ECJ expressly referenced the Telemedia Act as potentially applicable law in the recitals to FashionID.
But when it came time for a rule of decision, the ECJ instructed the Düsseldorf Higher Regional Court to apply Article 5(3)’s standard, without reference to Germany’s national law. This is not insignificant — there is currently a live debate in Germany as to whether the Telemedia Act’s opt-out approach applies to websites’ third-party integrations or has been superseded.
If unchallenged, the ECJ’s approach here could create the precedent of the ECJ ordering a national court to disregard its own applicable domestic law in favor of applying Article 5(3) directly. There appears to be no reason to do this; if a member state failed to implement Article 5(3), the generally accepted remedy is a European Commission suit against that member state, not disregard of the allegedly insufficient legislation until it is updated. And while the ECJ undoubtedly has the authority to rule on the relationship between Article 5(3) of the e-privacy directive and national laws, the ECJ nowhere expressly states that it is doing so. Again, this would be an area where competent amici could potentially raise flags in remand proceedings.
3. Publishers are at the front where the EU is pushing back against Facebook. This is another case where, instead of enforcing data protection concepts against Facebook directly, enforcement was brought against a publisher. Some of this likely has to do with early attempts to enforce directly against Facebook, which failed in a number of instances based on jurisdictional and/or choice-of-law limitations that kept litigation in Facebook’s preferred Irish forum.
The data protection agency of the German state Schleswig-Holstein pioneered the concept of indirectly enforcing against Facebook via publishers, on the rationale that publishers are jointly responsible with Facebook for certain processing. Thus far, the ECJ has supported this approach. At least at present, the target of these actions largely appears to be Facebook, not publishers, although this could change.
In FashionID, the ECJ appears to have taken precautions to limit the burden on publishers while opening enforcement avenues against Facebook. Publishers do not need to disclose everything Facebook might do with like button data or obtain consent for all of it. Instead, publishers only need to inform users about the initial phases of collection and transmission. Indeed, if publishers ultimately have to obtain consent from users, it must only be a consent to collect like button data and send it to Facebook. This has the consequence of leaving Facebook’s subsequent processing of such data unconsented to by the user, potentially requiring Facebook to find an alternative legal basis for any use of the data it hopes to make.
4. It is unclear whether FashionID is a purely Facebook-facing decision or also applies to third-party integrations more broadly. In other words: advertising technology, start getting ready for your turn. The big question of FashionID is whether its reasoning can be neatly cabined to Facebook plugins or will spread to other routinely integrated third-party technologies such as cookies, pixels, tags or scripts.
The ECJ found that website publishers are joint controllers of Facebook like button data because (1) publishers integrate the Like button to optimize advertising; (2) in doing so, publishers “tacitly consent to the collection of personal data” of their users; and (3) the processing operations that result are in the economic interest of both Facebook and the publisher.
This setup — optimized advertising in exchange for data that benefits the third-party provider — is common across almost all third-party technology that is integrated into publisher platforms, be they websites, apps, streaming services, television or the like. Currently, it is only a Facebook plugin that is in the ECJ’s express focus, but the reasoning that the ECJ is applying to Facebook is not tightly cabined and could arguably be extended to other third parties.
This is important because the interests of the advertising ecosystem vary widely from publishers and the supply side to advertisers and the demand side. This is not always apparent to those outside the industry, who can sometimes view “adtech” as an undifferentiated whole whose participants are represented by Facebook and Google. It is important for participants in the advertising ecosystem to start making their interests known now. The ECJ’s data protection case law is beginning to reach tipping points that can have industry-wide effects, and the constituencies of the online advertising space will want to join the discussion sooner rather than later.