Thanks to the ever-increasing popularity of social media, there is now a huge demand for social plugins for popular platforms such as Facebook, Twitter, Instagram, and Google+. Embedded into a website, these modules let visitors interact with a site through their social network profiles and promote the page further in the form of a like, a share, a pin, or a tweet. These extensions are an effective way for website operators to expand their reach, but caution is needed to avoid breaching data protection laws. Read on to discover how to implement and use social plugins correctly.

Social media buttons on websites: privacy takes prece­dence

While there is no specific legislation on the subject of social plugins in the United States, recent EU data protection laws and court judgements within the European Union have led to a rethink of how social media buttons are used. Legal experts therefore recommend precautionary measures so that private and commercial website owners do not violate EU data privacy laws. These laws exist primarily to protect users, not the commercial interests of site operators.

Data pro­tec­tion on American websites: an in­tro­duc­tion to current leg­is­la­tion

The Federal Trade Commission (FTC) is the main body enforcing privacy policies in the United States, but the requirements are complex and vary with state law and with the nature and means of data collection. While some states are relaxed, others, such as California, require operators of commercial websites that collect personal information from their residents to post a privacy policy, including a disclosure of tracking technologies such as cookies. Website operators in the US should therefore make sure their site complies with the applicable state laws. Where a privacy policy is required, the FTC expects it to be accurate and unambiguous and to describe both the technical and the personal data being collected; a misleading or erroneous privacy notice can result in cease-and-desist orders, fines, or further legal action. Social plugins affect users' privacy, so websites that use social media buttons need to understand how to deploy them correctly.

Users must be informed whenever a website collects personal data for advertising, commercial purposes, or the creation of user profiles. Above all, this applies to e-commerce sites and online shops, which are also required to provide comprehensive information on terms and conditions and returns policies. Personal data is not collected only by online shops, however; cookies may be used on other sites for other purposes, such as fulfilling a contract or measuring media usage. If your region or sector requires a privacy policy and you have a clear and lawful purpose for collecting personal data, you must display this information clearly.

Before you begin collecting data, users must know the scope and nature of the data usage and explicitly consent to the setting of cookies. One established way of obtaining consent is the double opt-in process used for newsletter subscriptions: the user clicks a link sent by e-mail to confirm that they agree to their data being used. A website operator who provides no privacy notice at all risks legal action.

Possible problems with using social plugins

In certain parts of the world, embedding social media buttons such as Facebook's 'Like' button can be problematic, particularly in European countries and in stricter American states. There, website operators using social plugins must meet general data protection requirements, which creates a real problem, as Facebook's plugin illustrates. Simply by accessing a website, a user's browser already transmits certain information to every server it contacts, including the browser name, language preferences, and the device's IP address. With user consent, this data can be linked to cookies for analysis, marketing, and retargeting. Unless users explicitly block cookies in their browser settings, the browser automatically sends any cookie it already holds for a domain along with each request to that domain, and the cookie's character string can then be assigned to an individual user. Data protection activists criticise this in particular because the network can combine the information with data it already stores about the user, so visitors can be identified fairly precisely through social plugins alone. If a user is logged into a social network such as Facebook (or has an account there), loading the 'Like' button sends Facebook's cookie together with the address of the embedding page, so Facebook learns which page the user is viewing whether or not the button is ever clicked. Facebook's social plugin is therefore a threat to users' privacy insofar as personal data can be evaluated without the intermediate step of the user giving consent. Matters are complicated further by the fact that effective data protection measures often cost some functionality of the web content itself. The Facebook 'Like' button caused its first legal dispute in 2011, when a website operator received a considerable fine after embedding the extension without much thought for data protection.

Simply embedding the Facebook social plugin is therefore inadvisable, as it can lead to user data being collected without explicit consent. A privacy notice alone is insufficient; users should be informed in advance of the extent to which social plugins record data and for what purpose, and the data flow should not start before they have agreed. Only then can the use of social media buttons comply with privacy regulations.

Like buttons and data privacy: ap­pli­ca­tions and con­se­quences

Data privacy laws are complex, and many companies do not take them seriously: a large proportion of commercial sites have no current data protection policy or never implemented one in the first place. At the same time, web analytics, user tracking, and social media have become crucial elements of online marketing, so it is important for website operators to bring their use of social media plugins into line with current data privacy law. The obligation to provide complete and correct information about the use of cookies applies to every website that collects personal data, whether commercial or private. The Privacy and Electronic Communications Regulations (PECR, in the UK) require that a notice about the collection and analysis of data be clearly visible and accessible to users at all times. This is particularly important if you use analytics and tracking services such as Google Analytics. Social media buttons, however, present a further problem: nobody but the network operators themselves can say exactly how and why user data is used. A data protection notice therefore fulfils the duty to inform but does not fully protect website operators from written warnings.

Solutions for social plugins and data privacy

Because social plugins and data protection regulations have only recently become a public issue, the legal situation can change quickly. There is currently no fool-proof way to protect website operators from cease-and-desist warnings, but neither is the use of social media buttons in itself a violation of data privacy standards; it depends on the conditions under which data is processed. Website operators can currently protect themselves from warnings in three ways:

  • Avoiding social plugins: If you want to be completely safe, do not use social media buttons at all. Bear in mind that this reduces your reach, as these extensions create direct links to the social networks.
  • 2-click solution: Instead of loading the original plugin on page load, the page shows an inactive placeholder button. Only when the user clicks it once to give permission is the network's plugin loaded, and a second click performs the share itself. This option provides only partial protection, however: it does not prevent the network's servers from collecting the user's data, it merely delays the collection until the user activates the button, after which the plugin behaves as before. For many, this does not go far enough to protect users' privacy.
  • Privacy-preserving replacement: if you really want to use social media buttons, you can use an extension that prevents direct and comprehensive tracking by the social networks. The 'Shariff' plugin, for example, unobtrusively replaces the network's plugin with a static link to its share page, so no data reaches the network until the user actively clicks the button.

While each option has its own unique ad­van­tages and dis­ad­van­tages, website operators are free to choose whatever they feel com­fort­able with.
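To make the difference between the classic embed, the 2-click gate and the Shariff-style static link concrete, here is an added example in JavaScript. It is not code from the page, from Facebook or from the Shariff project; it models what leaves the browser on page load in each case and builds the static share links. The share-endpoint URLs, the SDK URL and all function names are assumptions for illustration.

```javascript
// Added example, not from the page or from Shariff: a classic social
// plugin embed beside a Shariff-style static share link, modelled so the
// data that leaves the browser before any click can be compared.
// The share-endpoint and SDK URLs below are assumptions for illustration.

const SHARE_ENDPOINTS = {
  facebook: { base: "https://www.facebook.com/sharer/sharer.php", urlParam: "u" },
  twitter: { base: "https://twitter.com/intent/tweet", urlParam: "url", textParam: "text" },
};

// Classic embed: the network's script is fetched when the page loads, so
// every visitor's IP address, User-Agent, Referer (your page URL) and any
// cookies the network has set earlier reach the network, click or no click.
function classicEmbed() {
  return {
    requestsOnPageLoad: ["https://connect.facebook.net/en_US/sdk.js"], // assumed SDK URL
    thirdPartyCookiesSent: true,
  };
}

// Shariff-style static link: a plain <a href> to the network's share page.
// Nothing is requested from the network until the user actively clicks.
function buildShareLink(network, pageUrl, text) {
  const endpoint = SHARE_ENDPOINTS[network];
  if (!endpoint) throw new Error(`unknown network: ${network}`);
  // Normalise the page URL and strip the fragment, which is never meant
  // for the network; URLSearchParams takes care of the percent-encoding.
  const target = new URL(pageUrl);
  target.hash = "";
  const link = new URL(endpoint.base);
  link.searchParams.set(endpoint.urlParam, target.href);
  if (text && endpoint.textParam) link.searchParams.set(endpoint.textParam, text);
  return link.href;
}

// 2-click gate: before the user has activated the button it is rendered as
// a static link that loads nothing from the network; after activation the
// original plugin may be loaded and from then on behaves like classicEmbed.
function renderShareButton(network, pageUrl, activated, text) {
  if (!activated) {
    return {
      href: buildShareLink(network, pageUrl, text),
      // noreferrer keeps your page URL out of the Referer header of the
      // click navigation; noopener cuts the window.opener back-channel.
      rel: "noopener noreferrer",
      target: "_blank",
      requestsOnPageLoad: [],
      thirdPartyCookiesSent: false,
    };
  }
  return { href: null, rel: null, target: null, ...classicEmbed() };
}

// Audit helper: the third-party hosts a page contacts before any click.
// Run it against the resources your page actually loads as a regression
// check; the list should be empty for a Shariff-style page.
function thirdPartyHosts(firstPartyHost, requests) {
  const hosts = requests.map((u) => new URL(u).host).filter((h) => h !== firstPartyHost);
  return [...new Set(hosts)];
}

// Demo on a constructed page URL.
const page = "https://example.org/post?id=7#comments";
console.log("static link:", buildShareLink("twitter", page, "Read this"));
console.log("hosts before activation:",
  thirdPartyHosts("example.org", renderShareButton("facebook", page, false).requestsOnPageLoad));
console.log("hosts after activation:",
  thirdPartyHosts("example.org", renderShareButton("facebook", page, true).requestsOnPageLoad));
```

The point of modelling both states in one function is that the audit check becomes mechanical: before activation the list of third-party hosts must be empty, and the static link must carry rel="noopener noreferrer" so that even the click does not reveal the originating page via the Referer header.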

What is the international legal situation regarding social plugins and privacy?

Specific data protection laws, and by extension the rules for social plugins, are generally set at national level, so jurisprudence differs from country to country. As mentioned above, American data protection law is comparatively liberal; in contrast to the United Kingdom, there is no universal legislation that applies across all industries. While the legal situation in the United States is fragmented, similar data protection laws apply across most European countries, though you should still check the specific legislation of every country in which you operate, especially if you run a business in several. Since 2016, the EU-US Privacy Shield framework has been in place to provide a legal basis for transferring personal data between the USA and Europe; however, companies self-certify under the agreement and are themselves responsible for complying with its standards. It is also unclear how long the current agreement will remain in force given political developments in the USA, and many experts and civil rights advocates doubt the validity of the procedure, in particular because the agreement is seen as favouring Europeans unfairly over US citizens.

The legal status of social plugins is complicated further by the question of hosting. In general, you can only be sure that a particular country's legislation is upheld if your hosting provider is located there. If personal data is processed on an outsourced server (as with many cloud services), the data protection law of the country in which that server is located applies. Concerned operators should therefore check in advance whether their web host provides adequate data protection. Since March 2017, several service providers have also committed themselves to an alternative Code of Conduct through the CISPE (Cloud Infrastructure Services Providers in Europe) organisation, which gives cloud customers the option to store and process data exclusively within EU countries.

New EU data privacy reg­u­la­tions

In December 2015, the EU institutions agreed on the General Data Protection Regulation (GDPR), which replaces the Data Protection Directive 95/46/EC. As a regulation it applies directly in all EU member states from 25 May 2018, without national implementing laws. The new rules are intended to meet users' demand for transparency and substantially raise the maximum penalties for violations. They also set the age at which a child can consent to the processing of personal data at 16 by default, while allowing member states to lower it to as young as 13. The data protection requirements will also be binding outside Europe, for example for American companies that offer services to or monitor people within the EU.

Con­clu­sion: be aware of forth­com­ing legal de­vel­op­ments

Social plugins remain a gray area when it comes to privacy. With legislation on data protection developing continually, caution is always advisable; the situation for website operators could change drastically with technological and political developments. To keep your data protection measures up to date and legally valid, follow these developments through specialist magazines and news, or consult experts and lawyers specialising in IT and media law on specific questions. Only then can you be sure your website meets all current requirements. One thing is certain: within Europe, website operators will soon have to adopt far more stringent data protection policies. Minor inconveniences aside, the bottom line should always be the protection of user data.
