Facebook ‘Like' Button Violates German Privacy Laws

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

March 9 — A German court ruled March 9 that the use of Facebook Inc.'s “Like” button by companies violates German data protection laws, according to a statement by the plaintiff state consumer agency.

The Regional Court of Düsseldorf, Germany, said that Facebook collects user data when individuals click the Like button, and the social network detects whether users have visited a page even if they don't click the Like button.

“The code for the plug-in is designed in a way” that whenever a user opens a website, the person's Internet protocol (IP) address and additional information will be forwarded to Facebook,” Sebastian Meyer, an attorney from BRANDI in Bielefeld, Germany, told Bloomberg BNA March 9. He represented the plaintiff in this case, Consumer Protection Agency NRW.

“And this is not what a consumer expects,” he said. The consumers expects that information will only be shared when they click on the button, not when they simply visit a website, he added.

Can Collect Less Data

Because data subjects aren't properly informed that this data transfer occurs or given the opportunity to object, the court ruled that the placement of the Like button on company websites was “not legally justified.”

The plaintiff argued that plug-ins such as the Like button can be designed differently to collect less data from consumers.

“You can design a plug-in in another way so that is only activated when you click on that button,” Meyer said. “And there's no reason for Facebook to do it in the way they have done it unless they are trying to gather as much information as possible.”

The case arose when the regional consumer protection agency, based in the western state of North Rhine-Westphalia, issued warnings to several companies for incorporating the Like button on their page. The companies included online retailer Fashion ID, a subsidiary of retail chain Peek & Cloppenburg, consumer goods firm Nivea (Beiersdorf), customer loyalty program Payback, the online reservation service HRS, ticketing company CTS Eventim and retailer KIK.

According to Meyer, all of these companies except Fashion ID and Payback changed how the Like button was used on their page. Attorneys for the agency said Beiersdorf has stopped using the Like button and KIK is now using a different technology that doesn't automatically transfer data.

When Fashion ID and Payback refused to cease using the Like plug-in, the agency filed suit. The case against Payback is currently pending at a lower court in Munich.

Similar Case Referred to ECJ

Facebook told Bloomberg BNA March 9 that, “this case is specific to a particular website and the way they have sought consent from their users in the past. We understand the website has since been updated. It is common practice for websites to use a variety of third party services, Facebook's Like button is only one of them.”

According to Facebook, the court's ruling has no effect on the legality of the Like button.

“The Like button, like many other features that are used to enhance websites, is an accepted, legal and important part of the Internet, and this ruling does not change that,” Facebook said.

In a similar case but involving Facebook fan pages, the Federal Administrative Court in Leipzig Feb. 25 asked the European Court of Justice for help in deciding whether a German state data protection authority's order to Facebook is in line with European Union privacy law .

According to Meyer, there are differences between the two cases.

“If you visit a fan page, the user normally should know that of course some information about you will be collected by Facebook because the user is voluntarily opening a fan page that is obviously connected with Facebook,” he said. “It's different with a plug-in on another website. There you don't expect that Facebook will know you visited a page.”

More Cases Likely

Attorneys expect that there will be an increase in similar cases in the future especially in light of a new law expanding class action suits to allow consumer groups to sue companies for data protection violations .

In this case, the consumer agency filed suit before the law came into force and was argued on the basis of Germany's unfair competition law. “We argued that consumer protection associations, regardless of these impending changes, are allowed to make claims based on the unfair competition act,” Meyer said.

“If there is a data protection regulation that intends to protect customers and consumers, a company that is not considering these data protection provisions has an unlawful advantage compared to a company who at the same time is complying with all data protection regulations,” he said.

The Regional Court of Düsseldorf agreed, meaning that the consumer agency was entitled to proceed with its case against Fashion ID even before the new legislation came into force.

“It is now easier of course for the Consumer Protection Agency and similar organizations to make legal claims based on data protection provisions, but it had been possible even before,” Meyer said.

To contact the reporter on this story: Jabeen Bhatti in Berlin at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com

Request Bloomberg Law: Privacy & Data Security