Social plugins and privacy: how to use the ‘like’ button legally

Thanks to the ever-increasing popularity of social media, there’s now a humungous demand for social plugins for popular platforms such as Facebook, Twitter, Instagram, and Google+. When embedded into a website, these modules allow users to connect with an internet presence via their social network profiles. In doing this, it’s possible for users to promote the page further, whether it be in the form of a like, a share, a pin, or a tweet. These practical extensions are a great way for website operators to expand their outreach massively, but caution should be exercised in order to avoid breaching data protection laws. Read on to discover how to implement and use social plugins correctly.

While there is no specific legislation on the subject of social plugins in the United States, recent EU data protection laws and court judgements within the European Union have led to a reconsidered use of social media buttons. As such, legal experts recommend precautionary measures to prevent private and commercial website owners from violating EU data privacy laws. These laws are primarily in place for protecting users via commercial individual interests.

The Federal Trade Commission (FTC) is the main body regulating privacy policies in the United States, but these laws are complex and vary depending on state laws and the nature and means of data collection. While laws are relaxed in certain states, other regions, such as California, have strict laws requiring all owners of commercial websites to include a privacy policy in order to alert visitors to the use of cookies. Website operators living in the US should therefore take care to ensure that their site is in accordance with their respective state’s laws. For those regions and sectors that require website operators to incorporate a privacy policy, the FTC requires that the information given is accurate and unambiguous and includes details of both the technical and personal data being collected.

Social plugins affect users’ privacy, so websites that use social media buttons need to wise up to their correct usage. The current legal situation means that misleading or erroneous privacy notices can result in cease and desist orders, fines, or even serious legal action. Therefore, users must be informed when accessing any website that collects personal data from consumers for advertising, commercial purposes, or creating user profiles. Above all, this ruling applies to e-commerce and online shops, as websites of this kind are required to provide comprehensive information regarding terms and conditions and returns policies.

Personal data isn’t only taken from online shops, however; cookies may well be used on other sites for other purposes, such as the fulfilment of a contractual relationship or media usage). If your region or sector requires you to include a privacy policy and you have a clear and legal purpose for collecting personal data on your website, you must display the information clearly. Before you can begin to collect data, users must be aware of the scope and nature of the data usage and explicitly give their consent to the collection of cookies. One way of obtaining the user’s consent, for example, is using the double opt-in process for a newsletter subscription. This process involves users clicking on a link sent to them via e-mail to confirm their permission to share their data. If the website operator provides no privacy policy notice, they are putting themselves at risk of legal action.

In certain parts of the world, embedding social media buttons such as Facebook’s ‘Like’ button can sometimes be problematic. This refers particularly to European countries and stricter American states. In these areas, website operators with social plugins must adhere to general data protection requirements, which presents a major problem, as can be demonstrated using the example of Facebook’s social plugin. When accessing websites, users are already transmitting certain information to providers, including browser names, languages preferences, and their device’s IP address. With user consent, this data can be collected with cookies for retargeting purposes in analysis and marketing.  

Unless users explicitly block these cookies in their setting options, their browser will automatically send existing cookies to the relevant domain. The cookies’ character strings can then be assigned to individual users. Data protection activists are critical of this in particular, because the respective service can combine such information with other data already stored on the user. Using this pre-established information, the user can be identified relatively precisely using social plugins. If you are logged into a social network like Facebook (or have an account there), the ‘Like’ button makes it possible to find out which page the user has just visited. Facebook’s social plugin is therefore a threat to user’s data privacy insofar as personal data can be evaluated without the intermediate step of the user officially giving their consent.

This is complicated further by the fact that good data protection measures often mean that the web content itself is compromised. The Facebook ‘Like’ button caused its first legal dispute in 2011, when a website operator was slapped with a considerable fine after embedding the extension without much thought to data protection. Simply embedding the Facebook social plugin is therefore inadvisable, as it can lead to user data being collected without their explicit consent. A data privacy notice alone is insufficient; consumers should be informed in advance about the extent to which social plugins record data and for what purpose. Only then can the use of social media buttons fully comply with privacy regulations around the world.

Because social plugins and data protection regulations have only recently become a public issue, the legal situation is prone to changing swiftly. There is currently no fool-proof way to protect website operators from cease-and-desist warnings, yet the use of social media buttons cannot truly be seen as a violation of data privacy standards. It really depends on the data protection conditions. Website operators are currently able to protect themselves from warnings in the following three ways:

• Avoiding social plugins: If you want to be completely safe, just avoid using social media buttons altogether. However, if you choose this option, you should keep in mind that you risk reducing your outreach, as these extensions create direct links with social networks.

• 2-click solution: By adjusting the original social plugin settings, website operators can avoid transferring user data when clicking on the share button. You can do this by inserting a page that asks users to give their permission to collect their data before they are able to access your social media presence. However, this option only provides partial security, as it doesn’t completely prevent servers from collecting the user’s data; it simply delays it. For many, this does not go far enough to adequately protect user’s privacy.
  
  
• Security plugin: if you really want to use social media buttons, you can also use an extension that prevents direct and comprehensive data tracking over social networks. For example, the ‘Shariff’ plugin unobtrusively replaces a typical social plugin with a static link, which only distributes data when the user actively clicks the button.

While each option has its own unique advantages and disadvantages, website operators are free to choose whatever they feel comfortable with.

Specific laws on data protection, and by extension, social plugins, are generally determined on a national level. Jurisprudence therefore differs from country to country. As mentioned above,  American data protection laws are comparatively liberal; there is absolutely no universal legislation that applies across different industries. But while the legal situation in the United States is varied, similar data protection laws apply across most European countries. However, you should be aware of specific legislation in every country, especially if you happen to be operating a business in multiple countries.

In contrast to the United Kingdom, American data protection laws are particularly liberal; there is absolutely no universal legislation that applies across different industries. Since 2016, a framework known as the EU-US Privacy Shield has been in place in an attempt to ensure the legal transferal of data between the USA and Europe, however, it is up to international companies that commit themselves to the agreement to comply with its standards. Furthermore, it is unclear how long the current agreement will remain in force, given the political developments in the USA, with many experts and civil rights advocates expressing doubt over the validity of the procedure. This is particularly because the agreement tends to favour Europeans and benefit them unfairly over US citizens.

The legal status of social plugins is complicated further when it comes to the matter of hosting. In general, it is only possible to ensure that specific legislation is upheld by hosting providers located in your own country. If personal data is processed via an outsourced server (as many cloud servers are), these servers comply with the data protection laws of the country in which they are situated. Concerned users should therefore inform themselves in advance about whether their webhost provides adequate data protection. In March of 2017, however, several service providers have committed themselves to an alternative ‘Code of Conduct’ through the CISPE (Cloud Infrastructure Services Providers in Europe) organization, which offers cloud customers the option to save and process data specifically within EU countries.

In December 2015, the EU Data Protection Directive 96/46/EG was replaced by the new EU Data Protection Compliance. The new EU General Data Protection Regulation (GDPR) must be adopted by all EU member states by the 25 May 2018. The purpose of these new regulations is to satisfy user demand for transparency, as well as make penalties more flexible. The new regulations also emphasize the age of consent for the transferal of personal data to 16 years (before the minimum age was 13 years). The data protection requirements will then also be binding outside of Europe, for example, for American companies that also operate within Europe.

Social plugins continue to fall into a gray area when it comes to privacy. With the continual development of legislation surrounding data protection, it is always best to stay cautious. In theory, the situation for website operators could change drastically, depending on both technological and political developments. To ensure that your data protection measures remain up-to-date and legally valid, you should be sure to keep up with the developments. You can do this with the help of specialist magazines, news, or by consulting experts and specialized lawyers in the IT and media sector with specific questions. Only by taking these steps can you ensure that your website meets all current requirements. One thing is for sure: within Europe, website operators will soon have to adopt far more stringent data protection policies on their pages. Aside from all minor inconveniences aside, the bottom line should always be the protection of user data.