On July 29, 2019, the European Court of Justice (“ECJ”) issued its decision in the case of FashionID GmbH & Co. KG v. Verbraucherzentrale NRW. The ECJ found that websites that integrate Facebook plugins are jointly responsible for the data collected by those plugins and sent to Facebook. Despite the somewhat innocuous-sounding holding, this decision is major milestone in determining who is responsible (and liable) for the routine integrations that occur on practically every website. The court’s reasoning arguably applies beyond Facebook to the broader third-party advertising environment. It will potentially have implications for website publishers of all kinds, and also for the online advertising ecosystem.
The FashionID case just became available in English this morning, although it was initially available in German as of yesterday (as the language of the lower proceedings). This post is intended as an “everything your company needs to know” convenience summary of the case. It starts with a summary of the case – facts, procedural history, and key holdings. Then, we address (a) what the immediate action items are for companies, and (b) what the broader implications of FashionID are – and they are significant.
Summary of the Case
FashionID is an online retailer that sells a range of clothing and accessories from its ecommerce websites. The websites integrated Facebook’s “Like” button. This allowed someone looking at an article of clothing to “like” the article so that it would be shared on Facebook.
The Facebook “Like” button appears to have been configured so that it automatically transferred data about all visitors to FashionID’s websites to Facebook as soon as they landed on the sites, regardless of whether (a) the visitor interacted with the “Like” button, or (b) the visitor was a logged-in Facebook user.
- Procedural History
Litigation arose in 2015, when the Consumer Center of North Rhine-Westphalia (CCNRW) brought a suit against FashionID seeking to enjoin its then-current use of the “Like” button. The CCNRW argued that FashionID needed to provide appropriate privacy notices about data collection by Facebook, and obtain website visitors’ consent, prior to data being transferred to Facebook via the “Like” button. The CCNRW’s ability to bring this suit was founded on Germany’s Law Against Unfair Trade Practices, which grants qualified consumer-rights organizations statutory standing to bring representative suits on behalf of consumer classes to enjoin violations of certain market-conduct rules.
The CCNRW won in part on the merits at the trial court, and FashionID appealed to the Appellate Court of Düsseldorf. Facebook joined as an additional party to the appellate proceedings. The appellate court referred the proceedings to the ECJ.
- Findings of the ECJ
a. Limited Joint Controllership Exists for “Like” Buttons
- The ECJ found that FashionID could be considered a joint controller of personal data collected by Facebook’s “Like” button, albeit only to a limited extent. The ECJ held that FashionID and Facebook were joint controllers to the extent that they jointly determined the purposes and means for which data was collected by the “Like” button. This appeared to be limited to (a) collecting personal data via the “Like” button, and (b) transferring it to Facebook for so that Facebook could display that items had been ‘liked’.
- Thus, the ECJ found that FashionID was a joint controller for purposes of (a) the initial collection of personal data via the “Like” button, and (b) transfers of data to Facebook. However, the ECJ suggested there could be further “phases” of processing by Facebook for which FashionID is not jointly responsible.
b. Unclear Whether Website Operators Need to Obtain Consent for “Like” Buttons
- One of the key questions from the lower German litigation was whether FashionID needed to obtain user consent prior to collecting and transferring data to Facebook via the “Like” button, or whether it could rely on its legitimate interests.
- The ECJ largely punted on this question by treating it as a matter of fact needing further findings. It treated the ePrivacy Directive’s Article 5(3) special consent rule as the operative rule of decision for the issue. This rule requires consent to be obtained any time (a) information is stored on a user’s terminal device, or (b) information stored on a user’s terminal device is accessed. The ECJ did not find whether one of these prongs was fulfilled in FashionID’s case. Instead, it remanded the question to the Düsseldorf Court of Appeals to determine whether “the provider of a social plug-in, as in the present case Facebook Ireland, has access to information that is stored in the terminal device” of visitors to FashionID websites.
c. But if Consent is Required, Publishers Only Need to Obtain Limited Consents
- Despite punting on the consent issue, the ECJ used its decision to clarify – if website operators have to obtain consent to integrate a live “Like” button – the scope of the consent they must obtain. According to the ECJ, website operators like FashionID would only need to obtain consent for processing they jointly control, i.e. the initial collection of data via the “Like” button and its transmission to Facebook. Websites would not be obligated to obtain consent for “subsequent phases” of processing by Facebook.
d. Privacy Notice Disclosures relating to “Like” Buttons are Similarly Limited
- The ECJ stated that the same ‘limited scoping’ rule as applies to consent also applied for the transparency website operators would need to provide to users via privacy notices. Privacy notice disclosures relating to “Like” buttons would only need to inform users about the collection of data jointly controlled by the website operator – i.e. initial collection and transmission to Facebook – but not about subsequent processing by Facebook.
e. Remedies and Liability in the Data Protection Context are Wide Open
- Two final issues are likely to reappear in subsequent ECJ data protection decisions. First, the lower German litigation revolved around the question of whether the Data Protection Directive and the GDPR precluded Member States from establishing remedies such as the fair-trade-practices statutory standing that had permitted the CCNRW to sue FashionID. The ECJ roundly rejected that argument, indicating that the Member States had broad flexibility to design remedies meant to effectuate the substantive provisions of data protection law.
- Second, the ECJ suggested that Member States can devise civil liability rules that go beyond the GDPR’s concept of “joint controllers” to hold different parties that touch the same data in a chain of processing liable. The ECJ stated that GDPR “joint controller” rules only make parties jointly responsible for processing operations for which they jointly determine the purposes and means – but not for any processing that is “upstream” or “downstream” of the jointly-controlled operations. At the same time, however, the ECJ said that this rule is “without prejudice to civil liability provided for in national law.” This implies that Member States could enact rules that hold more parties accountable for processing operations that is contemplated under the GDPR’s joint-controller rules.
Immediate Action Items
1. Publishers, update your privacy notices! Website publishers who integrate Facebook plugins are now joint controllers with Facebook for a limited set of processing operations. Website privacy notices need to be updated to include appropriate information about this fact. However, as indicated above, the disclosures in the privacy notice only need to relate to (a) the collection of data via a Facebook “Like” button, and (b) the transmission of that data to Facebook. Disclosures do not necessarily need to encompass subsequent processing that Facebook may conduct.
2. Publishers, get ready to manage joint controller agreements and obligations with Facebook. As joint controllers with Facebook – even to a limited extent – website publishers will be subject to the requirement of Article 26 GDPR to (a) enter into an “arrangement” detailing each joint controller’s responsibilities, and (b) make “the essence” of that arrangement accessible to data subjects. In earlier instances where Facebook was held to be a joint controller – i.e. in the fanpage context – it elected to provide joint-controller terms to companies that use its platform. It may do the same here. If not, however, website publishers will need to take the initiative in seeking appropriate joint controller terms from Facebook.
3. Watch how the market handles social media plugin integrations. Commercial websites generally integrate social media plugins, not just from Facebook, but also from LinkedIn, Twitter, Pinterest, etc. Most of these plugins are integrated without any code that “deactivates” them until, e.g., a user logs into her Facebook account or affirmatively clicks on a sharing icon. The ECJ’s decision, however, states that privacy notice disclosures about Facebook “Like” buttons must be provided “immediately, that is to say, when the data are collected.” Arguably, having a general privacy notice that can be accessed from any page on a website provides “immediate” notice about data collection via a “Like” button. Still, it would not be inconceivable for European regulators to start suggesting that that the integration of social media plugins needs to be tightened up, so that data flows to social media providers occurs only when users are already logged in to social media, or take some other affirmative action after having been informed about data sharing with social media providers. This kind of requirement would not be unambiguously supported by FashionID, but has been floated by regulators in the past. It will be important to watch the market’s response, and particularly – as discussed immediately below – to see how the Düsseldorf Court of Appeals addresses the issue.
4. Plugin providers, start thinking about what kind of technical solutions you might develop to help publishers get consent for you. The ECJ’s decision indicates that website publishers are not legally required to obtain consent for the downstream uses that plugin providers want to make of data collected via plugins. Often, as between publishers and providers, obtaining appropriate consents for the down-the-line provider is addressed in contractual terms. But it is also an open question as to whether publishers can build the technical infrastructure needed to obtain the type of granular, demonstrable consent that is required under Article 7 GDPR – and publishers will likely be averse to warranting that consents generated by publisher-created solutions will satisfy GDPR requirements. Most likely, plugin providers would be well-served to start putting in the leg work of figuring out how to provide publishers with plug-and-play solutions for obtaining GDPR consent. Of course, whether consent is required is still open. But if consent requirements come, plugin providers may not want to be in a position of asking themselves what an MVP looks like.
Larger Implications of the FashionID Decision
1. Follow the Düsseldorf Court of Appeal’s upcoming decision on consent requirements closely. As stated above, the ECJ left open the enormous question of whether consent is required in order to integrate a ‘live’ Facebook plugin into a website – and remanded that question back to the Düsseldorf Court of Appeals. The Düsseldorf Court of Appeals’ decision may shape up to be momentous. A Facebook plugin is in many ways similar to other cookies, pixels, tags, scripts, or other third-party code or content that routinely gets integrated into websites. A finding that Facebook plugins require user consent could potentially spread to other common integrations, such as other social media pixels, common website tags, or third-party cookies used for audience tracking, measuring, and retargeting.
At the same time, the rule the Düsseldorf Court of Appeals has been asked to apply is anything but clear. The ECJ has effectively instructed the Court to determine whether a Facebook “Like” button triggers Article 5(3) ePrivacy Directive’s special consent rule, i.e. by (a) storing information on a user’s terminal device, or by (b) accessing information stored on a user’s terminal device. The terms of Article 5(3) ePrivacy Directive are not extensively litigated, and leave room for arguments on many sides. For example, a Facebook “Like” button may not necessarily “access” information on a user’s terminal device, but it may collect and transmit information about the user’s browser type, IP address, operating system, and the like. However, practically every website on the planet will collect the same information about all its users via the client requests the users send to simply access the website under the Internet’s governing protocols. Should routine client requests require consent as well?
Similarly, it could be argued that a Facebook “Like” button is in some sense “stored” on a user’s terminal device when the user loads the website that contains the button. But again, if I build a website, the simple process of loading that website onto a user’s browser will at least arguably result in some “storage of information” on the user’s device, and it can be questioned as to how much of the storage is “strictly necessary” to provide the website to the user. No courts or regulators have yet suggested that websites should have to provide a full notice-and-consent layer whenever an individual wants to visit a website. But the broad language of Article 5(3) ePrivacy Directive potentially brings even these kinds of basic internet design issues into the debate.
Hopefully, the Düsseldorf Court of Appeals will engage on the manifold technical issues potentially impacted by its upcoming decision. The German court system does not typically permit the filing of amicus curiae briefs. But if there was a case meriting support by competent technical amici, this would be a good candidate.
2. Did the ECJ just attempt to directly apply Article 5(3) of the ePrivacy Directive throughout the EU without regard to national implementing legislation? It is surprising that the ECJ would make the question of “Is consent needed for Facebook plugins?” entirely dependent on Article 5(3) ePrivacy Directive. Passed in 2009, Article 5(3) requires online actors to obtain consent for any “storing of information” or “gaining of access to information already stored” on a terminal device. This was originally conceived as introducing consent rules for cookies, although debate has raged as to whether it was intended as an opt-in or opt-out rule. In any case, as a provision in a directive, Article 5(3) has no direct effect, and is only effective as implemented by statutes passed by each Member State. The Member States have implemented Article 5(3) ePrivacy Directive, albeit with approaches that differ significantly as to whether consent must be express, prior, and/or opt-in.
It is therefore curious that the ECJ entirely skips over any applicable national legislation, and has asked the Düsseldorf Court of Appeals to apply Article 5(3) ePrivacy Directive directly. Germany has statutes that the German government claims implement Article 5(3) (called the “Telemedia Act”), and the ECJ expressly referenced the Telemedia Act as potentially applicable law in the recitals to FahionID. But when it came time for a rule of decision, the ECJ instructed the Düsseldorf Court of Appeals to apply Article 5(3)’s standard, without reference to Germany’s national law. This is not insignificant – as we reported in Bloomberg, there is currently a live debate in Germany as to whether the Telemedia Act’s opt-out approach applies to websites’ third-party integrations, or has been superseded. If unchallenged, the ECJ’s approach here could create the precedent of the ECJ ordering a national court to disregard its own applicable domestic law in favor of applying Article 5(3) directly. There appears to be no reason to do this; if a Member State failed to implement Article 5(3), the generally-accepted remedy is an EU Commission suit against that Member State, not disregard of the allegedly insufficient legislation until it is updated. And while the ECJ undoubtedly has the authority to rule on the relationship between Article 5(3) ePrivacy Directive and national laws, the ECJ nowhere expressly states that it is doing so. Again, this would be an area where competent amici could potentially raise flags in remand proceedings.
3. Publishers are the front where the EU is pushing back against Facebook. This is another case where, instead of enforcing data protection concepts against Facebook directly, enforcement was brought against a publisher. Some of this likely has to do with early attempts to enforce directly against Facebook, which failed in a number of instances based on jurisdictional and/or choice-of-law limitations that kept litigation in Facebook’s preferred Irish forum. The data protection agency of the German state of Schleswig-Holstein pioneered the concept of indirectly enforcing against Facebook via publishers, on the rationale that publishers are “jointly” responsible with Facebook for certain processing. Thus far, the ECJ has supported this approach. At least at present, the target of these actions largely appears to be Facebook, not publishers, although this could change.
In FashionID, the ECJ appears to have taken precautions to limit the burden on publishers while opening enforcement avenues against Facebook. Publishers do not need to disclose everything Facebook might do with “Like button” data, or obtain consent for all of it. Instead, publishers only to inform users about the initial phases of collection and transmission. Indeed, if publishers ultimately have to obtain consent from users, it must only be a consent to collect “Like button” data and send it to Facebook. This has the consequence of leaving Facebook’s subsequent processing of such data “unconsented-to” by the user, potentially requiring Facebook to find an alternative legal basis for any use of the data it hopes to make.
4. It is unclear whether FashionID is a purely Facebook-facing decision, or also applies to third-party integrations more broadly. Or: Adtech, start getting ready for your turn. The big question of FashionID is whether its reasoning can be neatly cabined to Facebook plugins, or will spread to other routinely-integrated third-party technologies such as cookies, pixels, tags, or scripts. The ECJ found that website publishers are joint controllers of “Facebook like button” data because (a) publishers integrate the Like button to optimize advertising; (b) in doing so, publishers “tacitly consent to the collection of personal data” of their users, and (c) the processing operations that result are in the economic interest of both Facebook and the publisher. This setup – optimized advertising in exchange for data that benefits the third-party provider – is common across almost all third-party technology that is integrated into publisher platforms, be they websites, apps, streaming services, television, or the like. Currently, it is only a Facebook plugin that is in the ECJ’s express focus, but the reasoning that the ECJ is applying to Facebook is not tightly cabined, and could arguably be extended to other third parties.
This is important because the interests of the advertising ecosystem vary widely from publishers and the supply side to advertisers and the demand side. This is not always apparent to those outside the industry, who can sometimes view “adtech” as an undifferentiated whole whose participants are represented by Facebook and Google. It is important for participants in the advertising ecosystem to start making their interests known now. The ECJ’s data protection case law is beginning to reach tipping points that can have industry-wide effects, and the constituencies of the online advertising space will want to join the discussion sooner rather than later.
Alston & Bird is closely monitoring all issues affecting online commerce and advertising, both in the US and in the EU. For more information, contact Jim Harvey, David Keating, Peter Swire, or Daniel Felz.