Facebook Users “Like” Data Protection
When browsing consumer websites you may have noticed the Facebook “like” button which is now a common feature. The “like feature” has recently been the subject of an investigation by data protection officials in Germany. The reason being that when a Facebook user clicks on the “like” button on a third party’s website, Facebook is able to recognise the user via their Facebook ID which is linked to the user’s Facebook profile (containing personal information). Once more people use the same “like” button, Facebook can collate information such as the number of visitors based on age, locality, and gender. This type of profiling infringes German and European data protection law.
In addition, if a non Facebook user was to select the “like” button, their IP address would be passed to Facebook without the user’s knowledge or permission.
Facebook may be outside of German jurisdiction for the purposes of enforcing data protection laws however, data protection officials in Germany have reminded third party website owners who carry the “like” button that the website owners are responsible for any infringements caused by the content of their websites which may breach data protection laws.
Website owners in the UK should be aware of this issue, as although the point is still contentious, some believe that the Personal Information Online Code of Practice published by the Information Commisioner’s Office shows the regulator’s view that IP addresses (and other ‘non-obvious identifiers’) are properly construed as “personal data” under the Data Protection Act 1998 (“the 1998” Act), so that the action of forwarding users IP address to Facebook would be “processing” (of that personal data) under the 1998 Act. On that basis, and unless the informed consent of the user was sought and obtained, collating and forwarding the IP addresses would breach the “fair and lawful processing” requirement of the 1998 Act.
It is expected that there will be an investigation into this issue by the Information Commissioners Office in the UK and there may also be an EU investigation which could determine whether a two step “like” process will be required which would establish the users consent before passing on any information.