LG Düsseldorf of 19.01.2017 – 12 O 151/15 – Data protection compliant use of social media plugins.

In May 2015, several companies were warned by the NRW consumer advice centre because they had integrated the Facebook Like button on their website. In one of these cases, the Regional Court (LG) of Düsseldorf ruled on 9 March 2016 (Case No. 12 O 151/15) that online shop operators violate applicable data protection law if the Facebook plugin is used without sufficiently informing site visitors in advance. The Regional Court found fault with the fact that the integration of the plugin on the website enables Facebook to access the user’s IP address without informing the visitor in advance and giving him the opportunity to refuse this. In the case of conventional social media plugins, the data transfer already takes place when the website is called up and regardless of whether, for example, the Facebook function is used by clicking on it. The case before the LG Düsseldorf went to appeal and the OLG decided on 19 January 2017 to refer some of the case-specific questions to the ECJ for a preliminary ruling. Pending a response from the ECJ, a decision on this matter is postponed.

Depending on the outcome of the case, the use of social media buttons may violate applicable data protection law in the future. This does not only concern the Facebook plugin, but may also include other social media plugins, provided that they carry out unauthorised data collection. The decisive factor here is whether the plugin is designed in such a way that data is collected without the prior consent of the person concerned. The previous ruling of the Düsseldorf Regional Court indicates that even a corresponding reference in the data protection statement is no longer sufficient to comply with the website operator’s duty to inform and to allow the visitor freedom of choice.

Since the ruling of the Düsseldorf Regional Court relates to a warning notice under competition law, more warning notices against online shops and company websites are to be expected in this matter in the future. Commercial website operators in particular should therefore consider removing integrated social media plug-ins (if they are incompatible with data protection law) or switching to solutions that prevent unauthorised data transmission to the plug-in provider. In addition, check the privacy policy of your social media providers to see whether and in what form personal data is collected via their plug-ins, and also pay attention to whether the social media company has chosen a company headquarters outside the EU.

There are privacy-compliant alternatives to traditional social media plugins: Shariff buttons use CSS-formatted HTML links that do not require the client browser to connect to the social media website’s server. A server-based script retrieves relevant data via API from the social media website, but does not transmit user data. As long as the visitor does not click on any of the links, he or she remains invisible to the social media provider. In addition to the Shariff buttons or the two-click method, other privacy-compliant solutions are available on the market.