Following the recent ruling by the Court of Justice of the European Union (CJEU) that a website operator who embeds a Facebook “Like” button is a joint controller with Facebook for the collection and transmission of visitors’ personal data*, this post looks more closely at the contractual relationship between website operators and the 3rd party technology solutions that collect personal information from an operator’s website, with a few tips for both brands and 3rd parties to help foster a trustworthy (and compliant) user experience.
For those still wondering why this ruling is so important: if you, the website operator (an e-commerce brand/retailer, or a publisher/news site), have a Facebook “Like” button on your website (for example on a news story or a product page), then personal data about every visitor to that page (such as their IP address and browser details) is sent to Facebook as soon as the page loads, whether or not the visitor clicks the button and whether or not they have a Facebook account. Once that data reaches Facebook, Facebook decides what happens to it. If the user does click “Like”, Facebook can, for example, tell that user’s friends via their news feed that the user liked a product or news article. Facebook is also able to collect all of a user’s “Like” activity in order to build a profile of him/her and then serve targeted ads or content (and possibly sell access to that profile to other advertisers looking for a similar audience). All of this follows from what looks like an innocent gesture of appreciation for a product or news story published on the website operator’s site, while the operator, once the plugin has fired, has no control over what happens to that user’s information.
The CJEU ruling is also significant because it does not apply only to Facebook. The website operator is ultimately accountable for any advertising/marketing technology tracker or social media plug-in deployed on its website that collects personal information, whether that information identifies a person in its own right (such as an IP address) or only when combined with other data (for example “click reference/id” + “source” + “device id” + “location” + “products viewed” + “other websites visited” + “order ID”), on any electronic device (desktop, mobile/handheld or otherwise), through:
- Sponsored Search Engine (Pay Per Click) listings
- Content Ads (for example the “Sponsored Links” that you often see on news/media sites)
- Product Listings Adverts on Search Engine Shopping channels and comparison shopping engines/sites
- Affiliate Marketing & influencer (blogger) marketing ads and text links
- Social Media sharing
- Display advertising
- Behavioural Targeting & Re-targeting adverts
Using an advertising agency doesn’t shield you from responsibility
Even if a website operator outsources its marketing/advertising activity to an agency and gives that agency free rein in how it achieves the commercial and marketing objectives, it remains the website operator’s responsibility to know what information is collected about a user through those marketing channels and what processing of that information follows, so that the operator can tell its users which data-collecting partners it works with.
How can website operators ensure they’re working towards compliance?
Before commencing the relationship with any 3rd party vendor, whether that is for marketing/advertising technology solutions/social plugins or agency management of marketing strategy and activity, there needs to be a written agreement in place that defines the boundaries and where each party’s responsibility begins and ends. Article 26 (Joint Controllers) of the GDPR requires joint controllers to set out, in a transparent arrangement, their respective responsibilities for compliance (in particular for providing information to users and handling their rights requests) and to make the essence of that arrangement available to users; the website operator’s own rights should also be written into it. In practice the agreement (also known as a “controller:controller” agreement) should include the contact details of the joint controller, the purposes of the joint controller’s processing, the categories of data being processed, details of where that data will be transferred to (if outside the EEA, together with the safeguards being applied), how long that data will be kept, and a description of the technical and organisational measures taken by that joint controller.
What else does the website operator need to do?
The website operator also needs to fully inform users, in accordance with the lawfulness, fairness and transparency principle (Article 5), about the tracking/social media plugins on its site that will collect their data (in the case of a social plugin, as soon as the page loads, not only when they click or “Like”). The website operator will need to list exactly what data is collected, the purposes for which it is collected and processed, and the contact details of the social media/3rd party tracking/plugin provider/agency for any queries or for users to exercise their rights (the rights to information, access, rectification, erasure, restriction of processing, objection, not to be subject to automated decision making such as profiling, and to have their data moved/ported to another provider/competitor, as set out in Articles 12-22).
The website operator will have to establish a lawful basis for the collection and processing carried out by the advertising/marketing technology provider and/or agency. In practice this means that the website operator and the joint controller need to obtain freely given, specific, informed and unambiguous consent from the user before the data is collected. Legitimate interest is unlikely to suffice: a legitimate interest assessment for this kind of tracking will generally show that the commercial interests of the website operator are outweighed by the impact on the user’s rights and interests.
Ignoring these requirements when it comes to Joint Controller or Controller:Processor agreements could leave the website operator exposed to the maximum financial penalty (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher) or to an order from the supervisory authority to suspend or stop the processing altogether, which for most organisations would be even worse than the fine. It is vital that those 3rd party contracts are reviewed and updated to reflect current Data Protection Laws and Regulations.
Of course, if the 3rd party acts only on the strict instructions of the website operator, that is a “Controller:Processor” relationship. It requires a differently worded agreement (the written contract terms set out in Article 28), but it still requires the processor to have adequate security measures, policies and processes in place to protect any user data of a personal nature.
For further information and guidance on 3rd party contracts (Controller:Controller, Controller:Processor, and Processor:Processor), please get in touch.