Websites liable for Facebook ‘Like’ button, EU court rules


The European Court of Justice has ruled that the ‘Like’ function created by Facebook makes third-party websites responsible for processing user data under the GDPR, reports reveal.

Europe’s highest court was forced to step in after a web-based fashion store embedded a Like plugin into the social network, only to find itself accused of violating the GDPR. According to a consumer association, Facebook was permitted to collect data on the website’s users.

A Luxembourg-based court declared earlier this week that the website’s owner can be liable for “the collection and transmission to Facebook of the personal data of visitors to its website.”

On the other hand, “that operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone,” the court said. No appeals to the ruling are being permitted.

Privacy lawyers around the world will have taken note of the decision; many companies may not know the risks associated with sharing liability with big tech firms such as Facebook, when it comes to embedding social plug-ins and bearing Facebook’s ‘Like’ function on their website.

In Belgium in 2018, the data protection regulator said that a ruling which made websites jointly liable could lead to “serious” consequences for website owners.

Facebook’s associate general counsel, Jack Gilbert, said:

“Website plugins are common and important features of the modern internet. We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”

Speaking before the ruling was made, technology and data protection lawyer, Tom de Cordier brought attention to the likelihood of major companies using technology to track user data on their websites.

“The impact will be that if something goes wrong on the data collection side, you may be on the hook as much as Facebook is,” he said.

“If the court takes a fairly broad interpretation of the concept of joint controllership, the risk exposure for companies becomes much bigger. The level of awareness of this risk is still very low.”

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.