back to article Facebook Like, social sharing buttons on your website may land you in GDPR hot water if data goes a-wanderin'

In a case being considered by the European Court of Justice (CJEU), Advocate General Michal Bobek argued on Wednesday that website operators should share some responsibility with providers of embedded web widgets for ensuring that any data collection complies with legal requirements. In other words, if you embed a Facebook ' …

  1. Pascal Monett Silver badge
    Thumb Up

    "website operators should obtain the consent of site visitors before collecting data"

    Music to my ears.

    Seems like GDPR is going to throw one hell of a monkey wrench in the current ad paradigm.

    And that's a Good Thing (TM).

    1. big_D Silver badge

      Re: "website operators should obtain the consent of site visitors before collecting data"

      I was sent a link to an article for a UK newspaper by a friend, I opened the site and they had the privacy policy shown up front, OK to continue or control privacy settings. I chose control...

      It displayed me a list of 275 tracking sites that were linked to the site and all were defaulted to ON! On top of that, there was no option to disable all of them, I had to literally click 275 times on the page to turn off the tracking. It is the last time I will visit that site or any other site that takes the Michael like that!

      1. Joe W Silver badge

        Re: "website operators should obtain the consent of site visitors before collecting data"

        And AFAIK default on is against the gdpr, or should be.. but yes, that is oh so nasty. I simply refuse to view those sites.

        1. OhThatGuy

          Re: "website operators should obtain the consent of site visitors before collecting data"

          And 275 different controls doesn't fulfill the "simple to use" req in GDPR. I think it has to be much closer to the 3-5 classes of controls that GDPR lists.

      2. Anonymous Coward
        Anonymous Coward

        Re: "website operators should obtain the consent of site visitors before collecting data"

        You'll probably find there is a button to turn them all off, however it won't be marked as such. The site you are talking about may have had a button called "measurements" which when clicked killed all the individual providers.

        However, this very site probably does not have GDPR compliant cookies in place and the only options for logging out are by going to the individual mentioned sites and trying to work out how to do it from there. They also rely incorrectly on "legitimate business reasons" which, does not actually mean what the companies who rely on it think it means.

        1. big_D Silver badge

          Re: "website operators should obtain the consent of site visitors before collecting data"

          I did look for any method of disabling them all, there wasn't one. I've landed on a few other sites that did have such an option. This one was just plain hostile.

          1. Doctor Syntax Silver badge

            Re: "website operators should obtain the consent of site visitors before collecting data"

            "I did look for any method of disabling them all, there wasn't one. I've landed on a few other sites that did have such an option. This one was just plain hostile."

            Let me guess. What used to be Trinity Mirror Group? I think it's now called Reach.

          2. Anonymous Coward
            Anonymous Coward

            Re: "website operators should obtain the consent of site visitors before collecting data"

            Which site was it? If it was one of the Mirror(Reach) group then there is a button - I was wrong about measurement it is called information and storage.

            1. Doctor Syntax Silver badge

              Re: "website operators should obtain the consent of site visitors before collecting data"

              "f it was one of the Mirror(Reach) group then there is a button - I was wrong about measurement it is called information and storage."

              And it does absolutely nothing to the huge list of pre-ticked opt-in boxes. At least it doesn't in my browser. Possibly it might if I opened up to the huge list of sites that want to run scripts on that page but that defeats the object. And in any case it doesn't affect the basic offence against GDPR. By being pre-ticked they're opt-out not opt-in.

            2. Allan George Dyer Silver badge
              Coat

              Re: "website operators should obtain the consent of site visitors before collecting data"

              "If it was one of the Mirror(Reach) group then there is a button - I was wrong about measurement it is called information and storage."

              Ah, I understand. The information is: Beware of the Leopard

              The storage, of course, is locked, in a disused lavatory, in the basement. There are no stairs. Or lights.

              The one with the electronic thumb in the pocket, of course.

        2. Anonymous Coward
          Anonymous Coward

          Re: "website operators should obtain the consent of site visitors before collecting data"

          "You'll probably find there is a button to turn them all off, however it won't be marked as such."

          There's one opt-out page I've encountered several times which has a big "conitinue" button which takes you nack to the opt-out selection unless you have opted-in and the way to retian the opt-out is to cliick the word "leave" which is in much smaller fontsize just below the the huge "continue" button.

    2. DougS Silver badge

      Re: "website operators should obtain the consent of site visitors before collecting data"

      Seems like GDPR is going to throw one hell of a monkey wrench in the current ad paradigm.

      I really hope you're right, but I think if it does the corporate lobbyists will start a whisper campaign that the GDPR will hamstring the EU economy and some holes will be carved in it before long.

      1. Doctor Syntax Silver badge

        Re: "website operators should obtain the consent of site visitors before collecting data"

        "corporate lobbyists will start a whisper campaign that the GDPR will hamstring the EU economy and some holes will be carved in it before long."

        They'll find FB et al have irretrievably fouled the nest.

        1. Doctor Syntax Silver badge

          Re: "website operators should obtain the consent of site visitors before collecting data"

          There's another aspect of that. The EU folks are smart enough to realise that far from harming the EU economy there are competitive advantages in establishing data sovereignty.

  2. Anonymous South African Coward Silver badge

    This will be interesting going forward.

    Of course you are liable for any data slurpage as soon as you put on a fb icon and link to fb. Same goes for google.

    Only way to prevent that is not to link to anything google or facebook.

    1. Len Silver badge
      Thumb Up

      Some more conscientious site operators do not embed the Facebook button from a FB server (as that means a user is actually downloading an asset from FB servers, giving them the metadata mentioned in the article). Instead you can just locally host the image on your own servers with a link behind it that only gets activated if someone clicks on it.

      It is a great way to take your visitor's privacy seriously but still have the option of some of them choosing to 'Like' your site.

      1. Doctor Syntax Silver badge

        "It is a great way to take your visitor's privacy seriously but still have the option of some of them choosing to 'Like' your site."

        And as Facebook's public reputation sinks, it'll cause more people to dislike your site for having it there.

      2. Anonymous Coward
        Anonymous Coward

        That's exactly what I do on my sites. There's no need to embed yet more dodgy JS or images from Facebook, a plain old locally generated link does the job.

    2. Mark 85 Silver badge

      Once upon time, having link on webpage was just that, link. No data collected, just link that would take you to the site. Most people (sheeple?) seem to think that is all the links do now. The damn things are shipping everything back to the mothership whether you click on them or not.

      The best we can probably hope for is a return to the old method. But then the cool kids won't be able to tell the world where they're having lunch without actually logging in and posting.

  3. big_D Silver badge

    This was the case...

    long before GDPR. Under the previous data protection rules it was still illegal.

    That is why heise publiching in Germany (also runs the Heise Security website) published the Shariff module in 2014, which can be added to any website.

    It shows greyed out social media icons with sliders next to them. When you explicitly want to share with a specific social media site, you can change the slider of the relevant icon and it becomes active and only then does the relevant code for that website get loaded.

    1. sabroni Silver badge

      Re: This was the case...

      Where does the icon come from? If it's served from facebook then it doesn't matter that the code doesn't run, they'll have your tracking cookie from the icon request.

      1. big_D Silver badge

        Re: This was the case...

        The greyed out icons are stored locally, only after they are activated are the official (coloured) icons loaded, along with the relevant scripts.

    2. Warm Braw Silver badge

      Re: This was the case...

      Until the social media giants exercise their rights and prevent third parties publishing colourless images of their trademarks...

      Making the tracking optional doesn't really solve the problem - people really don't have any clue about the full consequences of opting in and are unlikely to accept that, say, foreign governments could start influencing their voting intentions as a result. The whole business model needs to be outlawed.

      1. Doctor Syntax Silver badge

        Re: This was the case...

        "Until the social media giants exercise their rights and prevent third parties publishing colourless images of their trademarks."

        In that case the site owners would have to weigh up their options and not having the media buttons seems increasingly likely for someone who has taken this precaution in the first place.

    3. Charlie Clark Silver badge

      Re: This was the case...

      Yep, pretty much an open and shut case. The "like" button is very clever marketing by Facebook but it really is just a tracking beacon and one of the reasons for the GDPR. More importantly, companies that use gimmicks like this are fooling themselves: while they can collect some data, they can only get what Facebook will give them, while Facebook gets to keep everything and aggregate it so that they can track users across the internet; they can (and do) even sell the data collected to companies' competitors. Would be nice to see more emphasis on the business aspects in these kind of stories.

  4. malle-herbert Silver badge
    Big Brother

    Good...

    Maybe that will stop them shadow-profiling everyone...

    1. Wellyboot Silver badge

      Re: Good...

      First they'd need to find where MZ buried his morals & ethics.

      I've never used FB but I'd really like to see my profile they've derived from everyone else.

      1. OhThatGuy

        Re: Good...

        "First they'd need to find where MZ buried his morals & ethics" - I don't think he's ever been bee troubled with either of those...

      2. John Brown (no body) Silver badge

        Re: Good...

        "First they'd need to find where MZ buried his morals & ethics."

        Probably in the same hole as Jimmy Hoffer.

  5. Mage Silver badge
    Flame

    This has ALWAYS been abusive

    The problem is that Facebook, Pinterest, Twitter etc offer little code snippets for a site builder. People thoughtlessly include them.

    If you MUST promote these toxic parasites, (Pinterest and Youtube are not just personal info thieves but serial copyright infringers), then put an icon/image and an HTML link. NO script. The scripts are tracking* people that load the page, not just those clicking. Surely that's been illegal even before GDPR?

    (* i.e. ALL the browser info that the host page gets, which is still too much due to idiotic deliberate design. Browsers share too much).

  6. Anonymous Coward
    Big Brother

    Anyone care to hit the Facebook like button at the bottom of this article ?

    1. Mage Silver badge
      Headmaster

      The Register SM icons

      "care to hit the Facebook like button"

      It's just an image with an HTML link, not the snippet that FB offers. Unless I'm missing something due to uMatrix. AFAIK El Reg has used "polite" legal SM icons for some time. Right click and "inspect element" if using Waterfox or Firefox.

      1. Anonymous Coward
        Anonymous Coward

        Re: The Register SM icons

        >It's just an image with an HTML link

        Thank you for the info, anything with an F icon I always treat as hostile as in Fucking do not click here.

        1. Mage Silver badge

          Re: ... do not click here

          That's the problem with the FB (and others) supplied snippit. It tracks using scripts. If you have facebook scripts but not the facebook domains hosting the image etc blocked, then to an extent FB still senses the traffic and maybe even get your browser stats. I'm not sure how much a non-unique URL of an image exposes. Usually "clear" pixels as trackers have a unique per page URL. Also why ALL remote content, not just scripts, but remote images are blocked in my email client. Often email remote images have unique "fake" url suffixes after the / for the main domain to enable per destination delivery verification. Website image trackers are similar.

          It's time that the ONLY 3rd part content on a website is a non-unique URL that is only an HTML link, no image loading, script or tracking suffix. It may even be a legal requirement already, even before GDPR in Europe, it's just people like Irish Data Commissioner are "lazy" (Google moves ALL EU T&C to Google Ireland from Google LLC in Jan, yet STILL has no clear opt out and by defaults tracks).

          Time to ditch Google API, Google Fonts and Google Analytics etc. All the equivalents can be hosted free on your own server. Stop giving Google a free ride. No Google service is free. Ordinary users pay via their usage.

          1. JohnFen Silver badge

            Re: ... do not click here

            "Also why ALL remote content, not just scripts, but remote images are blocked in my email client."

            Me too. I also don't allow my mailreader to interpret HTML.

            Someone where I work didn't realize that this was possible, and asked me why I never read her emails. I told her that I do, and why does she think I don't? Turns out it's because the program she uses embeds a tracker that lets her know who has opened it, but since I block all that stuff, she never got notification that I did.

            That made me very happy.

      2. A K Stiles
        Thumb Up

        Re: The Register SM icons

        Interesting that (at least on my screen) the reddit, twitter and linkedin icons are all anchor links to a sharing url but the facebook one is 'just' an image, not a link, although the cursor reacts to it so presumably (cba to look) some scripting to do 'stuff' with it when clicked.

        Reg at least gets a thumb up for them not being evil tracking things, assuming the above mentioned script isn't doing that...

  7. brym

    Backdoors

    Facebook don't only use their own code snippets for like/share/etc buttons. They backdoor their trackers into popular 3rd party web apps like Disqus.

    1. JohnFen Silver badge

      Re: Backdoors

      A website that uses Disqus for its comment section is a website without a comment section.

  8. Chris G Silver badge

    In answer to the sub heading; yes, anyone using embedded links should be responsible for subsequent data acquisition. Perhaps such links should have a data health warning next them as well.

  9. Voland's right hand Silver badge

    Facebook Like is the "harmless one"

    The current fashion is to use Instagram (and several similar sites). The difference between them and Facebook is that they are designed to be embeddable and provide resources without which you cannot read the page - f.e. pictures. If you are Joe Average luser and you have an Instagram account appropriate information is collected and the page owner gets it by being subscribed to the relevant APIs as an "advertiser" or a "partner".

    A good example (apologies for linking RT, but they are one of the most exemplary slimef*cks to use it): https://www.rt.com/news/445645-miss-universe-iceland-russian-origin/

    Seemingly harmless article with some blond beauty queen clickbait. It is set up for data collection of who you are. By the way a significant chunk of the material USA now blames to be Instagram election interference was probably uploaded on Instagram for similar purposes - use it as a CDN which captures detailed user data in the process and it is not something to which they fess up openly so they are at present a GDPR fair game. They are not the only ones too - there are USA sites working for their "adversaries" doing that.

  10. JohnFen Silver badge

    I would love to see that happen

    It sounds fair to me -- if a site decides to expose its users to trackers, including Facebook's, it only seems right that they should have to take responsibility for that decision.

  11. Will Godfrey Silver badge
    Linux

    Damage Limitation

    One thing I never do these days is to directly go from site to site. If I'm looking for something I get a list from the search engine (usually startpage), then close the browser. My browser is configured to delete all cookies on exit. When I go to one of the sites on the list in a new session they get very little info about me - and if I see that 'Like' button it's immediate shut down.

    The only time I ever use google is when looking up software and programming info (it does tend to be quite good for that), so they must have a very slanted profile for me!

    That might seem tedious and overkill, but it's surprising how quickly it becomes a habit and it doesn't actually slow me down - just a few seconds against many minutes actually on a site.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019