If the Facebook landscape were a real spatial entity, it would look like an infinite meadow filled with thumbs-up likes swaying in the warm breeze like dandelions sparkling in the morning sun, still covered by pearls of dew. The sun always shines in like-like land, where neither rain nor dislikes are to be found. Or at least that’s what the travel agency would say. The photos never show the thick pipelines sunk beneath, pipes carrying data – ‘the new oil’ – to offshore tax havens.

Facebook has been in trouble a lot in recent years, particularly with regard to questionable data practices. One recent story that has received less media attention is the EU’s ruling on websites embedding Facebook’s ‘like’ widget.

Facebook’s ‘like’ widget and the GDPR

One dark cloud in like-like land recently rolled onto the horizon, quite unceremoniously and with little fanfare from the Court of Justice of the European Union. They recently ruled that websites embedding Facebook’s ‘like’ widget are sending browsing data to Facebook whether the user clicks the widget or not, leaving the user no way to opt out. The court found that such a website would be violating the EU General Data Protection Regulation (GDPR), and that the website operator is required to receive consent before transmitting the information to Facebook. As of time of writing, there is no way to get permission before sending the data with the Facebook plugin, so the only way to be compliant with the judgement is by removing the widget completely while waiting for a possible fix from Facebook.

While most news sources have reported the story centring on Facebook, speaking as somebody with a legal background, the specific terminology used in the judgement should send cold shivers down the spine of every website operator. The Court of Justice specifically found that the website operator becomes the Data Controller concerning any personal data that is transmitted to Facebook.

The term ‘Data Controller’ is capitalised, because it has a very specific meaning as defined in Article 4 of the GDPR. The Data Controller is the party that is ultimately responsible for the behaviour of any third parties (called ‘Data Processors’) that they share personal data with. Therefore, by simply embedding the Facebook widget on their pages, the website operator has become legally and financially responsible for the operations of their Data Processor – in this case, Facebook.

And the fun doesn’t end at Article 4. The Data Controller – the website operator – now needs to comply with all the provisions for Data Controllers, including but not limited to collecting consent from all website visitors (now ‘Data Subjects’), enabling Data Subjects to review the data stored about them, and ensuring that every Data Processor will not transfer or share data with anybody else without written authorisation and that they will delete the personal data on request.

Social Sign-On – ‘Log in with Facebook’

It’s scary how little coverage this ruling received. It seemingly came as a surprise that tracking people across the internet without their consent would be judged so harshly. What is even scarier though, is the use of Facebook login methods in the light of this ruling – the familiar ‘Log in with Facebook’ option.

Prior to 21/3/18, there were no controls over the attributes that Facebook returned, and no option for an end user to review them. Any site/application being logged into via Facebook would get anything your Facebook account had access to – e.g. all the text, photos etc. from yourself and your Facebook friends that you could view. Then came the Cambridge Analytica scandal and now the site/application should get only global Facebook ID, gender, location, age range, name, profile image and email address without prompts. If you have a Facebook account, you can check yourself: settings > account settings > apps and websites > logged in with Facebook. Go here for further reading on this.

Facebook sign-on can serve as a convenient identity verification method, but if an innocent configuration error can potentially turn into GDPR-compliance nightmare, perhaps developers should consider strong authentication methods instead. With an Identity and Access Management (IAM) platform that has been designed for customers from the start, the strong authentication methods are strong, not hard, so are just as convenient as social media sign-on methods. It’s also possible to give users options, so they can choose how to verify their identity when accessing apps and services.


Legislation can feel glacial when compared with like-like land memes that live and die within days, but eventually the real world will catch up. Social media has great potential and power to change the way people perceive the real world, but with great power comes great responsibility.

While Facebook cannot (or at least should not) ignore this responsibility for much longer due to growing pressure on all sides, website operators and business owners must make sure they’re not caught out in the meantime. Data privacy practices must be airtight – find out why now more than ever in our other blog, ‘What the hype around FaceApp and Netflix’s The Great Hack documentary means for businesses storing consumer data‘.


Disclaimer: The writer has a leveraged short position against Facebook (NASDAQ: FB).