Recently, the Belgian Privacy Commission addressed personal privacy concerns about Facebook social plug-ins, such as the "Like" and "Share" buttons.
These plug-ins allow Facebook to track individuals who use them outside of the Facebook platform by installing permanent cookies on users' devices, whether or not the person is logged in to Facebook, and whether or not they are a registered Facebook user at all. These cookies are then used to collect browsing data and for advertising purposes.
While registered Facebook users have given their clear and specific consent during the registration process, Facebook non-users have not given it.
Because of this, the Privacy Commission has made a few recommendations:
- Facebook should not place unique identifier and long-lasting cookies on devices that belong to users who are not registered Facebook users, or to users who have not given clear and specific consent that this would be acceptable to them;
Similarly, website owners are encouraged to create new relevant policies, such as a "Social Share Privacy" policy, where users can find out about cookies that may be installed when clicking "Like" or "Share" buttons.
While the above points reference Facebook, these points are very important for other websites and mobile apps as well. These recommendations should be applied to all embeddable plug-ins used by websites or mobile apps that place cookies on a device when used.
If your business is developing an embeddable web plug-in that is similar to the Facebook "Like" and "Share" buttons, you will want to pay attention to the recommendations above.
SoundCloud and YouTube are examples of websites that offer popular embeddable plug-ins.
The following image is a SoundCloud page where users can choose and customize options for the plug-in before embedding it. The embed code is generated automatically to allow for easy sharing on all websites.
From video sharing to commenting on blog posts to re-posting news articles, these kinds of plug-ins help websites and media outlets spread their content.
Follow these steps with your plug-in to ensure compliance with important global privacy laws.
Recommendations for web plugins
Always obtain consent
In the image below, note how Facebook makes all users who sign up agree to Facebook's Terms, the Data Use Policy, and the Cookie Use Policy.
Facebook then, in one or more of these policies, describes practices of how personal information is collected and how cookies are placed. By providing this information to users who wish to sign up, and by making acceptance and agreement to these terms part of the sign up process, Facebook is ensuring that registered users will be considered to have given consent for what is found in those legal agreements.
- What data you collect
- Why you collect this data
- How you collect it
- What the data will be used for
No consent, no cookies
If you have not obtained clear and actual consent from a user to place cookies on their device, do not place them.
There's also no consent or agreement given by people who don't use Facebook to have these cookies placed:
This leads to the second recommendation of the Privacy Commission that all businesses with embeddable web plugins should pay attention to.
If your plugin can be embedded on a third party site and used by individuals who are not registered with your actual website, and if cookies are placed on these users' devices after using the plugin, this fact should be made clearly known to people who will potentially be using your plugin.
Consider having a separate link on your website homepage that says something like "Social Sharing Plug-in Privacy Information" so that users can easily notice that there is a separate informative section that would be relevant for people who aren't registered with the entire website but who do use the social sharing plugin.
Not only should the business behind the embedded plugin make this information readily available to the public and potential users, but third party websites that embed the plugin should also take steps to let users know that personal data is being transferred and processed when the plug-in is used.
SoundCloud offers an embeddable plugin that allows users to share their music and audio with others on the internet by sharing the plugin on a website or blog. This plugin makes it easy and convenient to share information with your website visitors.
Within that agreement, note how SoundCloud includes information about how activities such as Likes, Follows, and Plays are tracked within the app and sent to a third party, Localytics.
Similarly, Disqus, the popular social media sharing platform, makes it easy to embed its website plug-in on other websites and platforms to include a comment section:
The image below shows how Disqus is incorporated into The Next Web website at the bottom of articles.
The applicable language states:
We may receive personally identifiable information about you from third parties, including, for example, information about your transactions, purchase history, or relationships with various product and service providers, and your use of certain applications.
For example, if you access our website or Service through a third-party connection or log-in, for example, through Facebook Connect, by "following," "liking," linking your account to the Disqus service, etc., that third party may pass certain information about your use of its service to Disqus
This is why Facebook, Disqus, and any other business or website that either creates or uses third-party embedded plug-ins should make this information much more easily accessible and well-known.
By following these guidelines for your embeddable web plug-in, you will stay compliant and help promote good privacy law practices.
For example, Facebook could follow the approach that SoundCloud and Disqus have taken by providing these legal agreement links directly on the "Like" page embeddable plugin.
In the image above, the area within the yellow box would be a great area to place links to legal agreements because the area is prominent and would not be missed by anyone who would be about to click the "Like" button.
This placement would make sure that no matter what website the "Like" plugin is being used on, a user is aware that by clicking "Like" there may be personal data collected or cookies placed.