Embedded Code = Joint Control => Joint Liability
Embedding someone else’s code in your website may seem a like great idea – embedding a “Like” button from Facebook or a “Share” button from LinkedIn. The buttons provide your visitors with an opportunity to interact with your site, share an article, or like a picture. But, the embedded code for those buttons may be collecting more information than the site owner may be aware and creating liability for the site owner as well.
The Court of Justice for the European Union (CJEU) recently ruled that the site operator or website owner can be a “joint controller”. A joint controller is a processor of information for a common economic interest. An embedded button, such as a “Like” button for Facebook, can collect information for the benefit of the code provider (e.g., Facebook, LinkedIn, etc.) and the website owner / operator. To understand the benefits of embedded code we have to dive into the world of web browser usage trackers known as cookies.
Generally, a website “cookie” allows the website to provide the user with a better experience by saving options such as preferences, usernames, browsing history, and/or other data. By accepting the use of the cookie, the user does not have to enter the same information each time they visit the website. An example of such a benefit might be if a user were to search a website for car parts and filters, or searches the information for a particular car based on the make, model, and/or year. Using cookies, the site can store or associate this information with the user and each time the user visits the site this cookie will allow the site to automatically narrow the search results for the user. Cookies can save users’ time, help the website owner track site usage, help reduce the possibility of shipping the wrong part, and have many other benefits. Cookies, however, can also be used to track things like users’ browsing history or users’ information if the information has been provided to the website.
Websites are not the only beneficiaries, recipients, or processors of the information captured by cookies, however. Companies that provide embedded code (e.g., Facebook for “Like” buttons), share links, or other interactive code objects can use that code to capture the same information as the cookie might capture. So in addition to the capturing the user data on a website to provide the user with better interactive experience and the website owner with helpful operational data, the data may also be sent to the companies such as Facebook who have provided the embedded code to the site.
The practical effect of this linked interest is that the website owner can become responsible for the information captured by the embedded code and the subsequent use and processing of such information. This can be true even if the website owner is not aware of or has access to the information captured by the embedded code. Within the opinion the court noted:
[T]he fact that the operator of a website …does not itself have access to the personal data collected and transmitted to the provider of the social plugin with which it determines jointly the means and purposes of the processing of personal data does not preclude it from being a controller.
The CJEU ruling creates liability in that website owners are responsible for the information being captured by a social media site, such as Facebook, through the embedding of the social-media provided buttons on their website. Website owners are now responsible for the collection of personal information through embedded code on their website whether or not the website owner may even be aware of the information being captured and the owner may not even benefit from the information.
As more and more states begin to regulate the data captured by websites, they too may look to hold website owners responsible for the data captured on their sites, regardless of where the data is ultimately sent, whether the owner knew about the information, and whether the site owner benefited from the data capture. It will become increasingly more important for website owners and developers to know:
- What data privacy laws, if any, are applicable;
- What code is embedded on the site;
- What information the code captures;
- What information the code transmits to third-party providers;
- If the state laws for the business or the customer regulate the capture or distribution of such information;
- If the contract or statement of work for site developer addresses the issue of embedded code; and
- How the business can protect itself from claims by users or customers if a third-party’s embedded code collects more information than allowed.
 C-40/17, Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV.
 IBID at paragraph 82.