Embedded Code = Joint Control => Joint Liability

Embedding someone else’s code in your website may seem a like great idea – embedding a “Like” button from Facebook or a “Share” button from LinkedIn.  The buttons provide your visitors with an opportunity to interact with your site, share an article, or like a picture.  But, the embedded code for those buttons may be collecting more information than the site owner may be aware and creating liability for the site owner as well.

The Court of Justice for the European Union (CJEU) recently ruled that the site operator or website owner can be a “joint controller”.[1]  A joint controller is a processor of information for a common economic interest.  An embedded button, such as a “Like” button for Facebook, can collect information for the benefit of the code provider (e.g., Facebook, LinkedIn, etc.) and the website owner / operator.  To understand the benefits of embedded code we have to dive into the world of web browser usage trackers known as cookies.

Generally, a website “cookie” allows the website to provide the user with a better experience by saving options such as preferences, usernames, browsing history, and/or other data.  By accepting the use of the cookie, the user does not have to enter the same information each time they visit the website.  An example of such a benefit might be if a user were to search a website for car parts and filters, or searches the information for a particular car based on the make, model, and/or year.  Using cookies, the site can store or associate this information with the user and each time the user visits the site this cookie will allow the site to automatically narrow the search results for the user.  Cookies can save users’ time, help the website owner track site usage, help reduce the possibility of shipping the wrong part, and have many other benefits. Cookies, however, can also be used to track things like users’ browsing history or users’ information if the information has been provided to the website. 

Websites are not the only beneficiaries, recipients, or processors of the information captured by cookies, however.  Companies that provide embedded code (e.g., Facebook for “Like” buttons), share links, or other interactive code objects can use that code to capture the same information as the cookie might capture.  So in addition to the capturing the user data on a website to provide the user with better interactive experience and the website owner with helpful operational data, the data may also be sent to the companies such as Facebook who have provided the embedded code to the site. 

“Like” buttons and such may be embedded on the many different websites, but the information captured by them is transmitted back to the social media website.  The button is based on JavaScript, which can contain any code the provider desires.  Social media sites allow and encourage the use of embedded code so they can follow, capture, and process the infarction of the user on many different sites.  Through this process, the website owners become facilitators, often unwittingly, of the social media organization’s massive data collection operations.  By enabling and facilitating these collection efforts, the website owner and the provider of the button have similar economic interests and are considered “joint controllers” for the CJEU analysis.

The practical effect of this linked interest is that the website owner can become responsible for the information captured by the embedded code and the subsequent use and processing of such information.  This can be true even if the website owner is not aware of or has access to the information captured by the embedded code.  Within the opinion the court noted:

[T]he fact that the operator of a website …does not itself have access to the personal data collected and transmitted to the provider of the social plugin with which it determines jointly the means and purposes of the processing of personal data does not preclude it from being a controller.[2]

The CJEU ruling creates liability in that website owners are responsible for the information being captured by a social media site, such as Facebook, through the embedding of the social-media provided buttons on their website. Website owners are now responsible for the collection of personal information through embedded code on their website whether or not the website owner may even be aware of the information being captured and the owner may not even benefit from the information. 

This liability can be further compounded if the website’s privacy policy either, 1) represents that personal information is not being captured on the site despite what the embedded code is capturing, or 2) does not the address capturing of personal information at all. 

As more and more states begin to regulate the data captured by websites, they too may look to hold website owners responsible for the data captured on their sites, regardless of where the data is ultimately sent, whether the owner knew about the information, and whether the site owner benefited from the data capture.  It will become increasingly more important for website owners and developers to know:

1. What data privacy laws, if any, are applicable;
2. What code is embedded on the site;
3. What information the code captures;
4. What information the code transmits to third-party providers;
5. Whether the privacy policy of the site addresses the issue;
6. If the state laws for the business or the customer regulate the capture or distribution of such information;
7. If the contract or statement of work for site developer addresses the issue of embedded code; and
8. How the business can protect itself from claims by users or customers if a third-party’s embedded code collects more information than allowed.

Robert L. Kardell

[1] C-40/17, Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV.

[2] IBID at paragraph 82.