Facebook cookie case: Why even the 'Like' button infringes EU 'informed consent' privacy law
Is Facebook violating European privacy laws?
To maintain its citizens' right to privacy, the EU requires all websites with a European user base to inform visitors about the use of cookies. It's a process called obtaining 'informed consent'.
But the informed-consent rule is widely open to interpretation by EU privacy regulators, as the ongoing case involving Facebook's use of cookies in Belgium demonstrates.
In November, a Belgian court ordered Facebook to stop tracking non-Facebook web users through social plugins on third-party websites. Facebook has been able to follow the web activity of individuals who do not hold Facebook accounts through a special cookie.
"Notice and consent are only part of the equation," Brendan van Alsenoy, a legal researcher at the KU Leuven Centre for IP & IT Law, told ZDNet. Van Alsenoy acted as an independent adviser to the Belgian Privacy Commission's Facebook investigation.
"EU data-protection laws also prohibit processing of personal data that is excessive in relation to the purposes pursued," he said.
Facebook hides a cookie called 'datr' in the code of its social plugins and on Facebook.com. The firm argues that the datr cookie is necessary to secure its services from data breaches.
But the informed-consent cookie policy does not go far enough in protecting users from what the EU considers "excessive" personal data-tracking by cookies and other methods, van Alsenoy said.
In particular, the EU is careful to limit how data-tracking cookies are used on health and government websites.
Van Alsenoy said Facebook's Like button is the most ubiquitous social plugin used by third-party websites. It is present on more than 13 million sites, covering almost all website categories, including health and governmental websites.
Most EU member states see health and government websites as essential citizen services, where the user has no other option but to use them. Their content should be open to all users, regardless of their privacy preferences.
Accepting a data-tracking cookie through the Like button on health and government websites then becomes a pre-condition for using these essential services. Therefore, most EU countries believe it is unlawful to place this type of cookie on these websites.
"The Belgian judge considered that Facebook's tracking of non-users, even if it were undertaken only for security purposes, was excessive and violated their reasonable expectation of privacy," van Alsenoy said.
Every time a person visits Facebook.com, their browser downloads or updates the datr cookie, regardless of whether they belong to the social network.
By blocking non-Facebook users from Facebook.com, Facebook can ensure these users avoid downloading the cookie in the first place.
Facebook wrote to Belgian authorities in early December, saying that it would block non-Facebook users from accessing content on Facebook, though it is not clear when and if the block has yet taken effect. The court ruled that Facebook must pay €250,000 for each day that Facebook does not comply with the order.
Facebook continues to use the datr cookie outside Belgium and is currently appealing against the Belgian court's decision.
Meanwhile, political pressure at the European level could give the EU more leverage against Facebook. A data-privacy consortium, comprising Belgian, Dutch, German, French, and Spanish privacy regulators, now expects Facebook to comply with the Belgian court order across the entire EU.
Legislation recently approved by the European Commission will also give more power to national data-protection authorities to police the privacy policies of more internet companies.
Following the Belgian Privacy Commission's precedent, national privacy regulators across the EU may legally be able to fine and order corrective action against any website operator that they deem is infringing on a country's privacy rules.