Privacy implications when embedding third party widgets

By Cody Haricombe on 10 October 2019

Finding a Facebook "Like" button or similar social plugin on a website is commonplace these days.  Website operators often embed these plugins on their websites in order to enhance their presence, as well as the visibility of their products, on social media.  This post highlights a recent ruling of the Court of Justice of the European Union (herein "CJEU"), where it was held that if you have embedded such a plugin on your website then you are a joint data controller with the provider of the plugin, and considers the potential impact of such ruling from a South African legal perspective.

The CJEU ruling in a nutshell

The CJEU handed down the ruling in their judgment of 29 July 2019 (cited as "Fashion ID (C-40/17)").  In this case, an online fashion retailer embedded a Like button on their website that collected and then transmitted visitors' personal information (think IP addresses, browser data, etc.) (herein "Personal Information") to Facebook automatically, with transmission apparently occurring without the visitor being aware of it, without the visitor having to be a member of the Facebook social networking platform and without the visitor having to click on the Like button itself.

To summarise for purposes of this post, the CJEU ruled that:
  • a website operator that embeds such a plugin on their website, which causes the collection and transmission of Personal Information to the plugin provider, can be considered a joint data controller of the Personal Information with the plugin provider under relevant EU privacy law; and
  • the liability of the website operator in such circumstances would, however, be limited to its collection of the Personal Information and the transmission thereof to the plugin provider.
In other words, by embedding a plugin on its website that causes the collection and transmission of Personal Information to the plugin provider, the website operator acted as data controller as it determined the purpose and means of the collection and transmission of the Personal Information.  The designation as data controller in such a situation naturally carries with it several compliance obligations, but the website operator would only be liable in that regard up to the point that the Personal Information is transmitted through the plugin, and would not be liable for the actions of the plugin provider following transmission.

One such compliance obligation (among others) is that the website operator would have to obtain the consent of a visitor before the collection/transmission of the Personal Information, this being regardless of whether the Like (or similar) button is clicked or not.  Think of how websites eagerly ask you to confirm your cookie preferences these days – the same might soon occur with Like buttons and other plugins.  It would also be good practice for the website operator and plugin provider, as joint data controllers, to put a data sharing agreement in place, to contractually regulate their respective rights and corresponding obligations in respect of the Personal Information being collected and transmitted.

The POPIA context

In South Africa, the Protection of Personal Information Act, No. 4 of 2013 (herein "POPIA"), while not yet fully in force, is substantially aligned with trends set by the EU, including its privacy laws.  In the context of the CJEU's ruling:
  • while you wouldn't be called a data controller for purposes of POPIA, section 1 of POPIA defines a "responsible party" as any "…person which, alone or in conjunction with others, determines the purpose of and means for processing personal information" (the writer's underlining for emphasis), which is effectively the equivalent of a data controller in EU terminology.  Further, the definition of "processing" in section 1 of POPIA includes the "collection" and "dissemination by means of transmission" of Personal Information, which is also aligned with EU terminology; and
  • as is the case with being designated as data controller for purposes of EU privacy law, the designation as responsible party for purposes of POPIA similarly carries with it the burden of several compliance obligations.
Given the substantial alignment between EU privacy law and POPIA, it is the writer's view that the CJEU's ruling would prove instructive in cases where South African website operators embed Like (or similar) buttons on their websites.  Looking ahead to the day when POPIA comes into full force and effect (herein "POPIA-Day"), South African website operators should heed the CJEU's ruling as our courts may very well follow suit if/when faced with similar issues.


As with just about anything, it always makes sense to rather plan ahead and put appropriate safeguards in place, than to only deal with issues as they arise.  In preparing for POPIA-Day, South African website operators should seriously consider putting a roadmap in place to ensure compliance with their privacy law obligations, including as prescribed under POPIA.  We've posted some thoughts developing such a roadmap before, which you can read  here:

Back to top

Please note that the legal topics informally discussed here are general discussions of certain aspects and therefore certainly not intended as legal advice.  We look forward to discussing your particular case with you.