News and Publications

To be or not to be a Facebook fan

Posted: 14/08/2018

A recent decision by the Court of Justice of the European Union (CJEU) will have particular significance to retailers and other organisations who may be Facebook ‘fan page’ administrators. The CJEU ruled in Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein that an administrator of a Facebook fan page is a controller in its own right for data protection purposes in respect of personal data that it collects and uses from its Facebook fan page. The administrator of the Facebook fan page therefore has direct compliance obligations in relation to personal data that it processes from that fan page.

What is a Facebook fan page?

A Facebook fan page is a business account for a company or organisation. It is different to a Facebook profile, in that users can ‘follow’ or ‘like’ the page, rather than request to be friends with the account. Facebook fan pages are often used by artists, celebrities and brands because they feature unique tools for tracking visitors, via the ‘Facebook Insights’ tool.

Many high profile companies and individuals will have both a website and a Facebook fan page. For example, retailers may use their Facebook fan page to communicate brand messages to visitors, market to visitors, such as advertising a 50% off sale or the launch of a new product, or present their products as part of designated shop section on the fan page. Visitors can then be redirected to the retailer’s website to make a purchase.

The Facebook fan page in the CJEU case

Facebook Insights collects personal data of visitors (irrespective of whether they have a Facebook account or not) through the use of cookies. However, the Facebook fan page of the Wirtschaftsakademie, a German educational and training services company, did not inform visitors that their personal data would be collected by the cookies. In addition, demographic data was gathered by Facebook including age, sex, occupation, relationship status and geographic information, with the purpose of providing marketing information to the Wirtschaftsakademie. Browsing history data was also used by Facebook to allow them to target advertisements at visitors.

The question asked was whether the Wirtschaftsakademie – ie the Facebook fan page administrator – could be “deemed a data controller of the information?”

A controller is defined by the Data Protection Directive 95/46/EC (which has since been replaced with the General Data Protection Regulation) as the natural or legal person who determines the purposes and means of processing personal data. A data controller is responsible for demonstrating compliance with data protection legislation, such as ensuring all necessary consents have been obtained and for informing data subjects how their personal data is collected and used. Retailers will be familiar with this concept, such as ensuring the correct consents are in place to market to customers about offers and new products, having cookie policies on their websites and having to be transparent about how personal data is used. But what about personal data obtained via a Facebook fan page?

The CJEU decision

Using the ‘Facebook Insights’ tool, the Wirtschaftsakademie was able to define the parameters of the personal data they received and could specify and target certain audiences. This particular element of control available to the Wirtschaftsakademie contributed toward the CJEU’s decision to determine that the company is a joint controller when operating under a Facebook fan page, alongside Facebook Ireland in the EU and Facebook Inc. who were also data controllers. The CJEU held that Facebook fan pages would otherwise be used as a way of avoiding the data protection laws.

It was emphasised that by agreeing to the means and purposes of the data collection, the Wirtschaftsakademie was considered to have participated in the determination of such means and purposes. In other words, it did not matter that the Wirtschaftsakademie was not processing the personal data themselves, it was a controller by choosing to use the Facebook Insights tool and agreeing to the terms outlined by Facebook.

The fan page also allowed Facebook to place cookies onto the computers of visitors who did not have a Facebook account. This was argued to increase the responsibility of the Facebook fan page administrator.

What does this mean for Facebook fan page administrators?

Administrators of Facebook pages need to inform visitors that their personal data is collected via the ‘Facebook Insights’ tool. Although this decision was issued pre-GDPR, it still has relevance in the heightened GDPR-compliance world. Many individuals and brands use Facebook fan pages as a marketing channel and should therefore approach GDPR compliance for their Facebook fan pages in a similar way as for their own website.

  • The Facebook fan page should contain a prominent link to the organisation’s privacy and cookies notice so that visitors (including those without a Facebook account) are clear when and how their personal data is collected. 
  • That privacy and cookies notice should be checked to ensure that it informs visitors to the Facebook fan page that personal data is collected and used via Facebook Insights. This is important as the GDPR requires data controllers to inform individuals about the sources of personal data that they collect.
  • Administrators will also need to communicate the legal basis for processing when using the Facebook Insights tool, the cookies used, and what personal data is collected. This will ensure compliance with the principle of transparency. If cookies are used for profiling for advertising and to generate personalised content, this should be drawn to the user’s attention and mentioned as part of any request for consent for marketing purposes.

Facebook fan pages are a useful tool for retailers, particularly in terms of brand exposure. However, retailers should be mindful of the obligations that come with such use. The same consumer protection laws and data protection laws will apply to potential customers that visit a Facebook fan page as with any direct interaction via a retailer’s own website.

Arrow GIFReturn to news headlines

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.

Penningtons Manches Cooper LLP