Why German Privacy Officials Don’t Like Facebook’s “like” Button

Schleswig-Holstein is a small German state located at the very northern tip of the Federal Republic. It is home for enchanting cities such as Kiel and Lübeck, long coastlines overlooking the Baltic See to the east and the North See to the west. Other than scenic landscape, rich culture and a border with Denmark, Schleswig-Holstein also has a dynamic privacy commissioner. Dr. Thilo Weichert heads the ULD, which translates as the SH’s Independent Center for Privacy Protection. His administration published last week a press release (English version here) that has been attracting much attention since (e.g., here and here).

The LDU found the incorporation of Facebook's “like” button on websites (translated as “gefällt mir") to violate state and federal privacy laws:

ULD expects from website owners in Schleswig-Holstein to immediately stop the passing on of user data to Facebook in the USA by deactivating the respective services. If this does not take place by the end of September 2011, ULD will take further steps.

Website operators are warned that the popular app likely breaches a series of regulations designed to guard the privacy interests of site visitors. The consequences of keeping the app might be dire: The statutory fine might go up to 50,000 Euro.

What is it about the mini Facebook application that privacy watchdogs find so outrageous?

To begin with, once users click on the “like” button, information is being transferred to Facebook’s data centers in the United States. It appears that users do not have to maintain a Facebook account for having information related to them channeled to data warehouses in the Silicon Valley. Simply put, as you click “like”, the website you visit causes information about your session to be automatically transferred to Facebook. Facebook, in turn, stores the data for some time, during which it analyzes your data for various purposes. According to some accounts, a user who once “liked” a webpage must live with the fact that his or her online activity will be tracked for the next two years… (I have not yet found an official statement by Facebook that explains in detail its data retention policy and practice. Tips are welcome.)

This cannot leave European privacy officials indifferent, especially as the system does not discriminate between users based on their geographical location, and, almost needless to say, it does not ask users for permission or tells them what is being done with their data. According to Commissioner Weichert, this is a plain violation of the law, and thus, after completion of the formal proceeding against site operators, punishable.

It does not necessarily follow that the “like” button cannot be applied legitimately in Germany. To such end, however, website operators must provide very detailed information about the consequences of “liking” their websites. The corresponding statement must be prominently displayed and its language must be intelligible to the average Internet users. (For those still unconvinced that state regulation is necessary here, it suffices to point out to the clear lack of incentive by site operators to voluntarily do the same. Not to mention Facebook).

The “like” privacy statement must expressly describe the entities the plug-in actually serves, including Facebook. It is probably necessary to provide a link to Facebook’s privacy policy page, although this policy does not say much about the consequences of “liking” for users' privacy interests.

At any rate, the declaration should state that a direct connection is being made between the user’s browser and Facebook’s servers and explain the resulting transfer of personal data. In my opinion, it must also state (1) the time frame during which Facebook retains the data, (2) what Facebook intents to do with the data, including matching it with Facebook profiles, (3) the identity of third parties to which the data is transferred, if applicable, and the purpose of such transfer.

To be sure, according to German law, websites here probably have to obtain the affirmative consent of their visitors regarding transfer and use of personal information. Something akin of a click-box might suffice – warnings printed in minuscule font size that are buried at the bottom of a website’s TOS might not. At present, few German websites (if any) come even close to complying with such requirements.

Reading what I wrote above, I doubt I'll ever “like” a website again, no matter how great I think it truly is.


German data protection advocates often take aim at Facebook, most recently in the state of Schleswig-Holstein, which aims to ban the website's "Like" button. But tensions may be easing. On Thursday, the country's interior minister managed to coax Facebook into sharing in the creation of a voluntary privacy code.

here: http://www.heise.de/newsticker/meldung/Like-Button-Facebook-erklaert-Det...
This explanation is attributed to Richard Allen, the FB chief lobbyist for Europe, who has a lot to do in Germany these days. I wonder why FB does not bother to produce such elaborate clarifications on its data retention practice for the U.S. public, in English. Or, has it done so already?

I think that the "...After that, we combine the data with other people's data in a way that it is no longer associated with you..." can be interpreted in many different ways. Too much freedom here, which can be used (if wanted) in a bad manner. What will they do with the data exactly instead of "... in a way..."? Nobody knows... I think it's good to have some presure on FB, let them know they cannot just do whatever they want... Let them know there is people watching them and making sure they keep thier ethics in place. Just my opinion...
Slechte Adem

Maybe it´s the right way to get facebook to do a little bit more privacy security. and not passing everything to the usa-Facebook servers. trying to get as most data from all over the world. Now its the right time to do something about it bevore its tooo late.

I am not a Facebook user so why should I be tracked? Surely the "like" button is just a a scam to capture data on non FB users? (I'm not overly keen on you sharing my contact with this site with Google either. Can't you just analyse your own server logs?)

When you visit a web page with a social plugin, Facebook sees the date and time you visited, the web page you are on (commonly known as the URL), and other technical information about the IP address, browser, and operating system you use. This is industry standard data that helps us optimize your experience depending on which browser you are using or whether you are logged into Facebook.
We keep this data for 90 days. After that, we combine the data with other people's data in a way that it is no longer associated with you. You can learn more about the specific types of data we collect here

I still find the sentence "[w]e keep this data for 90 days. After that, we combine the data with other people's data in a way that it is no longer associated with you" rather cryptic. Data retention policies usually tell you how long personal information is being stored before being DELETED, not how long it is being stored before further use takes place. This statement supports the argument that Facebook actually tracks *everyone* who visits a webpage with a fb plug-in, not only those with fb accounts, and even not only visitors who voluntarily click on the "like" (or other plug-in) button. I cannot confirm this allegation technically but have seen papers that apparently do. In that case, putting regulatory pressure on websites is not such a crazy idea, especially in jurisdictions that cannot crack down on fb directly.

I am not a Facebook user and therefore do not want my experience "optimised". I do not and will not share what and where or how I browse with that organisation. With respect to non Facebook users, the "like" button is just a data collection scam.

Add new comment