Introduction

The integration of third-party social plugins on professional websites has become a standard feature of digital strategies. Sharing buttons, advertising pixels, and analytics tools are widely perceived as levers for audience growth and commercial performance. However, these technical choices now entail legal responsibility for economic operators, particularly under European personal data protection law.

The Fashion ID judgment, handed down by the Court of Justice of the European Union on July 19, 2019, is a landmark decision in this respect. By recognising, under certain conditions, joint responsibility between a website publisher and Facebook as a result of integrating the “Like” button, the Court profoundly reshaped the analysis of digital chains of responsibility.

This solution, grounded in a functional and pragmatic approach, nevertheless continues to give rise to doctrinal and practical debate as to its actual scope and its operational implications.

The Fashion ID decision: a landmark in European data protection law

In the Fashion ID case, the company operating an online retail website had integrated Facebook’s “Like” button. This plugin triggered, as soon as the page loaded, the automatic transmission of visitors’ personal data (IP address, browsing data), regardless of any voluntary interaction with the social network.

The central question concerned Fashion ID’s legal qualification: could it be regarded as a controller even though it neither had access to the transmitted data nor exercised control over their subsequent use by Facebook?

The Court adopted a resolutely concrete approach. It held that the voluntary integration of the social plugin, for purposes of visibility and commercial promotion, was sufficient to characterise participation in determining the purposes and means of processing, at least for the data-collection phase.

Fashion ID was therefore classified as a joint controller, alongside Facebook, for that specific phase of processing.

The concept of joint controllership applied to social plugins

The Court confirms that joint controllership does not require equality of roles or identical access to data. It is based on a functional analysis, taking into account the effective involvement of each actor in the processing chain.

Accordingly, a website may be deemed a joint controller where it:

• deliberately chooses to integrate a third-party tool;
• derives an economic or marketing benefit from that integration;
• facilitates, even indirectly, the collection of personal data.

This analysis aligns with the positions adopted by European data protection authorities, in particular the recommendations issued by the CNIL regarding trackers and third-party tools.

The Court is careful to specify that joint responsibility is neither global nor unlimited. It is strictly confined to the operations over which the website publisher exercises real influence, namely the initial collection and transmission of data.

The limits set by the Court: a strictly circumscribed responsibility

One of the key contributions of the Fashion ID decision lies in the clear delineation of responsibility. The website publisher is not held responsible for subsequent processing carried out by Facebook, insofar as it does not determine either the purposes or the modalities thereof.

This clarification is essential to preserving a balance between data protection and legal certainty for economic operators.

The decision does not establish a principle of automatic responsibility for any integration of a third-party module. Each situation must be assessed on a case-by-case basis, taking into account the reality of data flows, the intended purpose, and the degree of involvement of the website publisher.

Practical takeaways for companies and trademarks

Website publishers must clearly inform users of data collection through third-party modules, identifying joint controllers and the purposes pursued.

This transparency requirement is fully consistent with the framework of the General Data Protection Regulation of April 27, 2016 (GDPR) and the CNIL’s guidelines.

Where the data collected are not strictly necessary for the operation of the website, prior consent is required. Such consent must be effective, specific, and technically enforced, which often entails revisiting the default settings of social plugins.

Best practices and risk-management strategies

To limit legal exposure, companies may usefully implement the following measures:

• regular audits of integrated tools and plugins;
• removal of non-essential modules;
• use of deferred loading solutions (lazy loading);
• contractual framing of relationships with third-party providers;
• documentation of technical and legal choices made.
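
As an added illustration of the audit step (example code, not part of the original article), the following script scans a page's static HTML and reports the third-party hosts the browser would contact on page load, which is the transmission at issue in Fashion ID. The hostnames are constructed placeholders, subdomains of the page's host are assumed to be first party, and the scan covers only static `src` attributes, not requests issued later by scripts.

```javascript
// Added example (not from the article): list third-party hosts that a page
// contacts on load, i.e. before any user interaction or consent.
// Tags whose src attribute makes the browser issue a request by itself.
const AUTO_LOADING_TAG = /<(script|iframe|img|embed)\b([^>]*)>/gi;
// A real src attribute; data-src (a common deferred-loading marker) is not matched.
const SRC_ATTR = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i;

function auditThirdPartyLoads(html, pageUrl) {
  const firstParty = new URL(pageUrl).hostname;
  const findings = [];
  for (const [, tag, attrs] of html.matchAll(AUTO_LOADING_TAG)) {
    const src = attrs.match(SRC_ATTR);
    if (!src) continue; // no src: nothing is fetched until a script sets one
    let url;
    try {
      url = new URL(src[1], pageUrl); // resolves relative and //host forms
    } catch {
      continue; // unparseable value, nothing to report
    }
    if (!/^https?:$/.test(url.protocol)) continue; // data:, about:, ...
    const host = url.hostname;
    // Assumption: subdomains of the page's host count as first party.
    if (host === firstParty || host.endsWith("." + firstParty)) continue;
    findings.push({ tag: tag.toLowerCase(), host, url: url.href });
  }
  return findings;
}

// Constructed sample page; every hostname is a placeholder.
const SAMPLE_HTML = `
<script src="/assets/app.js"></script>
<script src="//cdn.shop.example/ui.js"></script>
<script async src="https://social.example/sdk.js"></script>
<img src="https://pixel.example/tr?id=PLACEHOLDER" width="1" height="1">
<iframe data-src="https://video.example/embed/1"></iframe>`;

const report = auditThirdPartyLoads(SAMPLE_HTML, "https://shop.example/product/42");
for (const f of report) console.log(`${f.tag}\t${f.host}\t${f.url}`);
```

On the sample page only the social SDK and the pixel are reported; the iframe that uses `data-src` is not, because it stays inert until a consent handler assigns its `src`.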

Conclusion

The Fashion ID case clearly illustrates how the law now addresses digital architectures. Joint responsibility is no longer a theoretical construct, but a concrete operational risk for companies, particularly those whose reputation relies on their digital presence.

Dreyfus & Associés law firm assists its clients in managing complex intellectual property cases, ensuring GDPR compliance, and providing legal protection for their digital strategies.

Dreyfus & Associés works in partnership with a global network of specialised intellectual property lawyers.

Nathalie Dreyfus, with the support of the entire Dreyfus firm team.

Q&A

1. Can joint responsibility be established in the absence of a contractual relationship with Facebook?
Yes. The existence or absence of a formal contract with Facebook is not decisive. The Court reasons outside any contractual logic, relying exclusively on the facts and the reality of data flows. A website may therefore be classified as a joint controller even if it has entered into no specific agreement with the provider of the social plugin.

2. What concrete risks arise in the event of an inspection by the CNIL or a European authority?
The risks are multiple and cumulative: formal notice, injunctions to comply, administrative fines, as well as potential compensation claims by users. Beyond the financial aspect, reputational risk is often decisive, particularly for exposed trademarks or those operating in sensitive sectors.

3. Does removing the social plugin eliminate all legal risk?
Not necessarily. Removal puts an end to future risk, but it does not erase past processing. Authorities may examine previous practices, especially where data were collected without proper information or valid consent. Hence the importance of documenting audits carried out and corrective measures implemented.

4. Can this case law extend to tools other than social networks?
Yes, and this is a central point. The Fashion ID reasoning goes far beyond “Like” buttons alone. It is transposable to other technologies such as advertising pixels, audience-measurement tools, chat services, video players, or interactive maps, insofar as they entail the transmission of personal data to third parties.

5. How should joint controllership be distinguished from processing on behalf of a controller under the GDPR?
The distinction is fundamental. A processor acts on behalf of the controller and in accordance with its instructions, which was not the case in Fashion ID. Where a third party pursues its own purposes, qualification as a processor is excluded.

6. Can a publisher rely on technical complexity to escape responsibility?
No. The Court adopts a clear position: technical complexity does not constitute grounds for exemption. Companies are required to understand, at least in broad terms, the legal effects of the tools they integrate. This requirement reinforces the need for legal support upstream of technical decisions.

This publication is intended to provide general guidance and to highlight certain issues. It is not intended to apply to specific circumstances or to constitute legal advice.