The problem with “Likes”

Almost every website these days offers “Like” and “Share” buttons or other forms of social media interaction. While this is definitely a convenience and important for website owners, it is quite problematic from a GDPR point of view. It is not a complete no-go, but as far as user privacy is concerned it deserves a closer look. To understand its implications we have to look at what is happening “under the hood”, so to speak.
Take for example the Facebook “Like” button. It integrates an iFrame into the website. This is basically a mini-site inside the website whose source code comes from Facebook. This by itself wouldn’t be bad. It’s what’s happening under the hood that matters. As soon as the user opens the website in his browser, the Facebook iFrame gets embedded into the website without the user even having clicked the “Like” button. The referrer URL is now transmitted to Facebook. The same happens with any previously set cookie. If the user is logged into Facebook in another browser window, the cookie transmits the user’s session ID to Facebook. This allows Facebook to link this particular website visit to a specific user, without the user having taken any action at all.
To put it another way: Facebook is able to track a specific user’s web surfing habits without the user’s knowledge and without any interaction by the user himself. One might now argue that Google Analytics or similar services do pretty much the same. Well, that doesn’t even come close to the truth. Google Analytics works with pseudonymized data. In the worst-case scenario they work with IP addresses. But they are not able to tie a certain web surfing behavior to a specific user. Furthermore, Facebook has all the private personal data, such as name, birth date and phone number, of the specific user who has just been tracked through a “Like” button on a website.
One could now argue that it’s the user’s own fault if he surfs the web while logged into Facebook. But this is not how it actually works. Even if you are not logged into Facebook, private user data is transmitted to Facebook if a website contains active Facebook elements such as “Like” and “Share” buttons. All that data collection goes on without the user’s knowledge. While this is already bad enough from a privacy point of view, it gets even worse if you dig deeper into the mechanics of the “Like” button. Every single time a website with active Facebook elements is opened, a cookie containing a special ID like “E9dcTgVq3xnuDQAAFw47QTAZ” is set. This cookie is valid for 2 years. It is transmitted to Facebook every single time, without the user’s consent. This gives Facebook especially, but the website owner as well, the ability not only to track the user, but to build a profile of which websites the user belonging to that particular ID has been visiting while away from the website that set this cookie in the first place.
And now it gets really creepy. Facebook has the ability to connect the “special” ID set by the cookie with the user’s private personal data. And let’s not forget that this cookie is valid for 2 years. You can be sure that at a certain point in time this collected data will be used to make money for Facebook in some form. This is not Facebook bashing, since the exact same technique is used by other social media sites such as Twitter, Google+, Instagram and WhatsApp, just to name a few.
One way for the user to regain some control over this privacy nightmare, which he most likely isn’t even aware of, is for example to block cookies from third-party providers in the browser. This way the cookie information isn’t sent to the third party that set the cookie in the first place. That of course means that the “Like” and “Share” buttons won’t work properly anymore, and the functionality of other social media plugins might be affected as well.
This approach still isn’t really a solution for website owners, since the GDPR regulations require us to keep users’ private data safe and secure and to deploy the necessary methods to keep user data out of the hands of data-collecting companies, unless the user has given his explicit consent.
To make a long story short: it doesn’t mean that website owners have to remove social media plugins altogether. We just have to go at it via a different route. Instead of deploying an iFrame, website owners have to make sure that a simple link is used to open a separate window, where the user can write his comment and “Like” or “Share” a certain website actively on his social media accounts. This might mean some loss of convenience on the one hand, but on the other hand it means that no data is transmitted to Facebook or other social media services unless the user actively chooses to do so.
By deploying this approach we make our website GDPR compliant. Or to put it in simple words: “2 clicks for more user privacy”.
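As an added example (not code from the original post), the following JavaScript puts the two approaches side by side: the iFrame embed, which the browser fetches from the third party the moment the page renders, and the plain link that loads nothing until the visitor clicks. It also includes a small audit function a website owner can run over a page template to list which foreign hosts are contacted before any user interaction. It assumes Node.js with the WHATWG `URL` class; the function names (`iframeEmbedHtml`, `twoClickLinkHtml`, `thirdPartyHostsLoadedOnOpen`) and the share-dialog and plugin URLs in `SHARE_ENDPOINTS` are illustrative placeholders, not values taken from the post.

```javascript
// Added example, not code from the original post. It contrasts the iFrame
// embed the post describes with the "2 clicks" link it recommends, and adds a
// small audit that lists which foreign hosts a page contacts merely by being
// opened. Runs under Node.js (WHATWG URL class). The share-dialog and plugin
// URLs below are illustrative placeholders, not taken from the post.
const SHARE_ENDPOINTS = {
  facebook: "https://www.facebook.com/sharer/sharer.php?u=",
  twitter: "https://twitter.com/intent/tweet?url=",
};

// Minimal escaping for a value placed inside a double-quoted HTML attribute.
function attr(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// The pattern the post warns about: the browser fetches this frame as soon as
// the page renders, sending Referer and any cookie it already holds for that
// host, whether or not the visitor ever clicks "Like".
function iframeEmbedHtml(pageUrl) {
  const src =
    "https://www.facebook.com/plugins/like.php?href=" + encodeURIComponent(pageUrl);
  return `<iframe src="${attr(src)}" width="150" height="35" style="border:none"></iframe>`;
}

// The "2 clicks" alternative: a plain link. Nothing from the network is loaded
// until the visitor clicks. target="_blank" opens the separate window the post
// recommends; rel="noopener noreferrer" keeps that window from scripting this
// page and suppresses the Referer header on the click-through.
function twoClickLinkHtml(pageUrl, network) {
  const base = SHARE_ENDPOINTS[network];
  if (!base) throw new Error(`unknown network: ${network}`);
  const href = base + encodeURIComponent(pageUrl);
  return `<a href="${attr(href)}" target="_blank" rel="noopener noreferrer">Share on ${network}</a>`;
}

// Elements whose src the browser fetches on render. <a> is deliberately absent:
// a link loads nothing until it is clicked.
const SRC_ATTR = /<(?:iframe|script|img)\b[^>]*\bsrc=["']([^"']+)["']/gi;

// Audit helper for a site owner: which third-party hosts does this markup
// contact before any user interaction? Relative URLs resolve against the
// site's own origin and are therefore not counted as third-party.
function thirdPartyHostsLoadedOnOpen(html, siteOrigin) {
  const own = new URL(siteOrigin).hostname;
  const hosts = new Set();
  for (const m of html.matchAll(SRC_ATTR)) {
    const host = new URL(m[1], siteOrigin).hostname;
    if (host !== own) hosts.add(host);
  }
  return [...hosts].sort();
}

// Constructed sample site: one own-origin script plus a share widget.
const SITE = "https://example.org";
const PAGE = `${SITE}/blog/likes`;

function auditPage(widgetHtml) {
  const page = `<script src="/js/app.js"></script>\n${widgetHtml}`;
  return thirdPartyHostsLoadedOnOpen(page, SITE);
}

console.log("iframe embed contacts:", auditPage(iframeEmbedHtml(PAGE)));
console.log("2-click link contacts:", auditPage(twoClickLinkHtml(PAGE, "facebook")));
```

Running it shows the iFrame version contacting `www.facebook.com` on page open while the link version contacts no foreign host at all; the third party only learns about the page once the visitor deliberately clicks through, which is the consent step the “2 clicks” approach relies on. The audit is a regex over static markup, so it catches `iframe`, `script` and `img` sources but not resources injected later by scripts; treat it as a first check, not a complete inventory.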