So you want to go viral? Or maybe just make it a little easier to share your content. Either way, social-media companies are here for it with plugins and widgets that you can conveniently install right on your site.

These plugins allow users to connect with the website through their social network profiles. This lets users promote the page to their own social feed, whether it be from liking, sharing, pinning, tweeting, ticking, tocking … you get the idea. Some plugins allow websites to embed a timeline or a video, or a specific post into the website. These extensions can be a low-effort and cost-effective way of expanding your company’s presence.

But watch your step!

Website operators that integrate these tools into their website can be held liable under data-protection and consumer-protection laws.

Companies like Facebook are able to surveil the digital activity of users and non-users across the web. When someone in America visits a website with a Facebook “like” button, Facebook receives a notification, along with the user’s unique ID number and the URL, containing what the user visited on the website or mobile app. Even if the user doesn’t click on the button! Sometimes, depending on the website operators’ preferences, the social media company is able to place tracking cookies on the visitors’ computers who are not even members of the social media platform but just visit sites that contain the plugins.

Understandably, this is a concern for many internet users. It’s an even bigger concern for governments.

In 2019, the Court of Justice of the EU held that a website operator using a social media plugin is a joint controller with the social media company and could be held jointly liable in relation to the processing activities. Following this ruling, the website operator’s use of the plugin must be in compliance with the GDPR. This means that website owners that use social plugins need to have and state a legal basis for their processing. This also means that a site owner needs user consent and adequate notice to users before collecting and transmitting data to the social media provider. This has caused some websites to avoid social plugins, implement 2-click solutions, or implement security plugins.

Maybe these measures are overkill for websites targeting users in the United States. But maybe not. Many plugins collect unique personal identifiers, like a cookie. And cookies are considered personally identifiable information under California’s data privacy laws. So at this point a responsible website owner operating in the EU or the US—at least the California part of the US—will want to give adequate notice and get prior user consent before plugging users in to social.

We hope you “liked” this message. Please give us a thumbs up on LinkedIn 😉