On May 13, 2015, the Belgian Data Protection Authority (the “DPA”) published a recommendation addressing the use of social plug-ins associated with Facebook and its services (the “Recommendation”). The Recommendation stems from the recent discussions between the DPA and Facebook regarding Facebook’s privacy policy and the tracking of individuals’ Internet activities.

In taking the position that Facebook is subject to Belgian data protection law, the Recommendation focuses on the legitimacy of tracking user activities through Facebook’s social plug-ins. When used to track Internet activities, the DPA asserts that Facebook should obtain a user’s unambiguous and specific consent prior to placing or obtaining cookies through social plug-ins. The DPA further finds that it is excessive to systematically collect information concerning individuals’ visits to websites that contain social plug-ins, even where individuals do not interact with the social plug-ins.

The Recommendation advocates that Facebook be transparent regarding its use of cookies and cease collecting information through cookies and social plug-ins from non-Facebook users or users who have de-activated or logged out of their Facebook account without first obtaining opt-in consent. With respect to active Facebook users, the DPA noted that Facebook should only collect and use information through cookies and social plug-ins when strictly necessary to provide a service explicitly requested by the particular user. In all other cases, opt-in consent from Facebook users is required, according to the DPA.

Furthermore, the Recommendation warns against automatically sharing information with Facebook based on the mere presence of a social plug-in. As a final recommendation to Facebook, the DPA emphasizes that Facebook should modify its user interface to facilitate opt-in consent from its users for the collection and use of information obtained through cookies, in particular, for the use of this information for advertising purposes.

The Recommendation also includes guidance aimed at owners and hosts of websites using social plug-ins from Facebook, as well as Internet users. With regard to website owners and hosts, the DPA points out that they should ensure that social network buttons are only activated after the website users’ consent has been obtained. To comply with this obligation, the DPA recommends the use of instruments, such as “Social Share Privacy,” to help ensure that third-party plug-ins only connect to the third party’s servers after the user has clicked on the social plug-in button.

The DPA has indicated in the media that an enforcement action against Facebook may be necessary if the recommendation is not followed.