In taking the position that Facebook is subject to Belgian data protection law, the Recommendation focuses on the legitimacy of tracking user activities through Facebook’s social plug-ins. When used to track Internet activities, the DPA asserts that Facebook should obtain a user’s unambiguous and specific consent prior to placing or obtaining cookies through social plug-ins. The DPA further finds that it is excessive to systematically collect information concerning individuals’ visits to websites that contain social plug-ins, even where individuals do not interact with the social plug-ins.
Furthermore, the Recommendation warns against automatically sharing information with Facebook based on the mere presence of a social plug-in. As a final recommendation to Facebook, the DPA emphasizes that Facebook should modify its user interface to facilitate opt-in consent from its users for the collection and use of information obtained through cookies, in particular, for the use of this information for advertising purposes.
The Recommendation also includes guidance aimed at owners and hosts of websites using social plug-ins from Facebook, as well as Internet users. With regard to website owners and hosts, the DPA points out that they should ensure that social network buttons are only activated after the website users’ consent has been obtained. To comply with this obligation, the DPA recommends the use of instruments, such as “Social Share Privacy,” to help ensure that third-party plug-ins only connect to the third party’s servers after the user has clicked on the social plug-in button.
The DPA has indicated in the media that an enforcement action against Facebook may be necessary if the recommendation is not followed.