The CJEU has ruled in a recent case that a company with a Facebook “fan page” is a controller of the fan page visitors’ personal data, despite the fact that the personal data it receives about the visitors is anonymised.

Fan pages are set up by companies or individuals on Facebook in order to promote their business, or even just to create a community of like-minded people.

The administrator can choose in advance which anonymised information it receives via the ‘Facebook Insights’ service, which provides reports including anonymised data about their visitors’ age, sex, occupation etc. The administrator can then use that data to help further its business.

The CJEU ruled that the administrator’s use of Facebook Insights gave them the ability to direct or agree how the personal data is processed. This makes administrators joint controllers of the personal data with Facebook and therefore, among other things, obliges them to ensure that appropriate privacy policies and cookie policies are in place.

The case revolved around the fact that neither Facebook nor the administrator had such policies in place. It now seems that both Facebook and the administrator involved have made such policies accessible from the fan page.

It remains to be seen how Facebook will manage its services going forwards. However, one thing is certain – data controllers must ensure they have adequate policies and procedures in place, which cover all the relevant uses of personal data and cookies from which they benefit.