Hungary’s Data Protection Authority (NAIH) has issued a statement on the application and legal assessment of social media modules used on websites, how to obtain consent legally, and the obligations of website operators.
The NAIH examined two issues:
Who is the data controller when embedding social media modules?
The website operator is the data controller for all personal data collected and transmitted over its website. This includes all data processed by the social media module used by it.
For example, a website operator is a data controller by embedding a “tracking pixel” in its own website, which enables the user’s browser to transmit personal data about the user to the social-media provider. The collection and transmission of the personal data of website visitors to social media would not have been possible without embedding the pixel. At the same time, social media has developed and ensured the availability of pixels as software code that allows social media to automatically collect, transmit and evaluate personal data. As a result, the website operator and the social media provider are joint data controllers in relation to the collection and transmission of personal data through pixels.
However, the website operator’s control is limited to the operations for which it defines the underlying purposes and means. The website operator is not considered a data controller after the transfer of the personal data when the social media provider has conducted further data processing. The NAIH's statement is in line with the draft Guidelines of the European Data Protection Board 08/2020 on the targeting of social media users.
What are the consent requirements?
The use of the social-media module requires user consent. Users must be able to decide individually whether or not to consent to the operation of a given type of cookie. (The user must be able to decide whether he agrees to the data processing in question, such as the operation of a particular cookie.) This is possible in the case of cookies where the user can browse the site without any restrictions, even if he does not consent to the placement of the given cookie. The consent is voluntary if access to the website's services and functionalities is not conditional on granting consent to the storage of information on the user's terminal equipment or to having access to information already stored there.
For example, if a website operator uses a script that prevents website content from being visible (except for the interface for accepting cookies) so that the content can only be accessed by clicking on the "Accept cookies" button, then the user of the website has no real choice. His consent would be invalid.
Based on the NAIH statement, website operators should:
- examine exactly how the use of a social-media module involves the recording and transmission of personal data;
- provide appropriate data processing notices on the application of the social-media module; and
- provide a valid consent option for users in relation to the social-media module.
In addition, website operators should monitor the data protection terms of the social-media provider in regard to joint controllership and take into account the Guidelines of the European Data Protection Board 08/2020 on the targeting of social media users, which is currently being finalised.