This is a guest post by Klaus Holzapfel of conceptbakery, a social media marketing company with offices in Germany and the United States.
The Facebook Like button is now at the forefront of privacy rights conversations in Germany, following much discussion of Google Analytics and pixelated homes on Google’s Streetview and Microsoft’s Streetside. A post on Mashable from August 19 mentioned that a German data protection commissioner is planning to ban the Facebook Like button. Since then, commissioners in three other German states have taken the same position.
Safe Harbor Agreement
German authorities are generally sensitive to personal user information leaving the country. The 1998 Safe Harbor Agreement puts strict rules on how American entities can collect data from European individuals. One stipulation: the “choice” principle, which mandates organizations give individuals the opportunity to choose whether and how personal information is used.
What information does Facebook collect?
The question revolves around what information Facebook actually collects when a user visits a website that uses Facebook social plugins. Here’s what they’ve revealed:
| User state | Information collected |
|---|---|
| Not logged-in users | IP address + browser settings + operating system information |
| Logged-in users | User ID + IP address + browser settings + operating system information |
Note: Information is collected regardless of whether users click the Like button.
Facebook’s collection of IP addresses and browser settings is at the center of the current debate.
Tracking by IP – possible or not?
The vast majority of German users have dynamic IP addresses which change daily, making tracking users by IP addresses nearly impossible. One could argue the issues of German officials are only relevant to the small number of users with a static or permanent IP address.
Either way, court orders must be obtained to determine which user had a particular IP address at a certain time (service providers keep 6 months of records). Without that, it’s not accurate to call it personal information: an IP address is not personal information unless you know the specific user.
How about browser settings?
There’s also a test by the Electronic Frontier Foundation (EFF) to learn how unique your browser settings are. Apparently, my settings are unique amongst 1.7 million test takers.
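The measurement behind such a test can be sketched as follows. This is an added example, not EFF's code: the visitor sample and attribute names are constructed, and the score is the usual surprisal, the negative base-2 logarithm of the share of visitors with the same settings.

```python
import math
from collections import Counter

# Constructed sample of visitors: (user agent, language, UTC offset in minutes, screen).
POPULATION = [
    ("Firefox/6.0 Windows", "de-DE", 60, "1280x800"),
    ("Firefox/6.0 Windows", "de-DE", 60, "1280x800"),
    ("Firefox/6.0 Windows", "de-DE", 60, "1920x1080"),
    ("Chrome/13 Windows", "de-DE", 60, "1280x800"),
    ("Chrome/13 Mac OS X", "en-US", -300, "1440x900"),
    ("Safari/5.1 Mac OS X", "en-US", -480, "1440x900"),
    ("Firefox/6.0 Linux", "en-GB", 0, "1680x1050"),
    ("MSIE 8.0 Windows", "de-DE", 60, "1024x768"),
]
ATTRIBUTES = ("user_agent", "language", "tz_offset", "screen")  # assumed names


def surprisal_bits(count, total):
    """Bits of identifying information: -log2 of the share of visitors who match."""
    return -math.log2(count / total)


def fingerprint_report(target, population):
    """Anonymity set size and identifying bits for one browser in the sample."""
    total = len(population)
    same = Counter(population)[target]
    if same == 0:
        raise ValueError("target fingerprint is not part of the sample")
    per_attribute = {}
    for i, name in enumerate(ATTRIBUTES):
        matches = sum(1 for fp in population if fp[i] == target[i])
        per_attribute[name] = surprisal_bits(matches, total)
    return {"anonymity_set": same,
            "bits": surprisal_bits(same, total),
            "per_attribute": per_attribute}


def bits_if_unique_among(n):
    """A browser that is unique among n visitors carries at least log2(n) bits."""
    return math.log2(n)
```

No single attribute has to be rare for the combination to be unique, and unlike a dynamic IP address the combination does not change daily.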
Old news, frankly
Since the first widely-used web browser launched in 1993, it’s been possible for website providers to embed images (or other content) from another website onto their own. Each time a user accesses the embedding website, the provider of the original image could also learn about that user. Long before social plugins (or monitoring tools like Google Analytics) were even conceived, a visitor potentially shared his IP address with multiple locations.
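What the host of an embedded resource can read from a single page load, lined up with the table above, is shown in this added example (not code from Facebook or from this post). The host names, the requests and the `uid` cookie name are constructed assumptions; the `Referer` header is standard HTTP behaviour rather than something the table lists.

```python
from http.cookies import SimpleCookie

# Constructed request a browser sends for an embedded plugin, with no click involved.
LOGGED_OUT = (
    "GET /plugins/like?href=http%3A%2F%2Fnews.example%2Fartikel%2F123 HTTP/1.1\r\n"
    "Host: plugin.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0\r\n"
    "Accept-Language: de-DE,de;q=0.8\r\n"
    "Referer: http://news.example/artikel/123\r\n\r\n"
)
# Same request from a browser holding a session cookie for the plugin host.
LOGGED_IN = LOGGED_OUT.replace("\r\n\r\n", "\r\nCookie: uid=1000042; locale=de_DE\r\n\r\n")


def parse_headers(raw_request):
    """Return the header fields of a raw HTTP request as a lower-cased dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def os_from_user_agent(user_agent):
    """Coarse operating system guess; Android is checked before Linux."""
    for marker in ("Windows", "Mac OS X", "Android", "Linux"):
        if marker in user_agent:
            return marker
    return "unknown"


def what_embed_host_learns(peer_ip, raw_request, session_cookie="uid"):
    """Map one request onto the table's columns; session_cookie is a hypothetical name."""
    headers = parse_headers(raw_request)
    cookies = SimpleCookie(headers.get("cookie", ""))
    user_agent = headers.get("user-agent", "")
    return {
        "ip": peer_ip,  # taken from the TCP connection, not from a header
        "browser_settings": {"user_agent": user_agent,
                             "language": headers.get("accept-language")},
        "operating_system": os_from_user_agent(user_agent),
        "embedding_page": headers.get("referer"),
        "user_id": cookies[session_cookie].value if session_cookie in cookies else None,
    }
```

The only difference between the two rows of the table is the cookie: the rest of the record exists for every visitor whose browser fetches the embed.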
Tip for website visitors
To be clear, any Facebook user should know their browsing history will be collected by the social network if they surf the web while logged in. You could use browser plugins to ban tracking, ad services or even all scripts, if you wish. But you’d never see the Facebook Like button, or other Social Plugins, again. The more restrictive you are, the more functionality you lose. It’s a balancing act required for all Internet browsers.
Tip for website owners
Feel free to copy and paste onto your site. We won’t assume any liability for that, of course.
Has anyone taken action yet?
It’s still business as usual for our clients and German businesses in general. Leading German news portals (such as spiegel.de) continue to use the Like Button, Google+, Twitter, etc. Their Facebook Fan pages are still maintained and active.
We simply recommend monitoring the situation.
What could Facebook do?
Of course, Facebook (and Google and other social web service providers) could be more proactive. They could do a better job in disclosing what data they’re collecting and what exactly is happening with it. Why be secretive if you have nothing to hide?
One of the current trends is (behavioral) retargeting, in which ads are served based on users’ prior brand interaction: buying a product on Amazon results in a related or follow-up ad on eBay or YouTube. One can only imagine how much information flows back and forth between multiple entities. The data flow would certainly go beyond the IP address and would easily cross national borders.
Typically, public preference is being ignored here. The vast majority of Germans enjoy using Facebook and sharing online findings with others. They are no less educated than the rest of the online world and deserve no more (or less) protection than any other browser.
Ultimately, we don’t foresee a German social plugins ban. But, perhaps, this will increase pressure to remove grey zones in the personal data protection jungle.
Germany has a long history of highly prioritizing data protection. In 1970, it introduced the world’s first Data Protection Act. Since then, legislation has been developed to try and govern every aspect of data protection. Germans have probably put more thought into this debate than any other nation in the world. These laws can be potentially used to debate what should and what shouldn’t be governed by national or international law.
Some of Germany’s privacy laws are already superseded by the European Union. More EU law will likely follow.
Most users, marketers, developers and service providers alike would prefer common legal standards that address privacy and copyright rules in a practical manner. Time to dream a little: How nice would it be to have a one-paragraph privacy law on any website that basically states the same thing, and a set of common rules that are easy to understand and interpret?