Facebook has millions of users in the European Union, and a German court recently ruled against the company in a case involving its Privacy Policy. Few ever read privacy policies except judges, who must examine them when challenges arise.

The new EU General Data Protection Regulation, which goes into effect on May 25, will make things even more complicated.

If you have any customers who are EU residents, the new GDPR will impact you.

What Happened to Facebook?

The GDPR, an overhaul of the 1995 European Data Protection Directive (Directive 95/46/EC), extends extraterritorial jurisdiction and unambiguously affirms certain decisions asserted by European case law.

However, the language of the GDPR still leaves outstanding questions. A German court earlier this year ruled that Facebook’s terms of use did not comply with the requirements for informed consent.

Informed consent is specific under EU rules. Article 4(11) of the GDPR defines consent as

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Five criteria must be met to constitute consent:

  • freely given
  • specific
  • informed
  • unambiguous
  • affirmative

Unambiguous consent must include a statement or a clear affirmative action indicating agreement, which is primarily where Facebook ran afoul.

Facebook and many U.S. websites use default privacy settings. The German court found several of those settings were difficult for the user to find and change. By implementing default settings, Facebook had failed to get informed consent.

What Did Facebook Do?

The intent of this article is not to attack Facebook. In fact, Facebook has made several changes to the way it handles privacy protections since the German case was filed. Rather, the article is meant to be a wake-up call to other companies that may take a similar approach, pushing privacy settings by default and assuming that privacy declarations buried in their terms of service will suffice.

“If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given,” states Article 29 of the Data Protection Working Party Guidelines on Consent under Regulation 2016/679.

Said another way, if a…