Comment by fauigerzigerk
2 days ago
What I don't understand is the responsibility of Facebook vs the operator of the website where the tracking takes place. I thought that under GDPR it was the responsibility of the website to get consent from users before passing on data to ad networks.
Both are liable. From TFA:
"The court’s decision exposes all websites and apps using tracking technology to significant lawsuits, experts said."
Only if the ruling holds up on appeal. What I'm wondering is whether it will hold up.
What do you mean by website as a "place"? I'm not so sure the GDPR mentions tracking. Here's what the court said was relevant:
"Meta, Betreiberin der sozialen Netzwerke Instagram und Facebook, hat Business Tools entwickelt, die von zahlreichen Betreibern auf ihren Webseiten und Apps eingebunden werden und die Daten der Nutzer von Instagram und Facebook an Meta senden. Jeder Nutzer ist für Meta zu jeder Zeit individuell erkennbar, sobald er sich auf den Dritt-Webseiten bewegt oder eine App benutzt hat, auch wenn er sich nicht über den Account von Instagram und Facebook angemeldet hat. Die Daten sendet Meta Ireland ausnahmslos weltweit in Drittstaaten, insbesondere in die USA. Dort wertet sie die Daten in für den Nutzer unbekanntem Maß aus."
I mean that under GDPR, website owners as data controllers must get user consent before embedding third party tracking technologies on their websites to pass on data to Facebook.
It doesn't matter whether GDPR mentions any specific word. What matters is what the technologies referred to by the word "tracking" actually do. And what they do clearly requires consent under GDPR.
The paragraph you posted implies (but does not explicitly state) that Facebook's ability to identify individual users would still be noncompliant even if the website has received consent from the user to embed Facebook's technology. Or does the court blame the website's noncompliance on Facebook?