The social network must also delete all the data it has collected on Belgian citizens who aren’t users – or face fines of €250,000 a day
A Belgian court has ordered Facebook to stop tracking web users without their consent, or face fines of €250,000 (£221,000) a day, up to €100m.
The court also told Facebook it must delete all the data it had gathered on Belgian citizens who were not Facebook users, ruling the data was gathered in contravention of the country’s privacy laws.
Facebook acted illegally when it gathered data on web users via tracking code in “Like” buttons and invisible pixels placed on third-party sites, the court said. Such code tracks individuals when they click a “Like” button, visit a third-party site where the code is in place or visit a Facebook page.
Facebook uses the data to build up advertiser profiles on individuals regardless of whether they have subscribed to the site.
“Facebook informs us insufficiently about gathering information about us, the kind of data it collects, what it does with that data and how long it stores it,” the court said in its decision. “It also does not gain our consent to collect and store all this information.”
Facebook said it would appeal.
“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU,” said the company’s vice president of public policy for EMEA, Richard Allan.
He said third-parties who use the technologies are required to notify users, and also noted that individuals can opt out of such data being used for advertisements.
The decision is the latest salvo in an ongoing dispute between Facebook and Belgium’s commission for the protection of privacy (CPP), which first took the US company to court in 2015 after a failed attempt at negotiating changes to its data-collection practices.
At the end of 2015 the Belgian court ordered Facebook to stop tracking users from the country, but Facebook appealed the following year, arguing the country lacked jurisdiction. Facebook also argued the court’s judgement, which included English words such as “browser” and “cookie”, broke a Belgian law that requires official documents limit themselves to Dutch, French or German.
Facebook won that appeal, but the court has now overturned the 2016 ruling.
Like other large US tech companies, Facebook faces mounting regulatory battles on a number of other fronts in Europe.
The European data regulator, the Article 29 Working Party, has taken the company to task for collecting user information from its WhatsApp messaging service without adequate consent, while a Berlin court recently ruled the social network’s default privacy settings were illegal.
France has ordered Facebook to stop collecting user data from WhatsApp, and the EU fined the company £94m for giving “misleading” information to regulators when it took over the messaging service.
The introduction of the Europe-wide General Data Protection Regulation (GDPR) on 25 May is also likely to prove a challenge to Facebook’s use of the large amounts of sensitive personal data it collects.
“We are preparing for the new General Data Protection Regulation with our lead regulator the Irish Data Protection Commissioner,” Allan said. “We’ll comply with this new law, just as we’ve complied with existing data protection law in Europe.”
How much do you know about privacy? Try our quiz!