The Court of Justice of the European Union (CJEU) issued an opinion concerning websites that use a social media plugin, such as the Facebook "like" button, that automatically collects and reports personal data from website visitors to the plugin company (summary and opinion are stored on Mega.nz).
The CJEU found that under the old Data Protection Directive (DPD) the website would be a joint controller with the plugin company for certain operations. Although the DPD has been superseded by the GDPR, the thrust of the opinion applies under the GDPR.
The website is a joint controller only for the operations for which it effectively co-decides on the means and purposes of the processing of the personal data, such as the the collection and disclosure of the personal data to the plugin company. The website is not a joint controller for any subsequent processing after the personal data has been transmitted to the plugin company.
As joint controllers, the website and the plugin company must arrange between themselves how they shall comply with the GDPR (see Art 26). Compliance is important because a data protection authority could fine the website and plugin company up to 20 million Euros or 4% of the total worldwide annual turnover (see Art 83(5)).
In order to collect personal data from website visitors, the website and the plugin company need to have a lawful basis, such as consent or a legitimate interest.
If they rely on consent, the consent needs to be explicit, free and specific and it needs to be collected before the button collects any personal information.
If they rely on legitimate interests, they need to have performed an assessment (Art 6(1)) demonstrating that their legitimate interests were not overriden by the data subject's interest or rights and freedoms.
Given that plugins automatically collect and transmit personal data, it seems likely that their function will have to change to comply with this ruling. One potential change could be more pop-up windows to gather consent for the operation of plugins.