Technical explanation for embedding social network buttons in a website: the two-click solution

Technical explanation for embedding social network buttons in a website: the two-click solution

The reason why a new method of embedding social network buttons in a website is needed is because of a change in the way in which data is processed and protected by social networks like Facebook, Google+ and Twitter.

Standard buttons used on websites transfer personal data directly to the corresponding social network, without the user having clicked on the relevant button.

This is made possible through so-called iFrame integration. Here, in addition to the website you want to download, your browser also downloads a mini website (i.e. a website within a website) which contains the relevant button. In the case of Facebook’s “like” button for example, the content and source text of this mini website originates from and is controlled by Facebook. The operators of the website you are visiting have no influence on this mini website.

Also, when visiting a page which makes use of plug-ins in this manner, it is generally irrelevant whether the user is a member of the social network concerned and if the user is a member, whether that user is logged in to an account.

Whether the user is logged in or not and even if the user is not a member of the social network, a cookie is stored. In the case of Facebook, the cookie has an identifier like B7dcTqgWq3fuDgIIFw47QPIO and is valid for two years.

If a connection is then made from this same browser to the social network at some point in the future, the cookie is then transferred and the information can be utilised to hone the user’s new social network profile. This means that information stored in the cookie can be catalogued, even where the user visited a website before becoming a member of the social network.

If the user is logged in to a social network account, the details of the website the user is visiting as a well as the cookie are transferred directly to the social network. As a result, information pertaining to the visit can be assigned to the specific network account.

This means that Facebook can monitor which websites with embedded “like” buttons are visited. The number of websites with embedded social buttons is increasing.

The direct transfer of personal data is problematic. In contrast to an IP address, where the identity and address of a person can only be discovered after conducting investigations, social media buttons make personal information is directly available to a social network through the user account details.

If previous actions of social networks are evaluated in terms of use of the data collected in the above mentioned way, it is clear that personal data is exploited to its fullest potential. As experience shows, the transfer or even sale of the data to third parties cannot be excluded.

To stem this frenzy of data collecting by the social networks and to protect against possible warning letters from data protection authorities, it is advisable to adopt a “two-click” solution for embedding social media buttons. In this way, the website which is being visited is displayed first and the social media button is displayed in a “space filler”. The button is only activated by the user, if they click on it. When the user hovers over the button and before clicking it, a so-called mouse-over or hover box appears. This hover box contains a warning and explanation of the data protection implications of clicking the button. Upon first click of the button by the user a connection with the social network server is established. Upon second click the button’s function is activated.
WARNING: The above detailed procedure does not absolve you from your obligation to provide a privacy policy for your website.

For more privacy policy templates click here:

Muster Datenschutzerklärung

Advice from Christian Solmecke

The website “Heise” has provided a detailed and user friendly technical explanation of how to embed social network buttons on a website:



Please be advised: the true extent of the way in which Facebook uses data transferred to it is unknown. As a result it is not possible to produce a privacy policy statement which satisfies every legal eventuality.

Even if the “two-click” solution advocated on these pages is adopted, it cannot be excluded that data protection rules may be broken when transferring data to Facebook.

WILDE BEUGER SOLMECKE therefore accepts no liability for third party claims arising either directly or indirectly as a result of the use of the privacy policy templates provided on these pages or as a result of the adoption and/or reliance on the “two-click” solution to embed Facebook plug-ins as advocated on these pages.

Christian Solmecke is a partner at the law firm WILDE BEUGER SOLMECKE. He is the author of numerous legal publications in the area of internet and IT law. He is also an associate lecturer for social media law at the Cologne University of Applied Sciences.

Do you like this article? Feel free to rate it now:

1 Stern2 Sterne3 Sterne4 Sterne5 Sterne (Not rated yet)