For data protection reasons, social media plugins such as those from Facebook or Twitter are highly critical. What about simple links to social media platforms and other websites? The question of responsibility applies to every website operator who uses external links on their website.
Introduction
Almost every website links to third-party content. This is done using so-called hyperlinks, which I also refer to as external links. Every website should have a few of these links, so that search engines can assess the quality of the website (SEO = Search Engine Optimization = Search Engine Optimization). SEO measures are particularly carried out on the website itself, which is also referred to as Onpage Optimization. The externally linked content should naturally fit the topic of the website and be embedded at an appropriate place in the text. In contrast, Link Building is assigned to Offpage Measures. Here it's about getting as many backlinks as possible. Whoever sets a backlink must again take on some responsibility for this external link. Exactly that's what this article is about.
Update:
According to Section 19 (3) TTDSG, the user must be notified of any forwarding (via external links) to another website.
§ Section 19 (3) TTDSG
Update May 2024: The TTDSG was incorporated into the TDDDG with the same wording. Wherever TTDSG is written, TDDDG must be written from now on.
Besides, there are always internal links, which point to the website itself that was just visited. Examples include menu points such as imprint, contact form, press releases, blog articles etc.
External and internal links** are often indistinguishable from one another. Most websites I'm familiar with use underlined text to indicate links. Whether it's a link to a third party, such as a Google Maps address, is often unclear. Here's an example from the t3n website:
The internal link points to your own website, the external link to gesetze-in-bayern.de. The two links are visually indistinguishable from each other.
Responsibility for hyperlinks
At least when clicking on a link, personal data of the user as a visitor of a website is transmitted. The website operator could be held responsible for causing this transmission. Not infrequently, the linked website is in American hands. Here many people ask themselves about the Schrems II problem (Privacy Shield, American intelligence services).
The aforementioned personal data essentially consist of the network address of the user, which is also referred to as an IP address. This has been considered personal since the ECJ ruling “Breyer“ since 2016. Already in 2011, the ECJ had decided this for static IP addresses. The judgment from 2016 made it clear that this also applies to dynamic IP addresses. The BGH confirmed the judgment a year later for Germany. By the way, cable-bound IP addresses are predominantly of a static nature, even if they occasionally change. On the other hand, DSL connections have more dynamic IP addresses, which often only have an attachment lifetime of one day or a few days. Fully static IP addresses can now be booked in addition to an internet connection for a few euros per month. With such static addresses, one's own network can be reached from outside more reliably.
External links on your website should be marked as such.
This reduces the legal risk for links to virtually zero.
In addition comes person-related data, which is also considered personal (cf. statements of the Article 29 Data Protection Group, predecessor of the European Data Protection Board EDSA). These data are metadata or (technical) traffic data. This includes, for example, information about the browser and operating system used. These data are also used for Fingerprinting.
For data processing at the link target, i.e., the website called up via a link, the provider is initially not responsible. It can be different if it is known or should be known that the link target commits unlawful contents or data processing. Making works accessible can mean an infringement of copyright (but does not have to). Not only links, but also so-called framing play a role here (cf. BGH judgment of 09.07.2015 – Az. I ZR 46/12). On this I cannot go into further detail for technical reasons due to complexity.
It is clear to me: When providing a link to a third party's website, there is a certain risk of liability. This risk may not be great, but I consider it to exist.
I have already extensively examined the question of responsibility for external links some time ago in a separate piece. Please use the link from the previous sentence! It can certainly be that one day a court will decide that an external link leads to liability. Then I'd like to see the excitement on the internet among those who were not prepared for it.
Recommendations
To eliminate the risk and achieve a constructive result with as little effort as possible, I recommend the following:
- Mark all external links.
- Provide a clearly visible reference to the labeling for external links on every page.
- Provide information on external links in your privacy policy.
Labeling external links** can be done, for example with a suitable symbol that appears after the link text. You see an example here on Dr. GDPR. I'm inserting an external link here, so you can see how it looks: That's what Wikipedia has to say about hyperlinks.
Above on every one of my contribution pages, there should be a hint like the following to be seen:
I have therefore not only provided a note on labeling, but also linked to my data protection information. I have also referred to my knowledge article.
My privacy policy explains to the user what external links are all about. Here you can see the text in the image, together with the symbol for external links:
By the way, I have even converted my data protection guidelines into speech, so that my website is a bit more barrier-free. The text-to-speech was done with a free program that translates text into an audio file. I did this for each section of my data protection guidelines. On the one hand, the audio files are easier to listen to. Secondly, changes in the data protection text do not result in a huge new audio file being generated, but only a small one out of many. Thirdly, the Text-To-Speech programs are often limited by text length.
You may now be wondering how to make it possible to mark external links with an icon like the one shown above. I recommend either using a plugin for this, if this is available for your website system (WordPress, Typo3, Drupal, Magento …).
You can either use a CSS rule to automatically mark every external link. For this, you need some technical experience. A rule like that could look something like this:
a\[href^="http://"\]:not(\[href\*="dr-dsgvo.de"\]):after,
a\[href^="https://"\]:not(\[href\*="dr-dsgvo.de"\]):after {
content: url('/fonts/external-link\_sm2.png');
vertical-align:unset;
padding-left:4px;
}
This code does the following:
- For all links that do not point to the http- or https-version of the address dr-dsgvo.de:
- Insert an image after the link text, with a small space of 4 pixels between the link text and the image.
That's about it. The code needs to be embedded in a CSS file that is loaded on every page of your website. You'll have to replace the address with yours, otherwise all links on my website won't be marked as external (you do link back to my website, don't you? Feel free to do so if you'd like to support me).
Because I keep getting asked about it: You can do the following on your website without having to worry about violating data protection laws:
- Linking to your Social Media Presence (but NOT: Embedding a Facebook Plugin, such as the Facebook Like Button or a Twitter Widget that shows the current number of your followers).
- Button “Plan Your Route” (best instead of a Google Maps plugin) with drop-off on a map that shows your location.
Instead of Google Maps, you can also use my map plugin. For route planning, I recommend GraphHopper.
Remove so-called disclaimers from your legal notice. They are of no use, but may do some harm.
Details: See article.
Finally, one more recommendation. You have probably seen a Disclaimer in the imprint of some website already. Disclaimer means Liability Exclusion. With this disclaimer, liability for contents of third parties that are only linked to is supposed to be excluded. Someone had come up with the nonsense of the disclaimer once. In reality, it's not possible to exclude liability further than what the law does anyway. Instead, the disclaimer could have a harmful effect. Because it might give the impression that the person responsible already knew about illegal contents they were linking to. Therefore, I recommend you to strike out such harmful disclaimers without replacement. It's even more critical with the disclaimer "No warning without prior contact".
If you would like me to send you my Print brochure on digital privacy, please send a message to me (button at the bottom) with your postal address mentioned. I will only use the address for sending the brochure.
Key messages
Website owners are responsible for external links on their sites because clicking on them can transmit user data, potentially raising privacy concerns.
Linking to external websites carries a certain risk of liability, so it's important to clearly label them as such.
Disclaimers on websites are ineffective and potentially harmful because they cannot legally exclude liability beyond what the law already allows!
Remove harmful disclaimers, especially the one about needing prior contact before issuing a warning.
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
