Bit of a technical one for the privacy nerds here. There’s an interesting update from the ECJ:
The Advocate General proposes to rule that under the Data Protection Directive the operator of a website who has embedded on its website a third-party plugin (such as the Facebook Like button), which causes the collection and transmission of the user’s personal data, shall be considered to be a joint controller, along with such third party (here Facebook Ireland). However, that controller’s (joint) responsibility should be limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.
https://curia.europa.eu/jcms/upload/docs/application/pdf/2018-12/cp180206en.pdf
How entirely expected.
Wait. What?
The interesting point here isn’t that the website owner is a controller – that was always obvious to anyone with a brain. It’s that the third party must be a controller. A lot of the tracking cookie and analytics plug-in types like to paint themselves as processors. This will stop that, and will bring them inside the fold of GDPR transparency requirements. Many of them are also based outside the EEA, which makes the use of the plug-in an international transfer.
You might want to have another look at the EULAs, contracts and other data-sharing agreements you have for every plug-in, cookie, tracking service, lead identification service and so on and so forth that you have on your website.
And if you run one of those services, you should probably move reviewing your privacy and compliance provision to the top of your to-do list.