Twitter Analytics, now branded X Analytics, is the audience and content measurement platform of X Corp. It tracks impressions, engagements, and profile activity, and works alongside X widgets that set cookies on embedding websites.
Twitter Analytics, now usually called X Analytics, is the audience and content measurement platform of X Corp, the company that operates the social network previously branded Twitter. It gives account owners metrics on impressions, engagements, video views, profile visits, and follower demographics. The same telemetry powers ad reporting in the X Ads Manager and feeds the conversion measurement of the X Pixel.
Pages that embed Tweets, X timelines, follow buttons, or the X Pixel cause the browser to load resources from x.com, twitter.com, and abs.twimg.com. X writes identifiers such as guest_id, personalization_id, ct0, twid, lang, and the session cookie _twitter_sess. These cookies allow cross site tracking, ad attribution, and profile linkage for logged in X users, even on third party websites.
The cookies fall squarely within Art 5(3) of the ePrivacy Directive and the German TTDSG. X Corp acts as a separate controller for the data captured through its widgets, and a CJEU style joint controllership applies to the embedding website for the collection phase (Fashion ID, C 40/17). Because the processing involves profiling, the only realistic legal basis under Art 6(1) GDPR is the visitor's freely given, specific, informed, and unambiguous consent.
Operators must block all X widgets, timelines, and the X Pixel before a visitor opts in through the consent banner. A pre ticked box, scroll based consent, or implicit acceptance is invalid (CJEU Planet49, C 673/17). The banner needs to describe the purposes, retention periods, the third country transfer, and offer a refuse option that is as easy as the accept button, in line with the EDPB 03/2022 guidelines and CNIL recommendations.
X Corp processes personal data in the United States. The company withdrew from the EU US Data Privacy Framework in May 2023, so transfers now rely on Standard Contractual Clauses combined with supplementary measures. The Schrems II ruling requires a documented Transfer Impact Assessment covering US surveillance laws (FISA 702, EO 12333). Several EU regulators have already issued warnings about embedding US social media without solid safeguards.
Load X embeds only after consent, use a CMP that exposes a granular X category, sign the X Pixel data processing addendum, run a Transfer Impact Assessment, and consider server side proxies or static screenshots of Tweets where possible. Document everything in the records of processing, list X Corp in the privacy notice, and offer a clear withdrawal path so visitors can revoke consent at any time.
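One way to implement the load-after-consent rule in the browser, as an added example that is not code from X or from any CMP. It assumes each embed is a placeholder `<div data-x-embed="TWEET_URL">` and that the choice is stored under the hypothetical key `consent.x`.

```javascript
// Added example (not X or CMP vendor code). Assumed page markup: each embed is a
// placeholder <div data-x-embed="TWEET_URL">. CONSENT_KEY is a hypothetical name.
const X_WIDGETS_SRC = "https://platform.twitter.com/widgets.js";
const CONSENT_KEY = "consent.x";

function createXGate(doc, storage) {
  let script = null; // the injected widgets.js element, once consent exists

  // Only an explicit stored opt-in counts; a missing or other value means "blocked".
  const hasConsent = () => storage.getItem(CONSENT_KEY) === "granted";

  function activate() {
    if (!hasConsent() || script) return false;
    for (const slot of doc.querySelectorAll("[data-x-embed]")) {
      // Markup that widgets.js upgrades into an embedded post.
      const quote = doc.createElement("blockquote");
      quote.className = "twitter-tweet";
      const link = doc.createElement("a");
      link.href = slot.getAttribute("data-x-embed");
      quote.appendChild(link);
      slot.replaceChildren(quote);
    }
    script = doc.createElement("script");
    script.src = X_WIDGETS_SRC;
    script.async = true;
    doc.head.appendChild(script); // first request to an X domain happens here
    return true;
  }

  function grant() {
    storage.setItem(CONSENT_KEY, "granted");
    return activate();
  }

  // Withdrawal: forget the choice and report whether a reload is needed, because
  // already-rendered embed iframes keep running and X's third-party cookies
  // cannot be deleted from the embedding origin.
  function withdraw() {
    storage.removeItem(CONSENT_KEY);
    return script !== null;
  }

  return { hasConsent, activate, grant, withdraw };
}

// In a page: const gate = createXGate(document, localStorage); gate.activate();
// then wire gate.grant and gate.withdraw to the banner's accept and withdraw buttons.
```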
Websites using Twitter Analytics must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA under Art 35 GDPR is strongly recommended. Twitter Analytics relies on systematic profiling, behavioural tracking across sites, and transfers to a US controller that withdrew from the Data Privacy Framework in 2023. The DPIA should document Schrems II supplementary measures, retention, and joint controllership for X embeds.
Sample consent text
We use Twitter (X) Analytics and X embeds to measure how our content performs on the X network. With your consent, X sets cookies such as guest_id and personalization_id, profiles your interaction, and transfers data to X Corp in the United States. You can refuse or change your choice at any time.
Third-party domains contacted
x.com, twitter.com, abs.twimg.com, platform.twitter.com, analytics.twitter.com, ads-twitter.com, t.co

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| guest_id | third party tracking | around 2 years | Unique identifier assigned by X to non logged in visitors, used for analytics, fraud prevention and ad attribution across pages embedding X content. |
| personalization_id | third party advertising | around 2 years | Cross site identifier used by X to personalise advertising and content based on browsing behaviour on any page that loads X widgets or pixels. |
| ct0 | third party security and tracking | 6 hours to 1 year | CSRF token that also enables authenticated and unauthenticated tracking of interactions with X widgets and the X Pixel. |
| twid | third party tracking | persistent | Identifier of the logged in X account, linked to the X user profile and used to attribute embed interactions to a known account. |
| lang | third party preference | session | Stores the language preference used by X widgets and analytics so embedded content is rendered in the right locale. |
| _twitter_sess | third party session | session | Session cookie of the X platform that maintains state when a visitor interacts with embedded Tweets, login flows or video players. |
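
A check that nothing from the domains listed above loads before opt-in, as an added example that is not FlowConsent or X code. The capture format (`url` plus raw `setCookie` header values) and the sample entries are constructed; the domain and cookie names are the ones on this page.

```javascript
// Added example, not FlowConsent or X code. The domain and cookie lists are the
// ones given on this page; the capture format ({url, setCookie[]}) is an assumption.
const X_DOMAINS = ["x.com", "twitter.com", "abs.twimg.com", "platform.twitter.com",
  "analytics.twitter.com", "ads-twitter.com", "t.co"];
const X_COOKIES = new Set(["guest_id", "personalization_id", "ct0", "twid", "lang",
  "_twitter_sess"]);

// Match on whole DNS labels, most specific entry first, so "cert.co" or
// "notx.com" never count as "t.co" or "x.com".
function matchXDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const byLength = [...X_DOMAINS].sort((a, b) => b.length - a.length);
  return byLength.find((d) => host === d || host.endsWith("." + d)) || null;
}

// entries: requests recorded while the banner is still unanswered.
function auditPreConsent(entries) {
  const findings = [];
  for (const entry of entries) {
    let host;
    try {
      host = new URL(entry.url).hostname;
    } catch {
      continue; // relative or malformed URL, nothing to attribute
    }
    const domain = matchXDomain(host);
    if (!domain) continue;
    // Cookie names are only checked on X responses: "lang" alone is too generic.
    const cookies = (entry.setCookie || [])
      .map((header) => header.split("=")[0].trim())
      .filter((name) => X_COOKIES.has(name));
    findings.push({ url: entry.url, domain, cookies });
  }
  return findings;
}

// Constructed capture of a page load before any consent choice.
const SAMPLE_CAPTURE = [
  { url: "https://shop.example/index.html", setCookie: ["lang=de; Path=/"] },
  { url: "https://platform.twitter.com/widgets.js", setCookie: [] },
  { url: "https://x.com/constructed-path", setCookie: ["guest_id=v1%3A0; Max-Age=63072000", "other=1"] },
  { url: "https://cert.co/lib.js", setCookie: [] },
  { url: "https://notx.com/app.js", setCookie: [] },
];

console.log(auditPreConsent(SAMPLE_CAPTURE)); // an empty array means the gate held
```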
Pages with X widgets or the X Pixel write cookies from x.com and twitter.com. Typical entries are guest_id (visitor identification, around two years), personalization_id (cross site targeting, around two years), ct0 (CSRF token, six hours to one year), twid (logged in user id, persistent), lang (language preference), and _twitter_sess (session). All are used for tracking, advertising, and analytics.
Yes. The cookies trigger Art 5(3) ePrivacy Directive and constitute profiling under Art 22 GDPR. Operators must collect prior, freely given, specific, informed, and unambiguous opt in consent before any X tag is loaded. A simple website notice or implicit consent is not sufficient under EDPB 03/2022 and CJEU Planet49.
Only consent under Art 6(1)(a) GDPR is realistic. Legitimate interest under Art 6(1)(f) is ruled out by the systematic profiling, the cross site reach of the X graph, and the international transfer. Performance of a contract under Art 6(1)(b) is also unavailable because the data subject has no contract with the embedding website concerning the X cookies.
Yes. X Corp processes personal data in the US and withdrew from the EU US Data Privacy Framework in May 2023. Transfers rely on Standard Contractual Clauses with supplementary measures. Following Schrems II (C 311/18), operators must run a Transfer Impact Assessment that addresses FISA 702 and EO 12333 risks.
A DPIA under Art 35 GDPR is strongly recommended because the processing combines large scale profiling, behavioural cross site tracking, and a transfer to a third country without an adequacy decision. The DPIA should address technical safeguards, joint controllership, retention, and the right to object, in line with the EDPB list of high risk processing.
Block X widgets and Pixel by default in your tag manager, expose a granular consent category, only load the X scripts after opt in, document the joint controllership with X Corp, sign the X Data Processing Addendum, and run a Transfer Impact Assessment. Keep server logs of consent and provide a one click withdrawal.
For audience measurement, EU based analytics such as Matomo, Plausible, Piwik PRO, or AT Internet (Piano Analytics) offer comparable insights with consent friendly modes. For social measurement, consider Buffer Analyze, Hootsuite, Iconosquare, or native LinkedIn and Mastodon analytics, ideally combined with static screenshots instead of live X embeds.
List X Corp as a third party recipient with US transfer, name the cookies (guest_id, personalization_id, ct0, twid, lang, _twitter_sess), state the retention periods, link to the X privacy policy, and explain how visitors can withdraw their consent. Update the policy whenever you add or remove X widgets or the X Pixel.