Medium is a US publishing platform whose embeds and widgets set cookies for analytics and personalization. Embedding Medium content requires prior consent under the ePrivacy Directive.
Medium is an online publishing platform launched in 2012 by Evan Williams, co-founder of Twitter and Blogger. Operated by A Medium Corporation from San Francisco, California, Medium hosts articles written by individual authors and professional publications on a wide range of topics. Readers can browse for free with limits or subscribe to the paid Medium Member program for unlimited access. Authors can earn money through the Medium Partner Program based on reader engagement.
Beyond its native website and apps, Medium offers JavaScript embeds that allow third-party websites to display a Medium post, a follow button or a profile widget. These embeds are commonly used by company blogs, portfolios and newsletters that want to surface Medium content without rehosting it. The embedded scripts are served from medium.com and related domains and execute in the visitor's browser as soon as the page loads.
When a Medium embed loads, the visitor's browser establishes a direct connection to Medium servers. Medium can read existing cookies (such as a persistent visitor identifier uid and a session identifier sid) and may write new ones for personalization, preferences (pr), timezone (tz) and cross-site request protection (xsrf). Medium also relies on its internal analytics stack and historically on third-party analytics such as Mixpanel and Google Analytics.
In addition to cookies, Medium automatically receives the page URL where the embed appears, the visitor IP address, the user agent string and the language/timezone of the browser. When the visitor is logged into a Medium account, these signals can be linked to a known profile and used to refine the recommendation engine on medium.com. From a data protection standpoint this constitutes personal data processing by Medium and creates a joint or independent controller-processor relationship with the website operator.
Because Medium embeds store and read information on the visitor's terminal equipment, Article 5(3) of the ePrivacy Directive (as transposed in national law) requires prior, informed and freely given consent before any non-essential cookie is set. The GDPR adds a layer of obligations: the website operator must identify a lawful basis under Art. 6, perform a balancing test for any legitimate interest claim, inform users in a clear privacy notice and keep a record of processing activities.
For embeds that load advertising or profiling cookies, EDPB guidance and consistent case law from the CJEU (Fashion ID, Planet49) treat the website operator and Medium as joint controllers for the collection and transmission phase. The website is responsible for collecting valid consent; Medium is responsible for what it does with the data afterwards.
A Medium Corporation is established in the United States and processes the data collected through embeds on infrastructure located in the US (AWS and Google Cloud regions). Transfers from the EU/EEA to the US are subject to Chapter V of the GDPR. In practice, controllers must rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR or, where applicable, on a self-certification of Medium under the EU-US Data Privacy Framework. A Transfer Impact Assessment is required to evaluate US surveillance laws (FISA 702, EO 12333) and, when needed, implement supplementary measures.
To embed Medium content lawfully, integrate the embed script through a Consent Management Platform that blocks third-party JavaScript until the visitor opts in to the Statistics or Marketing category. Display a contextual placeholder (a click-to-load card) explaining that loading the content will transfer data to Medium in the United States. Update the cookie notice and privacy policy to list the cookies, the categories of recipients, the retention periods and the transfer mechanism. Keep a written assessment of joint controllership where the embed includes the follow button or other profiling elements.
Lower-impact alternatives include republishing the article on your own site under a canonical link, using Medium's RSS feed to render static excerpts, or hosting your blog on a self-managed platform such as Ghost or WordPress when the editorial workflow allows it.
Websites using Medium must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Medium embeds are used at scale or combined with other tracking. Assess data minimisation, the risk of cross-site tracking, profiling for recommendations and the international transfer to the United States. Document mitigation measures such as conditional loading after consent and the use of Standard Contractual Clauses with a Transfer Impact Assessment.
Sample consent text
This page contains content embedded from Medium (A Medium Corporation, USA). Loading these embeds places cookies on your device used for analytics, personalization and recommendations, and transfers your IP address and browsing data to the United States. Do you accept the loading of Medium content?
Third-party domains contacted
medium.com
*.medium.com
cdn-images-1.medium.com
miro.medium.com
medium.statuspage.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| uid | tracking | 1 year | Persistent visitor identifier used by Medium to recognise returning readers across sessions and to feed the recommendation engine |
| sid | functional | Session | Session identifier maintaining the visitor state while interacting with Medium embeds and pages |
| _ga | analytics | 2 years | Google Analytics client identifier set when Medium loads its analytics stack; used to distinguish unique visitors |
| pr | functional | 6 months | Stores reader preferences such as content density and display options on the Medium interface |
| tz | functional | 6 months | Stores the visitor timezone to display localised dates and times for articles and notifications |
| xsrf | security | Session | Cross-site request forgery token protecting authenticated actions performed against Medium services |
A typical Medium embed can store or read several cookies including uid (persistent visitor identifier used to recognise returning readers), sid (session identifier), pr (preferences), tz (timezone) and xsrf (cross-site request forgery protection). Depending on the configuration, analytics cookies such as _ga (Google Analytics) and Mixpanel identifiers may also be set. None of these are strictly necessary for the website operator and therefore require consent.
Yes. Because the embed reads and writes information on the visitor's device for purposes that are not strictly necessary, Article 5(3) of the ePrivacy Directive requires prior, informed and freely given consent. The embed script and any associated cookies must remain blocked until the visitor opts in through a compliant Consent Management Platform.
For non-essential cookies, ePrivacy already mandates consent, and consent (Art. 6(1)(a) GDPR) is also the most appropriate basis for the subsequent processing. Legitimate interest (Art. 6(1)(f) GDPR) is generally not available where profiling cookies are involved, because the balancing test rarely favours the controller in light of the visitor's expectations.
Yes. A Medium Corporation is headquartered in San Francisco and processes the data on US-based infrastructure (AWS, Google Cloud). Transfers from the EU/EEA rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR and, where applicable, on a self-certification under the EU-US Data Privacy Framework. A documented Transfer Impact Assessment is required.
A DPIA is not automatic but is strongly recommended when Medium embeds are widely deployed, when they are combined with other tracking technologies or when they appear on pages targeting children or vulnerable audiences. The DPIA must address profiling, the international transfer and the rights of data subjects.
Wrap the Medium embed code in a `<script type="text/plain">` element or use the data-attribute pattern recognised by your CMP. Display a contextual placeholder explaining the data transfer and giving access to a granular consent choice. Activate the script only after the visitor opts into the relevant category. Document the implementation in your records of processing activities.
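The gating pattern described in the integration section above and in this answer, as an added example that is not part of the original page and not FlowConsent's or Medium's own code. It assumes (hypothetically) that the CMP exposes consent as an object such as `{ statistics: true, marketing: false }` and that each gated `<script type="text/plain">` carries a `data-consent-category` attribute; the script-host allowlist is derived from the medium.com domains listed on this page, and the sample URLs are constructed.

```javascript
// Added example (not from the page or from FlowConsent/Medium): a consent gate
// for Medium embeds shipped as <script type="text/plain"> and activated only
// after the visitor opts in. Hypothetical assumptions: the CMP exposes consent
// as { statistics: true, marketing: false }; each gated <script> carries a
// data-consent-category attribute naming the category it belongs to.

const CONSENT_ATTR = 'data-consent-category';

// Script hosts the page lists as contacted by Medium embeds (assumption: the
// allowlist is limited to medium.com and its subdomains). A leading dot means
// "any subdomain of". Scripts from other hosts are never activated, so a
// stray or tampered snippet cannot ride on the Medium consent.
const ALLOWED_SCRIPT_HOSTS = ['medium.com', '.medium.com'];

function isAllowedScriptHost(src) {
  let host;
  try {
    host = new URL(src).hostname;
  } catch (e) {
    return false; // relative or malformed URL: fail closed
  }
  return ALLOWED_SCRIPT_HOSTS.some((h) =>
    h.startsWith('.') ? host.endsWith(h) : host === h
  );
}

// Pure decision logic, kept free of DOM access so it can be tested offline.
// `scripts` is a list of { type, category, src }; returns the indexes of the
// entries that may be activated under `consent`.
function selectActivatable(scripts, consent) {
  const activatable = [];
  scripts.forEach((s, i) => {
    if (s.type !== 'text/plain') return;               // not gated (already live)
    if (!s.category) return;                           // unlabelled: fail closed
    if (!consent || consent[s.category] !== true) return; // category not accepted
    if (s.src && !isAllowedScriptHost(s.src)) return;  // unexpected host
    activatable.push(i);
  });
  return activatable;
}

// Browser glue: replace each activatable placeholder script with a live one.
// Only inserting a new <script> element executes it; changing the type
// attribute on the existing element would not. Returns the number of
// scripts activated (0 when no document is available, e.g. under Node).
function activateMediumEmbeds(consent, doc) {
  const d = doc || (typeof document !== 'undefined' ? document : null);
  if (!d) return 0;
  const nodes = Array.from(
    d.querySelectorAll(`script[type="text/plain"][${CONSENT_ATTR}]`)
  );
  const descriptors = nodes.map((n) => ({
    type: n.getAttribute('type'),
    category: n.getAttribute(CONSENT_ATTR),
    src: n.getAttribute('src'),
  }));
  const chosen = selectActivatable(descriptors, consent);
  chosen.forEach((i) => {
    const old = nodes[i];
    const live = d.createElement('script');
    if (old.getAttribute('src')) {
      live.src = old.getAttribute('src');
      live.async = true;
    } else {
      live.textContent = old.textContent; // inline embed snippet
    }
    old.replaceWith(live);
  });
  return chosen.length;
}

// Constructed sample descriptors (the URLs are made up for this example).
const SAMPLE_GATED_SCRIPTS = [
  { type: 'text/plain', category: 'statistics', src: 'https://medium.com/example-embed.js' },
  { type: 'text/plain', category: 'marketing', src: 'https://cdn-images-1.medium.com/example.js' },
  { type: 'text/plain', category: 'statistics', src: 'https://other-tracker.example/t.js' },
  { type: 'text/javascript', category: 'statistics', src: 'https://medium.com/live.js' },
  { type: 'text/plain', category: null, src: 'https://medium.com/unlabelled.js' },
];

// With statistics accepted and marketing refused, only the first descriptor
// qualifies: the third is off-allowlist, the fourth is not gated, the fifth
// is unlabelled.
selectActivatable(SAMPLE_GATED_SCRIPTS, { statistics: true, marketing: false }); // [0]
```

In a page, the click-to-load placeholder's button would call `activateMediumEmbeds(cmp.getConsent())` once the visitor has accepted the relevant category, and the same call can run on the CMP's consent-change event so embeds load for returning visitors with stored consent. Everything that is not `text/plain`, not labelled, or not served from an allowlisted host stays inert.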
You can republish the article on your own website with a canonical link pointing back to Medium, use Medium's RSS feed to render static excerpts on the server side, or move to a self-hosted publishing platform. Substack, Ghost, Hashnode, Dev.to, WordPress and LinkedIn Articles are the most common alternatives, each with their own compliance trade-offs.
Yes. Your cookie notice should list the Medium cookies with their name, purpose and retention, and your privacy policy should identify Medium as a recipient of personal data, describe the purpose of the processing, mention the transfer to the United States and the safeguards in place, and explain how visitors can exercise their GDPR rights.