Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
AddThis was an Oracle owned social sharing widget that installed advertising cookies and fed visitor data into the Oracle Data Cloud (BlueKai). The service was discontinued on 31 May 2023, but legacy code on websites still poses a GDPR risk and should be removed.
AddThis was the most widely used social sharing widget on the web from 2008 to 2022. Acquired by Oracle in 2016, it offered Share Buttons, Follow Buttons, Recommended Content units and embedded inline polls. Behind the scenes, the script reported the visitor URL, page title, IP, user agent and engagement signals to the Oracle Data Cloud audience graph (formerly BlueKai), which monetised the audience through programmatic advertising deals. Oracle officially discontinued AddThis on 31 May 2023; the addthis.com domain returns a sunset notice and the JavaScript is no longer maintained.
When still operational, the AddThis script wrote the cookies __atuvc (counter of social shares, 13 months), __atuvs (session counter, 30 minutes), bt2 (audience id, 1 year), di2 (Oracle Data Cloud device id, 1 year) and uvc (visitor counter, 13 months). The widget called addthis.com, addthisedge.com and the Oracle BlueKai network (bk.bluekai.com, tags.bluekai.com), feeding the Oracle programmatic stack with detailed cross site behaviour.
Because AddThis combined visitor data with the Oracle Data Cloud advertising graph, consent under GDPR art. 6(1)(a) and ePrivacy art. 5(3) was the only realistic lawful basis. Legitimate interest was excluded by the EDPB and the CNIL because users could not reasonably expect their share interactions to feed a programmatic auction. After Schrems II (CJUE C 311/18, July 2020) the transfer of personal data to Oracle Corporation in the United States lost its Privacy Shield safe harbour, which contributed to Oracle decision to retire the product.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Publishers that still embed the AddThis script (s7.addthis.com/js/300/addthis_widget.js) load a non functional resource that may now redirect or fail; the broken request still discloses the visitor IP and Referer to Oracle infrastructure. Audit your codebase, WordPress plugins, theme partials and third party widgets to remove every reference to addthis.com, addthisedge.com and ot.addthis.com. Replace the share buttons with static anchor tags using the Facebook, X, LinkedIn or email sharing URLs, or a privacy first alternative.
Search and remove every occurrence of addthis_widget.js, addthis_widget#, _atc, ATInternet, and references to the addthis namespace. Uninstall WordPress plugins such as Share Buttons by AddThis or AddThis Sharing Buttons. Update the cookie policy to remove the __atuvc, __atuvs, bt2, di2 and uvc entries and to inform users that the service has been replaced. Document the decommissioning in your records of processing (GDPR art. 30) and in the incident or change log of the website. Test the page in a browser to confirm that no addthis.com or bluekai.com request remains in the network tab.
The simplest replacement is a row of static anchor tags pointing to share intent URLs (Facebook share dialog, X compose, LinkedIn share article, WhatsApp click to chat, mailto:). For richer functionality without tracking, consider Shariff (German, developed by Heise to be GDPR compliant), social-share-kit (open source), Sharetoolkit and the native Web Share API on mobile.
Websites using AddThis must obtain user consent under GDPR regulations.
DPIA considerations
AddThis was a high risk advertising profiling tool and required a DPIA in its time. Today, the appropriate action is removal, not a DPIA.
Sample consent text
This site previously used AddThis, the social sharing widget operated by Oracle, to expose share buttons. The service was shut down by Oracle in May 2023; the AddThis script is no longer maintained and the addthis.com domain no longer serves a functioning product. We removed the script from our pages and replaced it with privacy preserving native share links that do not load any third party JavaScript and do not transmit your data to Oracle or any advertising network. No consent is required for the static links.
Third-party domains contacted
s7.addthis.comaddthis.coms7.addthis.comm.addthisedge.comsu.addthis.comm.addthis.comtag.bkrtx.comcm.addthis.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| loc | Third party (historical, .addthis.com) | 13 months | Geo location cookie used by AddThis to localise the sharing UI and feed Oracle Data Cloud. No longer set since 31 May 2023. |
| __atuvc | first_party | 13 months | Counted shares of a page and updated the social share button counters; remained accessible to AddThis JavaScript. |
| uvc | Third party (historical, .addthis.com) | 13 months | Frequency capping cookie used to limit AddThis impressions. Inactive since shutdown. |
| __atuvs | first_party | 30 minutes | Stored a short term sharing session identifier used by AddThis to recognise the latest share action. |
| di2 | third_party | 2 years | Oracle Data Cloud / AddThis cross site advertising identifier used to build advertising audiences. |
| di2 | Third party (historical, .addthis.com) | 13 months | Cross site identifier used by Oracle Advertising / BlueKai. No longer active. |
| vc | Third party (historical, .addthis.com) | 13 months | Visitor segmentation cookie used by AddThis. Inactive since 31 May 2023. |
| uvc | third_party | 2 years | Tracked the frequency of visits across AddThis enabled sites for advertising and analytics. |
| ouid | third_party | 2 years | Oracle BlueKai user identifier shared with AddThis to associate browsing with audience segments. |
| bku | third_party | 6 months | Oracle BlueKai cookie used for cross domain advertising and visitor profiling. |
AddThis places tracking cookies for advertising — comply with GDPR using FlowConsent.
AddThis set first and third party cookies including __atuvc, __atuvs, di2, uvc, ouid, bku, plus identifiers in local storage. They were used for visitor recognition and to feed Oracle Data Cloud (BlueKai) audiences.
Yes, AddThis was an advertising tracker that required prior, granular consent under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR. Loading the script before consent was a frequent compliance issue flagged by the CNIL.
Consent (Art. 6(1)(a) GDPR) was the only valid basis. Legitimate interest did not apply because the tracking was used for cross site advertising profiling.
Yes. AddThis was operated by Oracle in the United States. After Schrems II, every transfer required Standard Contractual Clauses with supplementary measures and a Transfer Impact Assessment.
A DPIA was warranted because AddThis performed systematic profiling for advertising and exchanged data with the Oracle Data Cloud. Today the priority shifts from DPIA to removing all AddThis remnants.
Search your codebase for any reference to addthis.com, remove the script tags and CSS, purge legacy cookies via your CMP, run a cookie scan to confirm zero traffic to AddThis hosts and update the cookie policy to mark AddThis as decommissioned.
Privacy friendly alternatives include Shariff (heise), AddToAny in static mode, ShareThis (only with consent) or building plain HTML share links to mailto, X (Twitter), LinkedIn, Facebook share URLs that do not load any third party script.
Mark AddThis as decommissioned in your cookie policy, list any cookies that may persist on returning visitors, document the residual data deletion process, and add a note explaining that the service was shut down on 31 May 2023.
When active, AddThis set third party advertising cookies on .addthis.com: loc (geolocation, 13 months), uvc (frequency capping, 13 months), di2 (cross site identifier, 13 months) and vc (visitor segmentation, 13 months). Since 31 May 2023 none of these are set anymore.
No. The widget no longer loads and sets no cookies. The cleanest answer in 2026 is to remove the AddThis script tag from your website rather than worry about consent.
Historically consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) was the only valid basis. Legitimate interest was never appropriate because AddThis fed advertising profiles to Oracle Data Cloud.
Yes. AddThis was operated by Oracle America, Inc. (USA). Data flowed into Oracle Data Cloud in the United States. The service has been discontinued since 31 May 2023.
Not today, since the service is offline. A DPIA was strongly recommended when AddThis was live because of the advertising profiling and US transfer.
Search your codebase for addthis_widget.js, s7.addthis.com, m.addthis.com or addthis classes. Remove the script tag and any DOM elements with addthis_*. Update theme/template files and clear any tag manager containers.
Privacy first sharing: Shariff (Germany), ShareThis cookieless mode, native HTML5 Web Share API, AddToAny (with consent), or simple anchor tags pointing to the share URL of each network. Avoid US advertising data cloud widgets.
Remove the AddThis entries from your cookie policy and any references to Oracle Data Cloud or BlueKai. Mention the historical use of AddThis only if you keep a privacy changelog.