AddToAny is a free social sharing widget service operated from the United States. It provides a JavaScript snippet that renders share buttons on a webpage and tracks how often each network is used. Because the widget loads scripts and pixels from third-party domains and transmits the visitor IP to US servers, AddToAny is treated as a third-party tag that is not strictly necessary under the ePrivacy Directive and the GDPR.
AddToAny is a popular free social sharing service used to display Share to Facebook, X, LinkedIn, WhatsApp, Telegram, Email and many other buttons on websites and blogs. The widget is delivered as a JavaScript snippet from static.addtoany.com that renders the buttons, tracks impressions and exposes a small counter. A WordPress plugin and Drupal module exist that simplify the integration. AddToAny is operated by AddToAny LLC, based in the United States.
Loading the page.js script transmits the visitor IP address, User-Agent and page URL to AddToAny servers. AddToAny stores a uvc cookie used as a click counter across visits on the merchant domain and reads existing cookies from social networks when the user hovers or clicks. When the user actually shares, the chosen network (Facebook, X, LinkedIn) becomes a recipient and may set its own cookies and gather profile information about the sharer. AddToAny states that it does not sell or share data for advertising, but the cross-border data flow still triggers the GDPR.
AddToAny is a third-party tag that loads automatically and reads or writes data on the user device, which puts it under Article 5(3) of the ePrivacy Directive. The widget is not strictly necessary for the visitor to access the page, so prior consent is required. Under the GDPR, the transfer of the IP address to the US falls under Chapter V and requires a transfer mechanism. The same considerations apply for the social networks invoked when the user clicks a share button: they are independent controllers and the privacy policy must list them.
Yes. EU regulators have consistently treated social plugins as requiring consent (CJEU Fashion ID C-40/17 for Facebook Like, but the principle extends to any third-party share tag that loads automatically). Block AddToAny behind your consent manager and only load it once the user has accepted the relevant category, typically Marketing or Social Media. AddToAny also offers a Universal button mode that opens a sharing dialog only when the user clicks, which can be considered a lower-risk pattern but still loads scripts proactively in most setups.
AddToAny LLC is a US company and processes data on US infrastructure. AddToAny is not on the public EU-US Data Privacy Framework list at the time of writing, which means transfers must rely on Standard Contractual Clauses, on the user's explicit consent for the transfer or on another Article 49 derogation, with the EDPB guidance that derogations should not be used systematically.
Add AddToAny to the cookie banner under Marketing or Social Media, load page.js only after consent, document the recipients (AddToAny LLC and the social networks invoked) and the transfer mechanism in the privacy policy, and consider the alternative of using simple share URLs (https://twitter.com/intent/tweet?... and similar) that do not load any tracking script. For WordPress, the official AddToAny plugin offers a no-JavaScript fallback mode that helps minimise tracking.
Websites using AddToAny must obtain user consent under GDPR regulations.
DPIA considerations
AddToAny is generally not a DPIA trigger on a typical content site, but the integration adds AddToAny LLC and the underlying social networks as recipients. When AddToAny is combined with embedded post counters or social login buttons, the cumulative tracking may raise the risk level and justify documenting the assessment in a wider DPIA.
Sample consent text
We use AddToAny to display social sharing buttons. Loading them sends your IP address and the visited page to AddToAny in the United States, and uses cookies from the social networks you choose. Do you accept?
Third-party domains contacted
static.addtoany.com, addtoany.com, m.addtoany.com, d26b395fwzu5fz.cloudfront.net, facebook.com, twitter.com, linkedin.com, wa.me, t.me
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| uvc | third party | 5 years | Used by AddToAny to count unique visitors and views of the share buttons across visits to the merchant site. |
| cf_clearance | third party | 30 days | Cloudflare bot mitigation cookie set on AddToAny domains to validate non-automated requests. |
| __cf_bm | third party | 30 minutes | Cloudflare Bot Management session cookie set on AddToAny domains. |
| _ga | third party | 2 years | Google Analytics cookie set on addtoany.com when an administrator visits the dashboard, not on the embedded widget. |
AddToAny sets a uvc cookie (unique visitor count) on the merchant domain and may read cookies from the social networks targeted by the share buttons (Facebook, X, LinkedIn). When a user actually shares, the destination network is loaded inside a popup or new tab and may set additional third-party cookies.
Yes. The widget loads automatically and is not strictly necessary for the user to access the page. Under Article 5(3) of the ePrivacy Directive, prior consent is required. The CJEU Fashion ID case (C-40/17) confirmed that social plugins loaded on a website make the website operator a joint controller for the data transmission.
The recommended basis is consent under Article 6(1)(a) GDPR, combined with Article 5(3) ePrivacy consent for the cookies and for reading social network cookies. Legitimate interest is not generally accepted by EU DPAs for social sharing widgets that load before any user interaction.
Yes. AddToAny LLC is based in the United States and processes data there. The widget also enables transfers to the social networks invoked when a share is performed. The privacy policy should reference Standard Contractual Clauses or explicit consent as the legal mechanism for the transfer to AddToAny, and explain the role of each social network as an independent controller.
Not on a standalone basis for a typical content site. However, when AddToAny is used alongside other social plugins, the cumulative tracking on visitors can become significant. In that case, document the integration in the record of processing and consider including it in a broader DPIA that covers all third-party widgets.
Gate the AddToAny snippet behind your consent manager, ensure the no-JavaScript fallback is used for non-consenting users, list AddToAny LLC and the relevant social networks in the privacy policy, and disclose the transfer mechanism. Provide a category in the cookie banner labelled Social media or Marketing that the user can refuse without losing core functionality.
The simplest privacy-preserving alternative is plain share URLs (https://twitter.com/intent/tweet, https://www.facebook.com/sharer/sharer.php) wrapped in static HTML buttons, which load no third-party scripts until the user actually clicks. EU-based plugins such as Shariff (Heise) provide self-hosted, consent-friendly share buttons.
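The gating described above (static share links by default, page.js injected only after consent), as an added example that is not AddToAny's or any consent manager's own code. The consent object shape, its `social` key and the `onConsentChange` hook are hypothetical stand-ins for your consent manager's API, and the script path under static.addtoany.com is an assumption.

```javascript
// Added example. ADDTOANY_SRC path and the "social" category key are assumptions.
const ADDTOANY_SRC = "https://static.addtoany.com/menu/page.js";

// Plain share URLs: no third-party request is made until the visitor clicks.
function shareLinks(pageUrl, title) {
  const u = encodeURIComponent(pageUrl);
  const t = encodeURIComponent(title);
  return {
    x: `https://twitter.com/intent/tweet?url=${u}&text=${t}`,
    facebook: `https://www.facebook.com/sharer/sharer.php?u=${u}`,
  };
}

// Inject page.js only when the consent record grants the social category.
// `doc` is passed in so the logic can be exercised outside a browser.
function loadAddToAny(doc, consent, src = ADDTOANY_SRC) {
  if (!consent || consent.social !== true) return false;       // default deny
  if (doc.querySelector(`script[src="${src}"]`)) return false; // already injected
  const s = doc.createElement("script");
  s.src = src;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}

// Render static anchors first; upgrade to the widget if consent exists now
// or is granted later through the (hypothetical) onConsentChange hook.
function initShareButtons(doc, container, consent, onConsentChange) {
  const links = shareLinks(doc.location.href, doc.title);
  for (const [network, href] of Object.entries(links)) {
    const a = doc.createElement("a");
    a.href = href;
    a.target = "_blank";
    a.rel = "noopener noreferrer"; // do not leak the referrer to the network
    a.textContent = `Share on ${network}`;
    container.appendChild(a);
  }
  loadAddToAny(doc, consent);
  onConsentChange((updated) => loadAddToAny(doc, updated));
}
```

Withdrawing consent later does not unload a script that has already run; handle revocation by reloading the page without the widget.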
Add an entry under Social media or Marketing with the provider (AddToAny LLC, USA), the domains (static.addtoany.com, addtoany.com), the cookies set (uvc and any social network cookies fired through it), the purpose (display share buttons and track usage), the transfer mechanism, and the retention period.