Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
Instagram Embed is the official way to display a public Instagram post, reel or profile inside another website using an oEmbed iframe and a script (embeds.js) loaded from instagram.com. The embed sets Meta tracking cookies (datr, fr, ig_did, mid, c_user when logged in) on the instagram.com domain and discloses the visitor IP and User Agent to Meta as soon as the script runs. Under GDPR and the ePrivacy Directive, this requires prior consent because the embed cannot be considered strictly necessary, and personal data is transferred to Meta Platforms Inc in the United States.
An Instagram embed is the official way to display a public post, reel, story highlight or profile inside another website. The integration consists of an iframe pointed at the instagram.com domain plus a small JavaScript file (embeds.js) hosted on Meta infrastructure. As soon as the iframe loads, the visitor's browser contacts instagram.com, which reads and writes the same identifiers that Instagram uses on its own platform (datr, fr, ig_did, mid, and the c_user variant when the visitor is logged in). Even an apparently passive embed is a direct contact with Meta that triggers the same data flows as visiting instagram.com directly.
Meta receives the visitor's IP address, User Agent, language, the referring URL (your page) and any cookies previously set on instagram.com. If the visitor is logged into Instagram or Facebook, Meta also receives the account identifier (c_user) and can re-identify the visitor across the open web. The embed then becomes a piece of Meta tracking infrastructure on your domain. Even without a Meta Pixel, the basic embed is enough for Meta to associate a visit to your page with a Meta account and to feed its advertising graph.
The Instagram embed cannot rely on the strictly necessary exemption in Article 5(3) of the ePrivacy Directive because it is not essential to the service the visitor requested. It requires prior, informed and granular consent. On top of that, the transfer to Meta Platforms Inc in the United States is a Chapter V GDPR transfer. The CJEU in Schrems II (C-311/18) invalidated the Privacy Shield, and EU regulators (CNIL, German DPAs, the Italian Garante, the EDPB) have repeatedly held that data sharing with Meta carries significant residual risk even under the EU-US Data Privacy Framework, because of US surveillance laws (FISA 702, Executive Order 12333).
The recommended pattern is the two-click or click-to-load embed: the embed is replaced by a static placeholder until the visitor explicitly accepts. The placeholder must clearly state that the content comes from Instagram, that loading it transfers personal data to Meta in the US, and that the visitor can refuse. Acceptance must be opt-in (no pre-ticked boxes), as easy to refuse as to accept, and revocable through a persistent consent panel. CNIL has fined several French operators for loading Meta embeds before consent.
Because the Instagram embed combines large-scale processing by Meta, profiles that can reveal special category data (sexual orientation, political opinions or religion inferred from the accounts visited) and a high-risk international transfer, a DPIA is required in many EU member states. The DPIA must document the necessity of the embed, the proportionality of the data shared, the safeguards in place (consent, EU-US DPF, SCCs, click-to-load) and the alternatives considered. Operators in regulated sectors (health, education, public administration) should generally avoid the embed.
Implement a click-to-load placeholder, expose Instagram in your consent banner as a social media or advertising vendor, and only fire the embed after granular consent. Document the processing in your Record of Processing Activities and update the privacy policy with a link to Meta's privacy terms and the list of cookies set by instagram.com. Safer alternatives include hosting a screenshot of the post on your own CDN, using a static image with a link to the Instagram URL, or relying on official press-use APIs that proxy the content without contacting Meta from the visitor's browser.
Websites using Instagram Embed must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever the Instagram embed is used on pages targeting EU visitors, because it triggers systematic transfers of personal data to Meta in the United States and is considered high risk by several European regulators (CNIL, Bundeskartellamt, Italian Garante). The DPIA should cover the consent mechanism, the absence of a strictly necessary justification, the residual risk after the EU-US Data Privacy Framework, and the suitability of safer alternatives such as static images or self-hosted screenshots.
Sample consent text
We embed content from Instagram. Loading this embed shares your IP address, User Agent and browsing context with Meta Platforms Inc in the United States, and Meta sets cookies on the instagram.com domain. The embed only loads after you accept advertising and social media cookies.
Third-party domains contacted
instagram.com
www.instagram.com
cdninstagram.com
scontent.cdninstagram.com
facebook.com
static.cdninstagram.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| datr | http | 2 years | Meta browser identifier used for security, fraud detection and analytics. Set on the instagram.com domain when the embed loads. |
| fr | http | 90 days | Meta advertising cookie used to deliver, measure and personalise ads across Meta properties and the Audience Network. |
| ig_did | http | 2 years | Instagram device identifier used to recognise the browser across sessions. |
| mid | http | 2 years | Alternative Instagram device identifier set by the embed. |
| sb | http | 2 years | Meta security cookie used to identify the browser and detect suspicious activity. |
| c_user | http | 1 year | Meta logged-in user identifier. Set on the instagram.com domain when the visitor is also logged into Instagram or Facebook. Enables cross-site identification. |
| xs | http | Session | Meta session token used to maintain the logged-in state and tie the embed view to a Meta account. |
Instagram Embed places tracking cookies for advertising — comply with GDPR using FlowConsent.
As soon as the embed loads, instagram.com sets the standard Meta tracking cookies: datr (browser identification, 2 years), fr (advertising and analytics, 90 days), ig_did and mid (Instagram device identifiers, 1 to 2 years), sb (security, 2 years), and c_user / xs if the visitor is logged into Instagram or Facebook. These are third-party cookies from Meta in the United States.
Yes. The embed loads scripts and writes Meta tracking cookies, and is not strictly necessary to the service the user requested. Article 5(3) of the ePrivacy Directive requires prior opt-in consent, and the GDPR additionally requires that the international transfer to Meta be transparently disclosed. The standard implementation is a two-click placeholder that only loads the embed after consent.
The only realistic legal basis is consent under Article 6(1)(a) GDPR. Contract or legitimate interest are not available because the embed is decorative rather than essential and exposes the visitor to large-scale Meta profiling. Meta itself relies on several bases for its own processing, but the controller embedding the iframe must collect consent before any data leaves the visitor's browser.
Yes. Even when EEA visitors interact with content controlled by Meta Platforms Ireland Ltd, the technical flows go to Meta Platforms Inc infrastructure in the US. This is a Chapter V GDPR transfer, currently relying on the EU-US Data Privacy Framework (Meta is self-certified) and Standard Contractual Clauses. Schrems II and subsequent EDPB guidance keep this transfer category at elevated risk.
It is strongly recommended in most cases, and explicitly required by some EU regulators when the embed is deployed at scale. The combination of behavioural profiling by Meta, potential inference of special category data and high-risk international transfers usually crosses the threshold of Article 35 GDPR. Operators in regulated sectors should generally avoid the embed.
Use a click-to-load placeholder served from your own domain, expose Instagram in the consent banner as a social media or advertising vendor, and only inject the embed iframe after a granular opt-in. Document the processing in your privacy policy, link to Meta's privacy terms, list the cookies set by instagram.com, and keep a record of consent. Avoid the embed on pages with vulnerable audiences.
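A click-to-load placeholder of the kind described in this answer and in the implementation guidance earlier on the page, as an added JavaScript example (not FlowConsent's or Meta's code). It uses the iframe form of the embed; the consent category name, the /p/<shortcode>/embed/ iframe path and the sample post URL are assumptions to be matched to your own consent banner and embed snippet.

```javascript
const INSTAGRAM_ORIGIN = "https://www.instagram.com";
const CONSENT_CATEGORY = "social_media"; // hypothetical banner category; match it to your consent tool
// Minimal consent store; revoke() makes the next render fall back to the placeholder.
function createConsentStore(initial = {}) {
  const state = new Map(Object.entries(initial));
  return {
    has: (cat) => state.get(cat) === true,
    grant: (cat) => { state.set(cat, true); },
    revoke: (cat) => { state.set(cat, false); },
  };
}
// Accept only public post/reel URLs on instagram.com, so a tampered data-post attribute cannot
// point the iframe elsewhere. The /embed/ path is assumed to be the iframe form of the embed.
function instagramEmbedSrc(postUrl) {
  let u;
  try { u = new URL(postUrl); } catch (e) { return null; }
  if (u.origin !== INSTAGRAM_ORIGIN) return null;
  const m = u.pathname.match(/^\/(p|reel)\/([A-Za-z0-9_-]+)\/?$/);
  return m ? `${INSTAGRAM_ORIGIN}/${m[1]}/${m[2]}/embed/` : null;
}

const escapeHtml = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Pure renderer: a static placeholder served from your own domain until consent (no request
// reaches Meta), and the real iframe only after it.
function renderEmbed(postUrl, consent) {
  const src = instagramEmbedSrc(postUrl);
  if (!src) return { mode: "blocked", html: "" };
  if (!consent.has(CONSENT_CATEGORY)) {
    return { mode: "placeholder", html:
      `<div class="ig-placeholder" data-post="${escapeHtml(postUrl)}">` +
      "<p>This content is hosted by Instagram. Loading it sends your IP address, User Agent and " +
      "browsing context to Meta Platforms Inc in the United States and sets cookies on instagram.com.</p>" +
      '<button type="button" data-action="load">Load Instagram post</button></div>' };
  }
  return { mode: "loaded", html:
    `<iframe src="${src}" loading="lazy" referrerpolicy="strict-origin-when-cross-origin" ` +
    'title="Instagram post"></iframe>' };
}

// Browser glue (returns 0 under Node): the click records consent, then the iframe replaces the box.
function bindPlaceholders(consent, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  const nodes = doc.querySelectorAll(".ig-placeholder");
  nodes.forEach((el) => el.querySelector('[data-action="load"]').addEventListener("click", () => {
    consent.grant(CONSENT_CATEGORY);
    el.outerHTML = renderEmbed(el.dataset.post, consent).html;
  }));
  return nodes.length;
}
```

Wire `consent.revoke(CONSENT_CATEGORY)` to your persistent consent panel and re-render the page section so the placeholder returns after withdrawal.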
Common alternatives include hosting a screenshot of the post on your own CDN with a textual caption, using a static image that links to the Instagram URL, or rendering the post server-side via the Instagram Graph API and serving the content from your own infrastructure. Some EU-friendly third-party services (Embedly proxies, self-hosted snapshots) avoid contacting Meta from the visitor's browser.
Document Instagram and Meta Platforms Inc as data recipients, list the Meta cookies (datr, fr, ig_did, mid, sb, c_user) with their duration and purpose, disclose the transfer to the United States under the EU-US Data Privacy Framework, name the legal basis (consent), and link to Meta's privacy policy and cookie list. Refresh the entry whenever Meta updates its disclosures.