ShareThis is a social sharing widget combined with an audience data platform. Buttons embedded on websites let visitors share content on social networks, while the script also collects clickstream and behavioural signals (page views, referrers, interests) that ShareThis syndicates to advertisers and data buyers. This dual purpose means ShareThis goes far beyond a simple share button and qualifies as a profiling tracker under GDPR.
ShareThis is a US company headquartered in Palo Alto, California, that publishes a JavaScript widget allowing website visitors to share content on social networks such as Facebook, X, LinkedIn, Pinterest, WhatsApp and many others. Behind the visible share buttons, the ShareThis script also collects clickstream and audience data, including page URLs, referrers, browser characteristics, IP-address-derived signals and interest segments, which the company syndicates to advertisers, data brokers and analytics partners. The widget is therefore both a user-facing utility and a behavioural data collection point, and its compliance footprint is closer to an ad tech tracker than to a simple share link.
Once loaded, ShareThis sets and reads several third party cookies, including pxrc, rlas3, tuuid and tuuid_lu, used to assign persistent identifiers and to build audience segments across sites. Combined with the data the script returns to ShareThis servers, these identifiers allow cross site tracking and the construction of advertising profiles. Under GDPR and the ePrivacy Directive, this combination of cookies that are not strictly necessary and profiling for advertising purposes requires prior, informed and freely given consent before the script is loaded.
ShareThis Inc processes data primarily in the United States. Transfers from the EU and the UK rely on the EU-US Data Privacy Framework, on the UK extension where applicable, and on Standard Contractual Clauses for any partner not covered by the DPF. Controllers must verify that ShareThis is currently certified under the DPF, document the transfer mechanism, and run a transfer impact assessment if the data also flows to third party data buyers in non-adequate jurisdictions. Documentation should include the categories of personal data transferred, the recipients, and the safeguards relied upon.
Where the legitimate goal is simply to let visitors share content, several alternatives offer a far lower compliance footprint. Native HTML share links (mailto, sms, share intents) and the browser Web Share API trigger sharing without any third party script. Self hosted button frameworks such as SHARE.JS or AddToAny configured in minimal, no tracking mode let you keep visual sharing widgets without third party cookies. These approaches usually avoid the need for prior consent because they do not load advertising scripts, and they remove the transfer of audience data to a US data broker.
To use ShareThis lawfully in the EU, the script and its cookies must be gated behind a Consent Management Platform compatible with the IAB Transparency and Consent Framework or with the equivalent CNIL guidelines. The ShareThis tag must not be inserted in the page until the user has given consent for the "Social media" and "Advertising" purposes. Refusal must be as easy as acceptance, and the cookie banner must list ShareThis as a named third party recipient, with a link to its privacy policy and to controls for objection and withdrawal of consent.
Because ShareThis combines large scale tracking, profiling and international transfers, deploying it on a public website usually triggers the criteria for a Data Protection Impact Assessment under Article 35 GDPR. The DPIA should describe the data flows, the necessity test, the lawful basis (consent), the risks for data subjects, and the mitigation measures (CMP gating, data minimisation, contractual safeguards). Records of processing, joint controllership analysis and a periodic review of the ShareThis cookies inventory should be maintained as part of ongoing privacy governance.
Websites using ShareThis must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when ShareThis is deployed at scale because audience data monetisation and behavioural profiling are core to the service. The DPIA must cover: identification of joint controllership with ShareThis Inc, scope of personal data collected (IP, cookie IDs, referrer, page URLs, interest segments), retention periods, transfers to the United States under DPF and SCC, profiling logic and downstream data buyers, rights of data subjects (access, objection, erasure), and necessity vs purpose. Where the controller cannot demonstrate strict necessity, native share buttons (mailto, Web Share API) should be preferred.
Sample consent text
We use the ShareThis social sharing widget to let you share our content on social networks. ShareThis also collects audience and clickstream data that may be transferred to ShareThis Inc in the United States and shared with advertising partners for profiling purposes. By clicking 'Accept', you consent to these cookies and to this processing. You can refuse or withdraw consent at any time from the cookie settings panel.
Third-party domains contacted
sharethis.com, platform.sharethis.com, buttons-config.sharethis.com, count-server.sharethis.com, l.sharethis.com, s7.sharethis.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __sharethis_cookie_test__ | third_party | session | Short lived test cookie written by the ShareThis script to detect whether third party storage is available in the current browser context |
| pxrc | third_party | 2 months | Persistent identifier set by ShareThis to recognise the browser across sites and to feed audience segments used in the data syndication products |
| rlas3 | third_party | 1 year | Cross site identifier used by ShareThis to build behavioural and interest profiles for advertising and audience monetisation purposes |
| tuuid | third_party | 2 years | Long lived unique user identifier set by ShareThis to track activity across websites and to power audience targeting and data licensing |
| tuuid_lu | third_party | 2 years | Companion cookie storing the last update timestamp of the tuuid identifier, used by ShareThis to manage identifier refresh and synchronisation |
| sharethis_session | third_party | session | Session level identifier used to correlate share events and audience signals within a single browsing session before persistent identifiers are written |
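The domains and cookie names listed above can be turned into a check that the widget really stays silent until consent is given. The following is an added example, not code from ShareThis or from this page's publisher; the log entry shape `{ t, url, setCookie }` is an assumption (for instance, reduced from a browser HAR export) and the sample log is constructed.

```javascript
// Added example: audit a request log for vendor contact before consent.
// Entry shape { t, url, setCookie } is an assumption, e.g. reduced from a HAR export.
const VENDOR_DOMAIN = "sharethis.com";
const VENDOR_COOKIES = new Set(["__sharethis_cookie_test__", "pxrc", "rlas3",
  "tuuid", "tuuid_lu", "sharethis_session"]); // names from the table above

// Exact domain or a true subdomain; "notsharethis.com" must not match.
function isVendorHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === VENDOR_DOMAIN || h.endsWith("." + VENDOR_DOMAIN);
}

// consentAt: timestamp (ms) of the accept click, or null if consent was never given.
function findPreConsentLeaks(entries, consentAt) {
  const leaks = [];
  for (const e of entries) {
    if (consentAt !== null && e.t >= consentAt) continue; // after consent: allowed
    let host;
    try { host = new URL(e.url).hostname; } catch { continue; } // skip malformed URLs
    const cookies = (e.setCookie || [])
      .map((c) => c.split("=")[0].trim())
      .filter((name) => VENDOR_COOKIES.has(name));
    if (isVendorHost(host) || cookies.length > 0) {
      leaks.push({ t: e.t, host, cookies });
    }
  }
  return leaks;
}

// Constructed sample log (not captured traffic); paths and values are placeholders.
const SAMPLE_LOG = [
  { t: 120, url: "https://example.org/article.html" },
  { t: 340, url: "https://buttons-config.sharethis.com/PLACEHOLDER" },
  { t: 350, url: "https://l.sharethis.com/PLACEHOLDER",
    setCookie: ["tuuid=CONSTRUCTED; Max-Age=63072000"] },
  { t: 360, url: "https://notsharethis.com/PLACEHOLDER" },
  { t: 900, url: "https://count-server.sharethis.com/PLACEHOLDER" },
];

// Consent clicked at t=800: the two earlier vendor requests are violations.
const leaksBeforeAccept = findPreConsentLeaks(SAMPLE_LOG, 800);
// Consent never given: every vendor request is a violation.
const leaksAfterRefusal = findPreConsentLeaks(SAMPLE_LOG, null);
```

Run it against logs recorded for three visits (accept, refuse, no interaction); a correctly gated page yields an empty list for each.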
ShareThis sets several third party cookies on the sharethis.com domain, including pxrc, rlas3, tuuid and tuuid_lu. These cookies act as persistent identifiers used to recognise the same browser across websites, to build audience segments and to fuel ShareThis's own data syndication products. The widget also writes a short-lived __sharethis_cookie_test__ key to detect whether third party storage is available, and may store session ids in local storage. None of these cookies are strictly necessary for content delivery, so they all fall within the scope of the ePrivacy consent requirement.
Yes. ShareThis combines third party cookies, cross site tracking and behavioural profiling for advertising data monetisation. Under the ePrivacy Directive, storing or reading information on the user device for these purposes requires prior, freely given, specific, informed and unambiguous consent. Under GDPR, the profiling and audience segmentation activity needs an explicit Article 6(1)(a) consent. Implied consent, pre-ticked boxes or simple cookie walls are not sufficient. The script must remain unloaded until the user has actively accepted in the consent banner.
The relevant legal basis is consent under Article 6(1)(a) GDPR. Legitimate interest is generally not appropriate because the processing is intrusive, includes cross site tracking and serves the commercial interests of ShareThis and its data buyers rather than the user. Where special categories of data could be inferred from interest segments (health, religion, sexual orientation), an Article 9 explicit consent would also be required. Controllers must be able to demonstrate consent and to honour withdrawal with the same level of granularity as acceptance.
Yes. ShareThis Inc is established in the United States and processes audience data on infrastructure located primarily in the US. EU and UK transfers rely on the EU-US Data Privacy Framework where ShareThis is certified, on the UK extension where applicable, and on Standard Contractual Clauses for any data buyer or sub-processor outside the DPF scope. Controllers should document the transfer mechanism, identify the recipients, and perform a transfer impact assessment that accounts for downstream onward transfers to ad networks.
In most cases yes. ShareThis triggers several of the criteria flagged by the EDPB and national supervisory authorities for mandatory DPIAs: systematic monitoring of users on a large scale, evaluation or scoring (audience segments and interest profiling), innovative use of new technological solutions, and data transfers to third countries with onward sharing to data buyers. The DPIA should describe data categories, flows, retention, risks for data subjects, and mitigation measures including CMP gating, contractual safeguards with ShareThis and minimisation.
Implement ShareThis behind a Consent Management Platform that blocks the script until the user accepts the social media and advertising purposes. Disclose ShareThis as a named third party in the cookie banner and in the privacy policy, with a link to its policy and to the controls for opposition and withdrawal. Configure your CMP to delete ShareThis cookies on refusal or withdrawal. Document the data protection assessment, the transfer mechanism (DPF or SCC), and the retention period. Review the configuration periodically because ShareThis cookies and partner lists evolve.
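The gating described here, and in the earlier paragraph on CMP gating, can be sketched as follows. This is an added example, not ShareThis or CMP vendor code: the tag URL is a placeholder, and the purpose keys and the `cmp:consent-changed` event name are hypothetical stand-ins for whatever your CMP exposes.

```javascript
// Added example, not ShareThis or CMP vendor code.
// SHARETHIS_SRC is a placeholder: use the tag URL issued for your own property.
const SHARETHIS_SRC = "https://platform.sharethis.com/PLACEHOLDER.js";
// Hypothetical purpose keys; map them to the purposes your CMP actually reports.
const REQUIRED_PURPOSES = ["social_media", "advertising"];
// Cookie names from the table on this page.
const SHARETHIS_COOKIES = ["__sharethis_cookie_test__", "pxrc", "rlas3",
  "tuuid", "tuuid_lu", "sharethis_session"];
const TAG_ID = "sharethis-tag";

// Consent counts only if every required purpose is explicitly true.
function hasConsent(consent) {
  return Boolean(consent) && REQUIRED_PURPOSES.every((p) => consent[p] === true);
}

// Bring the page in line with the current consent state.
// Returns "loaded", "already-loaded", "removed" or "blocked".
function applyConsent(doc, consent) {
  const existing = doc.getElementById(TAG_ID);
  if (hasConsent(consent)) {
    if (existing) return "already-loaded";
    const tag = doc.createElement("script");
    tag.id = TAG_ID;
    tag.src = SHARETHIS_SRC;
    tag.async = true;
    doc.head.appendChild(tag); // first network contact with the vendor
    return "loaded";
  }
  if (existing) existing.remove();
  // Expires only cookies visible to this origin. Cookies scoped to
  // sharethis.com cannot be reached from the publisher's document.cookie.
  for (const name of SHARETHIS_COOKIES) {
    doc.cookie = `${name}=; Max-Age=0; Path=/`;
  }
  return existing ? "removed" : "blocked";
}

// Browser wiring. "cmp:consent-changed" is a hypothetical event name; use the
// callback your CMP provides (for TCF-based CMPs, a __tcfapi event listener).
if (typeof window !== "undefined") {
  window.addEventListener("cmp:consent-changed", (e) => {
    const result = applyConsent(document, e.detail);
    // An already executed script keeps running; reload to stop it fully.
    if (result === "removed") window.location.reload();
  });
}
```

The tag must not appear in the static HTML at all; if it does, the browser fetches it before any of this code runs.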
The most privacy-friendly alternative is to use native HTML share links and the browser Web Share API, which trigger sharing without loading any third party script or cookie. For visual share buttons, self-hosted libraries such as SHARE.JS or AddToAny in minimal, no tracking mode let you keep familiar icons while avoiding third party cookies and US data transfers. These options usually remove the need for prior consent because they do not perform profiling, and they reduce the controller's compliance footprint significantly.
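The native alternative mentioned here and in the earlier paragraph on alternatives, as an added example that is not part of the original page: the Web Share API when the browser offers it, with mailto and sms links as the fallback. The function names are illustrative, and the `nav` parameter stands for the browser's `navigator` object.

```javascript
// Added example: sharing with no third-party script or cookie.
// Only http(s) URLs are accepted, so a crafted value cannot smuggle another scheme.
function normaliseShareData({ title, url }) {
  const parsed = new URL(url); // throws on malformed input
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    throw new Error("refusing to share non-http(s) URL");
  }
  return { title: String(title), url: parsed.href };
}

// Plain links: once rendered as <a href>, they work without JavaScript.
function buildShareLinks(data) {
  const { title, url } = normaliseShareData(data);
  const t = encodeURIComponent(title);
  const u = encodeURIComponent(url);
  return {
    mailto: `mailto:?subject=${t}&body=${u}`,
    sms: `sms:?body=${t}%20${u}`,
  };
}

// Feature detection: the API is absent in some browsers and in insecure contexts.
function canUseWebShare(nav, data) {
  if (!nav || typeof nav.share !== "function") return false;
  return typeof nav.canShare !== "function" || nav.canShare(data) === true;
}

// Call from a click handler: navigator.share() requires a user gesture.
async function shareContent(nav, data) {
  const clean = normaliseShareData(data);
  if (canUseWebShare(nav, clean)) {
    try {
      await nav.share(clean);
      return { via: "web-share" };
    } catch (err) {
      // The user closing the share sheet is not an error worth a fallback.
      if (err && err.name === "AbortError") return { via: "cancelled" };
      // Any other failure falls through to the link fallback.
    }
  }
  return { via: "links", links: buildShareLinks(clean) };
}
```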
Add an entry in the cookie policy that names ShareThis as a third party recipient, with its corporate identity (ShareThis Inc, Palo Alto, California, United States) and a link to its privacy policy. List the main cookies (pxrc, rlas3, tuuid, tuuid_lu) with their purpose (audience profiling, data syndication, sharing widget), duration, and category (advertising). Mention the transfer to the United States under the DPF and SCC, and the right to withdraw consent. Keep the cookie list under regular review because ShareThis updates its identifiers and partners over time.