Twitter, rebranded as X, is a US based social network operated by X Corp. Websites typically integrate Twitter through embedded tweets and timelines (platform.twitter.com/widgets.js), the X advertising Pixel for conversion tracking, the Sign in with X login button, or share buttons. Each integration loads third party JavaScript and sets identifying cookies that allow X to recognize visitors across the web, including those who do not hold an X account. From a GDPR perspective Twitter or X embeds are treated like other social plugins: they require prior, informed, explicit consent, a clear privacy notice, and a legal basis under Article 6(1)(a). Data is transferred to the United States under the EU US Data Privacy Framework and Standard Contractual Clauses.
Twitter, rebranded as X in 2023, is operated by X Corp, a private company based in San Francisco, California. On websites it appears in several forms: embedded tweets and timelines loaded through the script at platform.twitter.com/widgets.js, the X advertising Pixel used for retargeting and conversion measurement, the Sign in with X authentication button, share buttons that open intent URLs, and server side API integrations. Each of these touchpoints involves loading code from twitter.com or x.com and, in most configurations, setting persistent cookies that allow X to recognize the same browser across many websites. For European websites that means Twitter or X embeds fall squarely under the GDPR and the ePrivacy Directive, with the same treatment as other social plugins.
As soon as a Twitter or X widget loads, several cookies are written on the .twitter.com and .x.com domains. The guest_id cookie identifies the browser even for users who are not logged in, personalization_id powers ad personalization across the web, ct0 acts as a CSRF token for the session, muc_ads tracks advertising interactions, lang remembers the interface language, and for signed in users _twitter_sess and auth_token carry the authenticated session. Most of these cookies have a lifetime of one to two years and are accompanied by network calls that log the URL of the host page, the visitor's IP address and the user agent. Because they enable user level tracking they are not strictly necessary, and they require consent under ePrivacy Article 5(3) before being written.
The X Pixel, formerly the Twitter Pixel, is a small JavaScript tag that fires when a user visits a page or performs a conversion action such as a purchase, signup or lead. It sends the event together with cookies, page URL, IP address and optionally hashed identifiers such as email or phone to X Corp, which uses the data to build audiences, attribute conversions and optimize ad delivery. Because the pixel is used for advertising and profiling, the only valid legal basis in the EU is consent. It must never load by default, the consent banner must reject it until the user clicks accept, and once consent is withdrawn the pixel must be unloaded and any cookies it set should be removed.
X Corp is established in the United States and processes the data collected by embeds and pixels on US infrastructure. Transfers from the EEA, the UK or Switzerland rely on the EU US Data Privacy Framework, with Standard Contractual Clauses as a fallback when the importer or the data type is outside the DPF scope. Controllers should document the transfer mechanism in their record of processing activities, verify the DPF certification of X Corp on the official DPF list, and complete a transfer impact assessment that considers US surveillance laws (FISA 702, Executive Order 12333). Supplementary measures such as IP truncation or limiting the data sent through the pixel are recommended.
Under the EDPB guidelines on social plugins, the website operator and X Corp are joint controllers for the moment of collection. Consent must therefore be obtained before the widget loads, with a clear description of the recipient, the purposes (display of social content, advertising, analytics) and the transfer to the United States. A Data Protection Impact Assessment is required when the deployment is large scale, when the pixel processes sensitive categories, when content targets children, or when Sign in with X is used as the primary authentication method. The DPIA should map data flows, justify the necessity of the integration, document the consent mechanism and list mitigations.
For sites that want to reference Twitter or X content without exposing visitors to tracking, several alternatives exist. A static screenshot or a typographic blockquote with a link to the original post communicates the content without any third party JavaScript. A facade pattern shows a click to load placeholder and only injects the official widget after explicit user interaction, which then counts as consent. Server side rendering of the tweet using the public oEmbed API can avoid setting cookies if the response is stripped of remote assets. For analytics, server side conversion APIs reduce the data sent through the browser. Whichever option is chosen, the cookie policy and privacy notice must clearly describe Twitter or X as a third party recipient and the transfer to the United States.
DPIA considerations
A Data Protection Impact Assessment is strongly recommended when Twitter or X is used beyond simple embedded tweets, in particular when the X Pixel is deployed for advertising or conversion tracking, when Sign in with X is offered as an authentication option, when timelines or share buttons are placed on pages targeting children, sensitive categories or political content, or when integrations are used at scale on a high traffic site. The DPIA should describe the data flows to X Corp in the United States, the cookies set (guest_id, personalization_id, ct0, muc_ads, auth_token), the legal basis (consent), the transfer mechanism (DPF and SCCs), retention, and the technical and organizational measures, including consent gating and a do not load by default strategy.
Sample consent text
We use Twitter (X) to display embedded posts, timelines and to measure the performance of our advertising campaigns. With your consent, X Corp may read and set cookies on your device (guest_id, personalization_id, ct0, muc_ads) and process your IP address and browsing data in the United States under the EU US Data Privacy Framework. You can accept, refuse or change your choice at any time from our cookie preferences.
Third-party domains contacted
twitter.com
x.com
platform.twitter.com
syndication.twitter.com
analytics.twitter.com
ads-twitter.com
t.co
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| guest_id | third_party | 2 years | Identifies the browser for users who are not logged in to X, enabling visitor recognition across sites that embed Twitter or X content. |
| personalization_id | third_party | 2 years | Used by X to personalize advertising and content recommendations across the web, including on third party sites that load X widgets or pixels. |
| ct0 | third_party | 6 hours to 1 year | CSRF token used to protect authenticated actions on the X platform and supporting widgets, also leveraged for security and fraud prevention signals. |
| muc_ads | third_party | 2 years | Tracks interactions with advertising on X properties and through the X Pixel, supporting conversion measurement and audience building. |
| lang | third_party | Session | Stores the preferred interface language used by Twitter and X widgets to display embedded content. |
| auth_token | third_party | 5 years | Authentication cookie set for users logged in to X, used by widgets and Sign in with X to keep the session active. |
| _twitter_sess | third_party | Session | Session cookie set by twitter.com and x.com when a user interacts with embedded content or signs in, used to maintain server side session state. |
When a Twitter or X widget loads, several cookies are written to .twitter.com and .x.com, including guest_id which identifies the browser for non logged in users, personalization_id used for cross site ad personalization, ct0 acting as a CSRF token, muc_ads to track advertising interactions, lang to remember the interface language, and for signed in users _twitter_sess and auth_token to carry the authenticated session. Lifetimes typically range from session to two years. All of these are non essential and require prior consent under ePrivacy Article 5(3).
Yes. The script at platform.twitter.com/widgets.js loads third party JavaScript and sets cookies on the visitor's device, and the connection itself transmits the IP address and the URL of the host page to X Corp. Under the EDPB guidelines on social plugins, the website operator and X Corp are joint controllers at the moment of collection, so consent must be obtained before the widget loads. A click to load facade is the most common way to defer the integration until the user accepts.
The only valid legal basis is consent under GDPR Article 6(1)(a), combined with the consent requirement of ePrivacy Article 5(3) for cookie storage and access. Legitimate interest is not appropriate because the embeds, pixel and login button enable cross site profiling and advertising, which the EDPB and national DPAs consider to override user expectations. Consent must be freely given, specific, informed, unambiguous and as easy to withdraw as to give.
Yes. X Corp is established in the United States and processes data on US infrastructure. Transfers from the EEA, the UK and Switzerland rely on the EU US Data Privacy Framework when X Corp is on the DPF list, and on Standard Contractual Clauses as a fallback. Controllers should document the mechanism, monitor the DPF certification status and complete a transfer impact assessment that addresses US surveillance laws (FISA 702, Executive Order 12333).
A DPIA is recommended whenever the integration goes beyond a few isolated tweet embeds. It is required when the X Pixel is deployed for advertising or conversion tracking, when Sign in with X is offered as authentication, when content is targeted at children or sensitive categories, or when integrations run at scale on a high traffic site. The DPIA should map data flows, justify the necessity, list mitigations and document the consent mechanism.
Do not load widgets.js by default. Use a facade with a click to load placeholder, integrate Twitter or X with your consent management platform so it only fires after a positive choice, prefer static embeds or screenshots for low value uses, limit the data sent through the X Pixel and consider hashing identifiers, document the integration in your record of processing, name X Corp as recipient in your privacy notice and cookie policy, and provide a clear way to withdraw consent.
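The following is an added example, not code from this page, from FlowConsent or from X Corp. It implements the click to load facade and the do not load by default rule described in the alternatives section and in the answer above, and the teardown on withdrawal that the X Pixel section asks for. It assumes a post object with url, author and text fields supplied by the site itself (for example from a server side oEmbed call with remote assets stripped), and the twitter-tweet blockquote markup that widgets.js upgrades into the official embed. The data-x-widget attribute, the ConsentGate class and the function names are my own choices. The DOM helpers take a doc parameter so the decision logic can be exercised outside a browser.

```javascript
// Added example: consent-gated facade for an embedded X post.
// Nothing from X hosts is requested until the visitor makes a positive choice.

const WIDGET_SRC = 'https://platform.twitter.com/widgets.js';

// Hosts the page lists as contacted by the embed; used to find what to tear down
// when consent is withdrawn.
const X_HOSTS = [
  'twitter.com', 'x.com', 'platform.twitter.com', 'syndication.twitter.com',
  'analytics.twitter.com', 'ads-twitter.com', 't.co',
];

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// True when `url` points at one of the X hosts or a subdomain of one.
// Unparseable input (relative or empty src) is treated as not an X origin.
function isXOrigin(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return false; }
  return X_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Typographic fallback: quotes the post and links to the original with no
// remote assets, so rendering it sets no X cookies and contacts no X host.
// The button label names the recipient and the transfer so the click is informed.
function renderFacade(post) {
  return '<blockquote class="x-facade">' +
    '<p>' + escapeHtml(post.text) + '</p>' +
    '<cite>' + escapeHtml(post.author) + '</cite> ' +
    '<a href="' + escapeHtml(post.url) + '" rel="noopener noreferrer">View on X</a>' +
    '</blockquote>' +
    '<button type="button" class="x-facade-load">' +
    'Load embedded post (sends data to X Corp in the United States)</button>';
}

// Minimal consent record: granted only after an explicit positive action,
// never by default, and revocable at any time.
class ConsentGate {
  constructor() { this.granted = false; }
  grant() { this.granted = true; }
  withdraw() { this.granted = false; }
  isGranted() { return this.granted; }
}

// Decide what to show. A click on the facade button is itself the positive
// choice, so it records consent before the decision is made.
function decide(gate, clickedLoad) {
  if (clickedLoad) gate.grant();
  return gate.isGranted() ? 'widget' : 'facade';
}

// Inject widgets.js once; the script tag is marked so it can be found again.
function loadWidget(doc) {
  if (doc.querySelector('script[data-x-widget]')) return;
  const s = doc.createElement('script');
  s.src = WIDGET_SRC;
  s.async = true;
  s.setAttribute('data-x-widget', '1');
  doc.head.appendChild(s);
}

// On withdrawal: remove the script and every iframe the widget created on an
// X host. Cookies on .twitter.com and .x.com are neither readable nor
// deletable from the host page, so stopping all loads from those hosts is the
// measure actually within the site's control.
function unloadWidget(doc) {
  doc.querySelectorAll('script[data-x-widget]').forEach((n) => n.remove());
  doc.querySelectorAll('iframe').forEach((f) => { if (isXOrigin(f.src)) f.remove(); });
}

// Mount the facade in `container`; the official embed replaces it only after a click.
function mountEmbed(container, post, gate, doc) {
  container.innerHTML = renderFacade(post);
  container.querySelector('.x-facade-load').addEventListener('click', () => {
    if (decide(gate, true) !== 'widget') return;
    container.innerHTML = '<blockquote class="twitter-tweet"><a href="' +
      escapeHtml(post.url) + '"></a></blockquote>';
    loadWidget(doc);
  });
}

// Browser usage (skipped when run outside a page):
if (typeof document !== 'undefined') {
  const gate = new ConsentGate();
  const box = document.querySelector('[data-x-post]');
  if (box) {
    mountEmbed(box, JSON.parse(box.getAttribute('data-x-post')), gate, document);
  }
  // Wire the same gate to the cookie preferences UI so that withdrawing
  // consent calls gate.withdraw() followed by unloadWidget(document).
}
```

Wire the gate to the consent management platform so that the preferences panel calls withdraw() and unloadWidget() together; the X Pixel can be gated with the same pattern by swapping WIDGET_SRC for the pixel tag. Note that after withdrawal the facade must be shown again rather than the twitter-tweet blockquote, because widgets.js would otherwise re-upgrade it on the next load.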
Common alternatives include a static screenshot of the tweet with a link to the original, a typographic blockquote with attribution, server side rendering via the public oEmbed API with remote assets stripped, a facade pattern with click to load, or simply a text link out to twitter.com or x.com. For analytics, server side conversion APIs reduce the amount of data flowing through the browser and limit cookie usage.
List Twitter or X as a third party recipient, mention X Corp as the data importer in the United States, describe the purposes (display of social content, advertising, analytics, authentication), name the main cookies (guest_id, personalization_id, ct0, muc_ads, lang, _twitter_sess, auth_token) with their durations, indicate the transfer mechanism (DPF or SCCs), and link to the X privacy policy. Ensure the cookie banner allows refusing Twitter or X with the same prominence as accepting.