Twitter Widgets (now also branded X Widgets) is the JavaScript library that lets a website embed live tweets, timelines, follow and share buttons, and conversation threads from X (formerly Twitter). The widgets load scripts from platform.twitter.com and platform.x.com, set X session and tracking cookies on the visitor's browser, and transmit IP, User-Agent and referrer back to X Corp. servers in the United States. For European publishers, this falls squarely under the ePrivacy consent requirement and the GDPR cross-border transfer regime.
Twitter Widgets (rebranded as X Widgets since 2023) are a family of embeddable components offered by X Corp. to render live X content on third-party websites. They include single embedded tweets, timelines, follow buttons, share buttons, and conversation threads. The widgets load JavaScript from platform.twitter.com or platform.x.com, which then renders the content in iframes hosted on syndication.twitter.com or syndication.x.com.
Twitter Widgets set or read cookies including guest_id, personalization_id, ct0, auth_token (if the user is logged into X), kdt and twid. They transmit the visitor's IP address, User-Agent, the URL of the embedding page, the referrer, screen resolution, language preferences, and (for logged-in users) the X account identifier. Data is sent to X Corp. in the United States.
Twitter Widgets fall squarely under Art. 5(3) ePrivacy: they set non-essential third-party cookies and require prior consent. X may also use embedded widget impressions to enrich advertising profiles, which the EDPB has repeatedly flagged in social plugin guidance. The widget operator (your website) may be a joint controller with X for the collection of personal data on page load, following the Fashion ID CJEU ruling. Since X is a Very Large Online Platform under the EU Digital Services Act, additional transparency obligations apply.
All data collected by the widget is processed by X Corp. in the United States. The transfer relies on the 2021 Standard Contractual Clauses and, where applicable, on X's certification under the EU-US Data Privacy Framework. Note that X has been subject to scrutiny by EU regulators about its data handling and has had its DPF certification status questioned in some periods; verify the current status before relying on it.
The Twitter Widgets script must not be loaded before the visitor has consented to marketing or social media cookies. Implement a click-to-load pattern: show a placeholder with a Load tweet button and only inject the platform.twitter.com script once the user clicks or accepts the relevant CMP category. Cookieless alternatives include rendering a static screenshot of the tweet with a link to X.
1. Block the Twitter / X script behind your CMP.
2. Use click-to-load placeholders for individual tweets.
3. Document X Corp. in your privacy notice as a joint or independent controller, with US transfer disclosure.
4. Run a DPIA.
5. Consider EU-friendly alternatives such as Mastodon embeds or static screenshots.
6. Verify X's current DPF certification status.
7. Ensure the widget is removed from AMP pages where consent management is harder.
Websites using Twitter Widgets must obtain user consent under GDPR regulations.
DPIA considerations
Twitter Widgets transmit personal data to X Corp. every time the widget loads, even without user interaction. Key DPIA considerations: (1) third-party cookies (auth_token, guest_id, personalization_id) enable cross-site behavioural profiling; (2) X may correlate the visit with the user's logged-in X account, building a behavioural profile usable for ad targeting; (3) all data transferred to the United States; (4) X has been the subject of multiple national DPA decisions (Italian Garante, Irish DPC) raising concerns about lawful basis; (5) the DSA classifies X as a Very Large Online Platform (VLOP) with additional transparency obligations; (6) AI feed personalisation may trigger Art. 22 GDPR. A DPIA is required for any production embed on a European site.
Sample consent text
This page can embed live tweets and X (formerly Twitter) buttons. When loaded, the widget shares data with X Corp. in the United States, including your IP address, browser information, the URL of this page, and X cookies if you are logged in. We do not load the widget until you click below to accept. Read more in our cookie policy.
Third-party domains contacted
platform.twitter.com
platform.x.com
syndication.twitter.com
syndication.x.com
twitter.com
x.com
pbs.twimg.com
video.twimg.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| guest_id | Marketing / Tracking | 2 years | Persistent visitor identifier used by X to recognise the browser across visits and embedded widget impressions. |
| personalization_id | Marketing / Advertising | 2 years | Used by X to personalise ads and content recommendations, including across sites that embed X widgets. |
| ct0 | Strictly necessary (X) | Session | CSRF protection token for X interactions; required for logged-in widget actions like Like or Follow. |
| auth_token | Functional | Persistent | Authentication token set if the visitor is logged into X. Lets the widget recognise the X account and personalise. |
| twid | Functional | 6 years | Stores the X user identifier when logged in, allowing rapid recognition across widget loads. |
| kdt | Security | 10 years | Trusted-device identifier used by X for security checks on login. |
Common cookies include guest_id (visitor identifier, 2 years), personalization_id (cross-site ad personalisation, 2 years), ct0 (CSRF token), auth_token (logged-in session), kdt and twid. All are non-essential and require prior consent.
Yes. Twitter / X Widgets set non-essential third-party cookies and transmit personal data (IP, browsing context) to X Corp. on page load, so prior consent under Art. 5(3) ePrivacy is required. Implement click-to-load so the widget only fetches after the visitor explicitly accepts.
Consent (Art. 6(1)(a) GDPR) for the cookie placement and data transmission triggered by the widget. The embedding website may be a joint controller with X for this data collection, following the CJEU Fashion ID ruling, which means a Joint Controller Agreement (Art. 26 GDPR) is technically required, although in practice no agreement is offered by X.
Yes. X Corp. processes data in the US. The transfer relies on the 2021 Standard Contractual Clauses and, where applicable, on X's EU-US Data Privacy Framework certification. Note that the DPF status can change; check X's current public certification before relying on it.
Yes for any production deployment, especially if you embed many widgets or run a site with significant European traffic. The combination of behavioural profiling, US transfer and potential joint controllership with a VLOP under the DSA satisfies multiple Art. 35(3) GDPR criteria.
Implement click-to-load: render a static placeholder (tweet author, date, preview text) and only inject the platform.twitter.com script after explicit consent. Document X Corp. in your privacy notice and cookie policy. Add joint controllership disclosure if relevant. Consider alternatives like static screenshots or Mastodon embeds.
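The click-to-load pattern described in this answer and in the implementation guidance above, as an added example that is not code from FlowConsent or from X Corp.: the placeholder is rendered from data the site already has (author, date, preview text), with HTML-escaping so untrusted tweet text cannot inject markup, and the platform.twitter.com script is only injected once the visitor either clicks the button or accepts the relevant CMP category. The CMP category id "social_media", the ConsentStore shape, and the injector function are assumptions to be mapped onto whatever CMP the site actually uses.

```javascript
'use strict';
// Consent-gated (click-to-load) loader for the X / Twitter widgets script.
// Added example, not FlowConsent's or X Corp.'s code. Assumed names: the CMP
// category id "social_media" and the ConsentStore API stand in for the real CMP.

const WIDGET_SCRIPT_URL = 'https://platform.twitter.com/widgets.js';
const CONSENT_CATEGORY = 'social_media'; // assumed CMP category id

// Minimal stand-in for a CMP's consent state: query, grant/revoke, and change
// notifications. Replace with the real CMP's API in production.
class ConsentStore {
  constructor() { this.granted = new Set(); this.listeners = []; }
  has(category) { return this.granted.has(category); }
  onChange(fn) { this.listeners.push(fn); }
  grant(category) { this.granted.add(category); this.listeners.forEach(fn => fn(category)); }
  revoke(category) { this.granted.delete(category); this.listeners.forEach(fn => fn(category)); }
}

// Escape untrusted text (tweet body, author name, URL) before it goes into HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Static placeholder: no request to any X domain is made until the button is used.
function renderPlaceholder(tweet) {
  return [
    '<div class="x-embed-placeholder">',
    `<p><strong>${escapeHtml(tweet.author)}</strong> (${escapeHtml(tweet.date)})</p>`,
    `<p>${escapeHtml(tweet.text)}</p>`,
    `<a href="${escapeHtml(tweet.url)}" rel="noopener noreferrer">View on X</a>`,
    '<button type="button" data-action="load-widget">Load tweet</button>',
    '</div>',
  ].join('\n');
}

// The gate decides whether the third-party script may be injected. The
// side-effecting `inject` function is passed in so the decision logic can be
// exercised (and audited) without a DOM.
class WidgetGate {
  constructor(consent, inject) {
    this.consent = consent;
    this.inject = inject;
    this.loaded = false;
    this.log = []; // audit trail of load decisions
    // Load automatically once the visitor accepts the relevant CMP category.
    consent.onChange(category => {
      if (category === CONSENT_CATEGORY && consent.has(category)) this.load('cmp-accept');
    });
  }

  // Returns true only when the script is injected by this call.
  load(reason) {
    if (this.loaded) { this.log.push({ reason, action: 'already-loaded' }); return false; }
    if (!this.consent.has(CONSENT_CATEGORY)) { this.log.push({ reason, action: 'blocked' }); return false; }
    this.inject(WIDGET_SCRIPT_URL);
    this.loaded = true;
    this.log.push({ reason, action: 'injected' });
    return true;
  }

  // Handler for the placeholder's "Load tweet" button.
  handleClick() {
    if (this.consent.has(CONSENT_CATEGORY)) return this.load('placeholder-click');
    // The click is an explicit act for this one category; record it in the CMP
    // so the choice persists and the onChange hook performs the load.
    this.consent.grant(CONSENT_CATEGORY);
    return this.loaded;
  }
}

// Real injector for browser use: appends the <script> tag to the document.
// Only call this with a live `document`; the gate's tests use a recording stub.
function createDomInjector(doc) {
  return url => {
    const s = doc.createElement('script');
    s.src = url;
    s.async = true;
    doc.head.appendChild(s);
  };
}

// Example wiring for a page (constructed sample tweet data):
// const gate = new WidgetGate(cmpAdapter, createDomInjector(document));
// container.innerHTML = renderPlaceholder({ author: '@example', date: '2024-01-01',
//   text: 'Sample tweet text', url: 'https://x.com/example/status/1' });
// container.querySelector('[data-action="load-widget"]').addEventListener('click', () => gate.handleClick());
```

The `log` array is the part worth keeping in production: it lets you verify, for a given page view, that no request to platform.twitter.com was triggered before a consent decision, which is exactly what a regulator or an internal audit will ask for.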
For EU-friendly alternatives: render a static screenshot of the tweet with a link to X, use server-side rendering of public tweet content (subject to X TOS), embed Mastodon or Bluesky instead, or use third-party privacy-friendly embed services like Iframely or Embedly with no-cookie mode.
List guest_id, personalization_id, ct0, auth_token and any other X cookies you observe in production with their purpose, duration and third-party source. In your privacy notice, identify X Corp. as a (joint) controller, disclose the US transfer with SCCs and DPF status, and link to X's privacy policy.