GDPR and AddThis: Your Questions Answered!

A big topic of conversation around the internet these days is GDPR. The General Data Protection Regulation (“GDPR”), is a new regulation with comprehensive privacy and security requirements intended to strengthen and unify data protection in the European Union.

The deadline for complying with GDPR is just around the corner (May 25, 2018!) and we want to make sure that all your questions are answered, so we’ve assembled some of the top inquiries we’ve heard from AddThis users:

Q: How do you store, process, retain and use the data you collect?

A: General information on our privacy practices, including storage, processing, retention, and use of personal information is available in our AddThis privacy policy, available at:


Q: At what point in the process is the AddThis user data collected?

A: The AddThis cookie is “dropped” when an end user visits a publisher site that uses the AddThis Website Tools. Certain consent tools allow for cookies to be suspended (or “not dropped”) if the user has not consented to cookies on the site. Publishers are encouraged to use consent tools that are appropriate given their particular business needs.


Q: What do I need to do to prepare for the GDPR?

A: It will be the responsibility of each publisher to assess the legal and operational implications of GDPR on their business and implement changes as necessary. This may include changes to site functionality such as cookie consent mechanisms, terms and conditions, and privacy policy. Oracle does not mandate a particular set of mechanisms or even standard language that should be used to capture consent. If you are not sure what to do, we recommend you contact your compliance and legal advisors.


Q: Will you provide a Data Processing Agreement, or are you able to sign our agreement?

A:  A Data Processing Agreement is not appropriate for a controller to controller relationship. The relationship between Oracle and our AddThis publishers are governed solely by the AddThis Terms of Service which clarifies the respective rights and obligations between Oracle and our publishers in connection with the publishers’ access to and use of the AddThis Services and Oracle use of Publisher Data. The AddThis Terms of Service also fully incorporate EU Standard Contractual Clauses for controller to controller relationships. Please see the AddThis Terms of Service if you have any questions about Oracle’s obligations towards Publisher Data.


Q: Since the AddThis tools use 3rd-party services (ex: Facebook, Pinterest, Tumblr, etc.), how do I update my privacy policy for GDPR to notify my visitors of potential tracking behaviors of each service?

A: The AddThis tools provide website visitors with the ability to share content with websites and social networks that are not affiliated with the publisher site. By clicking on those links or sharing that content, your website visitors may share personal information with these third parties. Publishers may want to encourage their website visitors to check the privacy policies and terms of use of any websites or services before providing personal information to those third parties.


Q: Email addresses are collected by both the AddThis email sharing service as well as the AddThis List Building tools. How is Oracle complying with the GDPR for its collection of email addresses?

A: As part of our AddThis List Building tools, Oracle collects email address on behalf of a publishers to assist the publisher in creating email lists. These email addresses are only used by the publishers and are not used by Oracle to provide interest-based advertising, or to provide Oracle marketing or other Oracle purposes. Oracle retains these email addresses for six months after collection. Any opt-in or consent language that may be required for email marketing is the responsibility of the publishers.

For the email addresses that are provided during the sharing process when a user uses the AddThis sharing tools, the email address is only used to deliver the content to the intended recipient. These email addresses are also not used by Oracle to provide interest-based advertising, or to provide Oracle marketing or other Oracle purposes.


Q: Is AddThis storing any user data? Is any of the data personally identifiable (that includes IP address)?

A:  AddThis data is collected online and indirectly identifies users. This data includes, for example:

  • Internet Protocol (IP) address, Mobile Advertising ID (MAID) (which allows mobile app developers to identify who is using their mobile apps), mobile application ID, browser type, browser language, type of operating system, and the date and time the user visited a publisher Site or a user used the Toolbar;
  • Behavior on a Publisher Site, such as how long a user visited the Publisher Site, a user’s sharing behavior of content on a Publisher Site, and a user’s scrolling behavior on a Publisher Site;
  • The referring URL and the web search a user used to locate and navigate to a publisher site;
  • Keywords entered into the AddThis Toolbar search functionality, and whether and when a user downloaded, installed, or uninstalled the AddThis Toolbar;
  • Information regarding how often a user used the AddThis Tools and how often a user used the AddThis Toolbar; and
  • Geo-location data derived from a user’s IP address.


Q: I understand that Oracle is transferring data to servers in the United States. Is this acceptable from a GDPR perspective?

A: In the AddThis Terms of Service, AddThis publishers are required to disclose that AddThis data will be transferred to the United States and collect the appropriate consents from users to transfer data to the United States.


Q: What is the AddThis user data retention policy?

A: We retain AddThis Data for up to 13 months.


Q: What do I need to do to comply with the GDPR?

A. You can review the AddThis Terms of Service for your legal obligations to Oracle when using the AddThis Tools. It remains AddThis Publisher’s responsibility to seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data, including through the use of any vendor’s products or services.



The information presented here may not be construed or used as legal advice about the content, interpretation, or application of any law, regulation, or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data, including through the use of any vendor’s products or services.