AddThis and Data Protection – What Belongs in Your Privacy Policy
Concise guide to AddThis: data processed, purposes, legal bases (GDPR), end-of-life status since May 2023, and what website operators must include in their privacy policy.
If a website operator uses AddThis, they typically process web server log data, click paths, device and browser information, and cookies for the purpose of providing social sharing buttons and – historically – user-related marketing on the basis of a marketing consent (Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TDDDG). This page explains in compact form what data AddThis typically processed, who the provider is, which legal bases come into question and – particularly important – the status of the service since its discontinuation by Oracle.
AddThis has been officially discontinued since 31 May 2023. Oracle ended the service globally following a portfolio review (AdExchanger report, Oracle Customer Connect). Website operators who still have the AddThis snippet in their source code should urgently remove it – the scripts are no longer being delivered, the associated domains (s.addthis.com, m.addthis.com) are no longer functional, and a residual risk remains via third-party caches, sub-processors or migration scenarios. This page is aimed at operators who want to clean up their codebase, as well as operators still maintaining AddThis references in legacy content.
A. Purpose and Functionality of AddThis
AddThis was a widely deployed widget for websites that placed buttons on article and product pages allowing visitors to share content via social networks (e.g. Facebook, X/Twitter, LinkedIn, Pinterest), email or other channels. In addition, AddThis offered features for reach analytics, audience targeting and the setting of cookies for the purpose of advertising delivery within the provider's ad network.
Technically, AddThis was integrated as a JavaScript snippet (typically from s.addthis.com and m.addthis.com) embedded in the source code of the host website. When a page containing AddThis buttons was loaded, the visitor's browser established a direct connection to the provider's servers, transmitting request data and cookies.
This tool page focuses on the typical integration function – the share widget embedded in the page. Other AddThis features (e.g. Targeting Tools, Audience Builder) historically operated in the back-end and have had no practical relevance since the 2023 shutdown.
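To find leftover AddThis references of the kind described above before removing them, a template or exported page can be scanned as in the following added example (not code from the provider or from this page's author). The names AddThisFinder and scan_html are hypothetical, and matching every subdomain of addthis.com goes beyond the two hosts named here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BASE_DOMAIN = "addthis.com"  # assumption: any subdomain, incl. s. and m.
# Only the distinctive cookie names; "loc", "uvc" etc. are too generic.
INLINE_NEEDLES = (BASE_DOMAIN, "__atuvc", "__atuvs")

class AddThisFinder(HTMLParser):
    """Collects (line, kind, detail) for each active AddThis reference."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if name not in ("src", "href") or not value:
                continue
            # urlsplit also handles protocol-relative URLs (//host/path).
            host = urlsplit(value).hostname or ""
            if host == BASE_DOMAIN or host.endswith("." + BASE_DOMAIN):
                self.findings.append((self.getpos()[0], f"{tag}[{name}]", value))

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if not self._in_script:  # visible text loads nothing; skip it
            return
        for needle in INLINE_NEEDLES:
            idx = data.find(needle)
            if idx != -1:
                line = self.getpos()[0] + data.count("\n", 0, idx)
                self.findings.append((line, "inline-script", needle))

def scan_html(text):
    finder = AddThisFinder()
    finder.feed(text)
    finder.close()
    return sorted(finder.findings)

# Constructed sample page, not taken from a real site.
SAMPLE = """<html><body>
<script src="//s.addthis.com/js/widget.js#pubid=EXAMPLE"></script>
<script>
  var legacyCookies = ["__atuvc", "__atuvs"];
</script>
<p>We used to load share buttons from s.addthis.com.</p></body></html>"""
```

Calling scan_html(SAMPLE) reports the external script tag and the inline cookie references with their line numbers; the plain-text mention in the paragraph is deliberately not reported.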
B. Mandatory Information about AddThis in the Privacy Policy
The GDPR requires website operators, in addition to the general information about the controller, the rights of the data subject and the supervisory authority, to include the following specific mandatory information about tools such as AddThis:
- the purposes of processing (Art. 13 (1) (c) GDPR),
- the legal bases for processing (Art. 13 (1) (c) GDPR),
- where processing is based on a balancing of interests (Art. 6 (1) (f) GDPR), additionally the specific legitimate interests pursued (Art. 13 (1) (d) GDPR),
- the recipients or categories of recipients (Art. 13 (1) (e) GDPR),
- whether data are transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13 (1) (f) GDPR),
- the storage period or the criteria for determining it (Art. 13 (2) (a) GDPR),
- as well as – where data are not collected directly from the data subject – the categories of personal data processed (Art. 14 (1) (d) GDPR).
These mandatory items are broken down for AddThis in sections C through H below.
It is, however, not necessary to list every single tool – including AddThis – in the privacy policy with its own text block, even though this practice has become widely established. The "boilerplate-per-tool" approach has become poor practice: it leads to long, lawyer-drafted texts that repeat content endlessly and make the privacy policy hard to maintain and barely readable – contradicting the transparency requirement of Art. 12 (1) GDPR. A more appropriate solution is a topic-oriented approach: processing operations are described in cross-cutting categories (third-party content, tracking, marketing), and the actual service providers used are listed in an annex of recipients. This is precisely the methodology pursued by the matterius generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of AddThis
The provider of AddThis was, most recently:
- Oracle America, Inc., 2300 Oracle Way, Austin, TX 78741, USA (parent: Oracle Corporation).
- Country of seat: USA. Oracle had acquired AddThis in 2016 via Oracle Data Cloud.
- DPF status: According to publicly available information, Oracle America, Inc. is an active participant in the EU-U.S. Data Privacy Framework, the UK Extension and the Swiss-U.S. DPF (self-certification; verifiable at dataprivacyframework.gov). According to Oracle's own statements, the certification primarily covered "Services Personal Information" and may not have applied without limitation to the advertising and tracking data flows of AddThis.
- AddThis privacy policy: oracle.com/legal/privacy/addthis-privacy-policy.html.
- Status: Oracle discontinued the service on 31 May 2023; the privacy policy remains accessible for legacy purposes, but the service itself is no longer available.
Because Oracle is a US parent company and AddThis routinely transferred data to the United States, third-country transfers were a constituent part of the processing. Website operators who still have the snippet embedded should verify the DPF status for the specific data flow themselves or end the deployment.
D. Data Processing by AddThis – Step by Step
s.addthis.com, m.addthis.com) and transmitted web server log data, browser and device information, and any cookies already set.
E. Data Collected by AddThis
According to publicly available information from the provider and the processing operations documented in cookie databases, AddThis collected in particular: IP address, date/time of the request, URL accessed, referrer, user agent (browser/operating system information), screen information, clicks on sharing buttons, derived usage and interest profiles, conversion events, and unique identifiers via cookies (including __atuvc, loc, ouid, uvc, xtc).
These data can be classified into the following standardised data category classes:
- Web server log data: data the provider's server receives with each request; in particular IP address, date, time, time zone, URL of the requested content, referrer, status code and data volume transferred.
- Click paths: pages of the host site visited, each with date and time; clicks on sharing buttons.
- Device data: device type, operating system, screen resolution, touch support.
- Browser information: browser name, browser version.
- Coarse location data: location at city or regional level derived from the IP address.
- User profiles: interests, segment assignments, usage histories, and derived metrics.
- Conversion events: user interactions defined by the website operator as relevant, e.g. clicks on share buttons, visits to specific pages.
In addition, AddThis set cookies and pixels used to synchronise unique identifiers between Oracle and advertising partners.
F. Purposes for Using AddThis
Website operators typically used AddThis to make it easier for visitors to share content on social networks, to measure the reach of articles and to collect data for advertising delivery within the Oracle Advertising Network (formerly BlueKai).
These purposes can be classified into the following standardised purpose-of-use classes:
- Function provision: rendering the share buttons and providing the sharing functionality.
- General marketing: reach analysis, content performance measurement, evaluation of communication channels such as social media as a whole.
- User profile creation: identification of interests and preferences, assignment to segments and target groups.
- User-individual marketing: targeting of advertising in advertising networks based on usage behaviour (remarketing/retargeting within the Oracle ad ecosystem).
G. Legal Bases for AddThis
According to the tool categorisation used in the relevant data protection templates, AddThis falls primarily under the category third-party content with a tracking/marketing component (social plugin). The following legal bases come into question:
- Consent (Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TDDDG) – regularly required for setting and reading cookies as well as for processing for marketing and profiling purposes. Because AddThis set cookies for advertising purposes and shared data with advertising partners, a marketing consent via the consent banner was as a rule required.
- Third-party content consent for the mere embedding of the third-party script (connection to the provider's server, transmission of web server log data).
- Subsidiarily, legitimate interest (Art. 6 (1) (f) GDPR) in advertising and efficiency – contested in the tracking/marketing context by supervisory authorities and as a rule not sustainable as soon as cookies or comparable identifiers are set for non-essential purposes.
German supervisory practice and the case law on social plugins (cf. CJEU "Fashion ID", C-40/17) regularly require user consent for the embedding of external sharing widgets with a tracking component. The specific legal basis for AddThis must be assessed on a case-by-case basis by the website operator.
H. Particularities and Notes on AddThis
- End of life: Oracle discontinued AddThis on 31 May 2023. Website operators should remove the snippet from their source code and either delete the corresponding references from the privacy policy or mark them as historical processing.
- Migration paths: Frequently mentioned successor options include ShareThis (sharethis.com), the native sharing buttons of the platforms (Web Share API), self-built plain HTML/CSS buttons without third-party scripts, or privacy-friendly alternatives such as the Shariff approach. Each switch constitutes new data processing and requires its own assessment.
- Third-country transfer: Processing regularly took place in the United States. According to publicly available information Oracle America, Inc. is an active DPF participant; the specific scope for AddThis data flows is not unambiguously documented. For residual deployments or comparison questions, Standard Contractual Clauses (SCC) should be considered as a supplementary safeguard.
- Joint controllership: For sharing plugins – in line with the CJEU's "Fashion ID" ruling – joint controllership (Art. 26 GDPR) between the website operator and the provider may apply, at least for the data collection and transmission phase. Whether Oracle provided a Joint Controller Agreement should be verified against the website operator's historical contract documentation.
- Opt-out: Oracle offered a central opt-out for its advertising network at datacloudoptout.oracle.com/#optout. This mechanism was tied to Oracle cookies.
- Cookies: AddThis set, among others, the cookies __atuvc, __atuvs, loc, ouid, uvc, xtc with lifetimes ranging from a few hours up to two years.
The above notes are based on publicly available information from the provider and generally researchable sources and do not replace a case-by-case assessment by the website operator.
I. FAQ on AddThis and Data Protection
J. Conclusion on AddThis and Call-to-Action
For years AddThis was one of the most widely used sharing widgets on the web. With Oracle's shutdown on 31 May 2023 the service is no longer available; remnants in source code are functionally worthless and should be removed. From a data protection perspective AddThis was a tool with high requirements due to its use of cookies, profile building and data transfers to the US – marketing consent was as a rule required, and there was a substantial risk regarding third-country transfers and joint controllership under "Fashion ID".
The website operator's task remains to keep the privacy policy clean – not least when a new sharing service is deployed. It is generally not advisable to add a separate text block for every single tool – be it AddThis, ShareThis, a newsletter service or a tracking system – to the privacy policy. This makes the policy long, cluttered, hard to maintain and contradicts the transparency requirement of Art. 12 (1) GDPR. The better path is a structured, topic-oriented approach that explains processing operations in cross-cutting blocks (server operation, third-party content, tracking, marketing) and refers to specific tools and providers only in the annex of recipients. This is precisely the methodology of the matterius generator.
This article serves as general information on AddThis and does not replace legal advice in individual cases. The presentation is based on publicly available statements by the provider and generally researchable sources. As of: 7 May 2026.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com