GDPR Knowledge

Instagram Embed and Data Protection – What Belongs in the Privacy Policy

Compact guide to Instagram Embed: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

When a website operator uses Instagram Embed, the rendering of the embedded post, reel or profile causes the visitor's browser to send web-server log data, device data, browser information, coarse location data and, where applicable, cookies and profile data to Meta – for the purpose of integrating social-media content, regularly on the basis of a third-party content consent. This page sets out compactly which data are sent to Meta when Instagram Embed is loaded and which mandatory information must appear in the website's privacy policy.

A. Purpose and how Instagram Embed works

Instagram Embed is the integration of individual Instagram posts, reels or profiles into a third-party website. Technically this is normally done via an HTML snippet provided by Instagram, which contains a <blockquote> element with the URL of the post and a script loaded from //www.instagram.com/embed.js. The script transforms the blockquote into an interactive preview by opening an <iframe> to Instagram servers (instgrm.Embeds.process()). Alternatively, the oEmbed endpoint of the Facebook Graph API can be used to obtain the embed code on the server side.

When the embed renders, the visitor's browser establishes a direct connection to Meta servers (Instagram, cdninstagram.com, Facebook). Only this third-party request makes the post visible; without it, the function is not available.

This entry page deals exclusively with the embed function on the website operator's site (third-party content / social-media embed). Other functions in the Meta universe – such as the Meta Pixel for tracking, Instagram Login as single sign-on, advertising in Ads Manager, Instagram Shopping tags or a stand-alone Instagram business page (comparable to a Facebook Page) – are not covered here. They have to be assessed separately under data-protection law.

B. Mandatory information in the privacy policy

Beyond general information about the website operator, the data subject's rights and the supervisory authority, the GDPR requires a set of tool-specific mandatory disclosures for tools such as Instagram Embed: the purposes of processing (Art. 13(1)(c) GDPR), the applicable legal bases (Art. 13(1)(c) GDPR), and where Art. 6(1)(f) GDPR is invoked, the specific legitimate interests pursued (Art. 13(1)(d) GDPR), the recipients or categories of recipients (Art. 13(1)(e) GDPR), information on transfers to insecure third countries and the relevant safeguards (Art. 13(1)(f) GDPR), the storage period or the criteria for determining it (Art. 13(2)(a) GDPR) and – where data are not collected from the data subject – the categories of data (Art. 14(1)(d) GDPR).

These disclosures are detailed below for Instagram Embed.

In practice, it has become common to include a separate text module for every single tool – including Instagram Embed – in the privacy policy. This "boilerplate-per-tool" habit is not legally required and produces long, hard-to-read texts with redundant passages that repeat the same data categories and purposes again and again. A more appropriate approach is topic-oriented: processing is described across all tools (e.g. "third-party content"), and the actual service providers used – including Meta for Instagram Embed – are listed in an Annex of Recipients. This is precisely the methodology of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Instagram Embed

According to Meta's publicly available information, the contracting partner for website operators established in the EU/EEA is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The parent company is Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA. Processing takes place in Meta's group-wide infrastructure with servers worldwide, including in the United States.

According to the official US list, Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework (DPF) (see Data Privacy Framework Search). On this basis, transfers to Meta in the USA can currently rely on the European Commission's adequacy decision under Art. 45 GDPR. In addition, Meta uses Standard Contractual Clauses (SCC) under Art. 46 GDPR for transfers not covered by the DPF.

Key primary sources for Instagram Embed:

D. Data processing by Instagram Embed – step by step

  1. Collection: As soon as a page containing an embedded Instagram item is loaded, the visitor's browser fetches the Instagram embed script and/or the embed <iframe> directly from Meta servers (www.instagram.com, cdninstagram.com, connect.facebook.net). At that point, the IP address, user agent, referrer (URL of the embedding page), date/time and any existing Instagram/Facebook cookies are transmitted to Meta. Playing or interacting with the post (like, profile view, reading comments) generates further interaction data.
  2. Storage: Processing takes place in Meta's group-wide infrastructure, including data centres in the USA and other third countries. Storage periods follow Instagram's privacy policy; product-specific retention periods are not published.
  3. Use: According to Meta, the data are used to deliver the embed, for security and abuse prevention and – for users logged in to Meta – for personalisation and advertising within the Meta ecosystem. The website operator itself does not receive detailed data on individual visitors via the embed; its purpose is the provision of the social-media content.
  4. Disclosure: Data flow to Meta group companies and their sub-processors worldwide. A product-specific list of all sub-processors for embeds is not published.
  5. Erasure: The website operator's only effective control is to refrain from loading the embed (e.g. via the consent banner). Logged-in users can manage their activity and ad settings in their Instagram/Facebook account.

E. Data collected when using Instagram Embed

According to Meta's publicly available information, the following data are typically collected when an Instagram embed is loaded: IP address, date and time of the request, URL of the embedding page (referrer) and URL of the requested post, browser, operating system and device information, screen size, language settings, a coarse location derived from the IP address and – where the visitor is simultaneously logged in to Instagram or Facebook – an association of the request with the Meta account via cookies. In addition, interactions with the embedded content are recorded (clicks on the profile, like, navigation between multi-image posts, audio control on reels).

These data fall into the following standardised data categories:

  • Web-server log data: IP address, date, time, URL of the requested post, referrer URL of the embedding page, status code, transmitted volume.
  • Click paths: opening of the embedding page, clicks on profile, post URL or further links inside the embed.
  • Device data: device type, operating system, screen resolution, orientation, touch support.
  • Browser information: browser name, version, language settings, possibly extensions.
  • Coarse location data: location at city/region level derived from the IP address.
  • User content: content within Instagram posts or reels with which the visitor interacts.
  • User profiles: for users logged in to Instagram/Facebook, association of the data with their profile including interests and segment assignments (by Meta).
  • Interaction data: clicks, swipes, audio control, pause/play on reels within the embed.
  • Conversion events: only relevant where the website operator additionally deploys Meta tracking components – not typically relevant for a pure embed.

In addition, Meta may set or read cookies on the visitor's device, where a valid consent under § 25(1) TDDDG (German implementation of the ePrivacy Directive) is in place.

F. Purposes pursued by the website operator with Instagram Embed

The website operator typically uses Instagram Embed to enrich editorial or marketing content with current Instagram posts, to present social proof or to make reels and posts available within its own site without media breaks. From the website operator's perspective, the focus is on providing the embed function; further use of the data is carried out by Meta on its own responsibility.

These purposes can be classified into the following standardised categories:

  • Provision of functionality: displaying the embedded Instagram post, reel or profile including controls such as play/pause, profile linking and multi-image navigation.
  • Security and abuse prevention: detection and prevention of automated requests and abuse of the embed endpoint (by Meta).
  • General product improvement: analysis of which posts attract particular attention to optimise the embedding page editorially (where the website operator measures this independently).
  • General marketing and – for logged-in users, by Meta – user-profile creation, user-individual product improvement and user-individual marketing within the Meta ecosystem.

According to the structure of the privacy-policy template, Instagram Embed falls into the tool category third-party content (social-media embed). The decisive factor is that loading the embed already triggers a direct third-party request to Meta and that cookies or cookie-like identifiers may be processed.

Typically, the following legal bases come into consideration:

  • Consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG for the setting and reading of cookies and the subsequent processing ("third-party content consent" or "function consent", typically obtained via the consent banner). This is regularly the clean route, since loading the embed in its standard configuration triggers a third-party request with potential tracking.
  • Legitimate interests under Art. 6(1)(f) GDPR in the provision of functionality and in efficiency may come into consideration only in narrow scenarios, e.g. for a privacy-friendly variant (click-to-load / "two-click solution", locally cached static previews).

Since Meta processes the data obtained via the embed as an independent controller for its own purposes (in particular advertising and profile building for logged-in users), this subsequent processing is not legally attributable to the website operator, but it must be transparently mentioned in the privacy policy.

Note: The applicable legal basis depends on the specific case and must be assessed by the website operator on a case-by-case basis, in particular in conjunction with the consent management in place.

H. Particularities and notes on Instagram Embed

  • Third-party request on page load: Unlike locally hosted content, the classic embed already establishes a connection to Meta when the page is loaded. A delayed-loading approach (click-to-load, static preview) significantly reduces the risk.
  • Logged-in users: Where the visitor is simultaneously logged in to Instagram or Facebook, Meta can associate the data with the relevant account and use it for its own purposes (profile, advertising, cross-device tracking). The privacy policy should disclose this.
  • Joint-controller constellation: The CJEU established joint controllership under Art. 26 GDPR for Facebook Pages (judgment of 5 June 2018, C-210/16) and for Like buttons (Fashion ID, judgment of 29 July 2019, C-40/17). For pure content embeds (post, reel, profile) without active social-plugin character, the classification is less clear in practice. To the extent that the website operator materially co-determines Meta's data collection and receives parameters (e.g. reach data), joint controllership may be considered for the collection phase; the subsequent use by Meta is in any event carried out under Meta's own responsibility. There is no separate joint-controller addendum specifically for Instagram content embeds comparable to the Page Controller Addendum for Facebook Pages. The classification has to be assessed on a case-by-case basis.
  • Third-country transfer / DPF status: According to publicly available information on the DPF list, Meta Platforms, Inc. is DPF-certified. Transfers to the USA can rely on this; in addition, Meta uses SCCs. Critical supervisory authorities point out that the robustness of the DPF is the subject of ongoing proceedings – website operators should monitor developments.
  • DPA: For the provision of the embed, Meta does not act as a processor but as an independent controller (and possibly as a joint controller for the collection phase). A classical processor agreement under Art. 28 GDPR is therefore not the relevant instrument here; the relevant document is the Meta Data Processing Terms and, where applicable, the Page Controller Addendum mentioned above (for Pages, not for embeds).
  • Opt-out / settings for visitors: Logged-in users can adjust their activities and ad settings in the Instagram and Facebook account settings (Instagram activity, Meta ad settings). Effective control beyond that is provided by not loading the embed at all via the consent banner.
  • Settings for the website operator: use of a click-to-load / two-click solution; serving a static preview without the embed script; separation of embed and tracking pixel; loading the embed only after consent has been obtained via the consent management.
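As an added example (not code from this page, from matterius or from Meta), the following JavaScript implements the click-to-load gate recommended in section H for the snippet structure described in section A: the snippet (a blockquote carrying the post URL plus the script loaded from //www.instagram.com/embed.js) is held back, and a locally rendered placeholder that references no external resource is shown until the visitor grants the third-party content consent; only then are the snippet and the embed script inserted, which is the moment the first request to Meta occurs. The `instagram-media` class and the `data-instgrm-permalink` attribute follow Meta's public snippet format and should be checked against the snippet you actually receive; the `consent.thirdPartyContent` flag, the placeholder CSS classes and the sample post id are assumptions.

```javascript
// Click-to-load ("two-click") gate for an Instagram embed snippet.
// Added example, not code from the page, from matterius or from Meta.
// Assumed snippet shape (check against the snippet Instagram gives you):
//   <blockquote class="instagram-media" data-instgrm-permalink="..."> ... </blockquote>
//   <script async src="//www.instagram.com/embed.js"></script>

// Hosts the page lists as contacted when the embed renders.
const META_EMBED_HOSTS = ['www.instagram.com', 'cdninstagram.com', 'connect.facebook.net'];

// Constructed sample snippet; the post id is a placeholder, not a real post.
const SAMPLE_SNIPPET =
  '<blockquote class="instagram-media" data-instgrm-permalink="https://www.instagram.com/p/EXAMPLE123/"' +
  ' data-instgrm-version="14"><a href="https://www.instagram.com/p/EXAMPLE123/">View post</a></blockquote>' +
  '<script async src="//www.instagram.com/embed.js"></script>';

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Meta hosts the browser would contact on page load if the HTML were rendered as-is
// (src= attributes only: a plain href is not fetched until the visitor clicks it).
function thirdPartyHosts(html) {
  const hosts = new Set();
  const srcRe = /\ssrc=["'](?:https?:)?\/\/([^/"']+)/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const host = m[1].toLowerCase();
    if (META_EMBED_HOSTS.some((h) => host === h || host.endsWith('.' + h))) hosts.add(host);
  }
  return [...hosts].sort();
}

function permalinkOf(snippetHtml) {
  const m = /data-instgrm-permalink=["']([^"']+)["']/i.exec(snippetHtml);
  return m ? m[1] : null;
}

function embedScriptOf(snippetHtml) {
  const m = /<script[^>]*\ssrc=["']([^"']+)["']/i.exec(snippetHtml);
  if (!m) return null;
  return m[1].startsWith('//') ? 'https:' + m[1] : m[1]; // force https for the protocol-relative URL
}

// Decide what to render. Without the third-party content consent the visitor gets a
// placeholder that references no external resource, so no request to Meta is made.
function gateEmbed(snippetHtml, consent) {
  const permalink = permalinkOf(snippetHtml);
  if (consent && consent.thirdPartyContent === true) {
    return { action: 'load', scriptSrc: embedScriptOf(snippetHtml), permalink, html: snippetHtml };
  }
  const link = permalink
    ? ' <a href="' + escapeAttr(permalink) + '" rel="noopener noreferrer">Open on instagram.com</a>'
    : '';
  const html =
    '<div class="ig-placeholder">' +
    '<p>Loading this Instagram post connects your browser to Meta (IP address, browser data, ' +
    'any Instagram/Facebook cookies). See the privacy policy, section "third-party content".</p>' +
    '<button type="button" class="ig-load">Load post</button>' + link +
    '</div>';
  return { action: 'placeholder', scriptSrc: null, permalink, html };
}

// Browser wiring (no-op under Node). Renders the placeholder first; the click records the
// function consent and only then inserts the snippet and the embed script.
function mountClickToLoad(container, snippetHtml, consent) {
  if (typeof document === 'undefined') return;
  const render = () => {
    const decision = gateEmbed(snippetHtml, consent);
    container.innerHTML = decision.html;
    if (decision.action === 'placeholder') {
      container.querySelector('.ig-load').addEventListener('click', () => {
        consent.thirdPartyContent = true; // in practice: persist via your consent management
        render();
      });
      return;
    }
    // <script> tags set via innerHTML do not execute; add the embed script explicitly,
    // or re-run the already loaded library (instgrm.Embeds.process()) for further embeds.
    if (window.instgrm && window.instgrm.Embeds) {
      window.instgrm.Embeds.process();
    } else {
      const s = document.createElement('script');
      s.async = true;
      s.src = decision.scriptSrc;
      document.body.appendChild(s);
    }
  };
  render();
}
```

In the browser, `mountClickToLoad(document.getElementById('ig-post'), SAMPLE_SNIPPET, consentState)` renders the placeholder, and `thirdPartyHosts(gateEmbed(snippet, consent).html)` is a quick self-check that the placeholder state contains no Meta `src=` reference. The consent object is deliberately passed in rather than stored inside the loader so that the same flag can be fed from the site's consent banner, which keeps the embed aligned with the "load only after consent" setting listed above.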

This description is based on publicly available information from the provider Meta and on publicly accessible sources. It does not replace a case-by-case assessment of the actual embed configuration in use.

I. FAQ on Instagram Embed and data protection

J. Conclusion on Instagram Embed and call to action

Instagram Embed offers a lean way to integrate Instagram content into a website, but it already triggers a data transfer to Meta in the USA and in further third countries when the page is loaded. The key mandatory information in the privacy policy concerns in particular the provider (Meta Platforms Ireland Limited), the data categories collected, the purposes, the legal basis (regularly consent), the third-country transfer (DPF / SCC) and the notes on linkage with Meta accounts for logged-in users.

For the website operator, it is usually of little use to include a separate, lengthy boilerplate text for every single tool – including Instagram Embed – in the privacy policy. Such collections of boilerplates inflate the text, repeat themselves and miss the transparency principle of Art. 12(1) GDPR, which requires precise, easily accessible and intelligible information.

A structured, topic-oriented approach is recommended instead: it describes processing across topic blocks (server operation, newsletter, tracking, sales, third-party content, …) and refers to the actual service providers used – such as Meta Platforms Ireland Limited – only in the Annex of Recipients. This is precisely the methodology of the matterius generator.


This article provides general information on Instagram Embed and does not replace legal advice in individual cases. As of: 2026-05-07.

K. Curator of this page on Instagram Embed

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
