ShareThis and Data Protection – What Belongs in the Privacy Policy
Concise guide to ShareThis: processed data, purposes, legal bases (GDPR) and what website operators need to include in their privacy policy.
When a website operator uses ShareThis, the loading of the embedded sharing buttons leads to the processing of web server log data, device data, coarse location data and click paths for the purpose of providing social sharing functions and – according to the provider's own statements – also for the creation of user profiles for advertising purposes (the so-called "Sharing Intelligence Network"). Because of this tracking and profiling component, the legal basis is regularly consent within the meaning of Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. This page summarises what website operators should know about the use of ShareThis and what information has to be included in their privacy policy.
A. Purpose and How ShareThis Works
ShareThis is a social sharing platform offered by US provider ShareThis, Inc. that supplies website operators with ready-made widgets allowing visitors to share content via social networks, messengers or e-mail. Typical integration functions include inline sharing buttons (next to or below an article), a sticky/floating bar at the side or bottom of the page, reaction buttons (emoji reactions to content) and follow buttons for the website operator's own social media profiles.
This tool overview focuses on the ShareThis integration function typically used by website operators, namely the embedding of sharing widgets via a JavaScript snippet served by the provider (typically from platform.sharethis.com). It does not cover deviating business models such as the data and audience business that ShareThis, according to its own statements, runs vis-à-vis advertisers, agencies and data resellers; this data and audience monetisation is, however, an essential background business of ShareThis and shapes the data protection assessment.
According to publicly available statements by the provider, ShareThis is described as part of an overarching "Sharing Intelligence Network" that aggregates data from sharing activities and website usage on a pseudonymous basis and uses it for advertising, targeting and analytics purposes.
B. Mandatory Information in the Privacy Policy When Using ShareThis
Beyond general information about the website operator, the rights of data subjects and the supervisory authority, the GDPR requires – in relation to the use of tools such as ShareThis – the following specific mandatory information in the privacy policy:
- the purposes of processing (Art. 13(1)(c) GDPR),
- the legal bases of processing (Art. 13(1)(c) GDPR),
- where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
- the recipients or categories of recipients (Art. 13(1)(e) GDPR),
- whether data are transferred to an insecure third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
- the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR),
- and – where data are not collected directly from the data subject – the categories of personal data processed (Art. 14(1)(d) GDPR).
These mandatory items are broken down for ShareThis below.
It is not legally required to list ShareThis in the privacy policy with its own, named text block – even though this practice has become widespread. This "text block per tool" approach has established itself as bad practice: it produces long, hard-to-maintain privacy policies with constantly recurring boilerplate passages and thus runs counter to the transparency requirement of Art. 12(1) GDPR. A more appropriate approach is a topic-oriented one that describes processing operations across the board (server operation, tracking, third-party content, social plugins) and only lists the specific service providers actually used – including ShareThis – in an annex of recipients.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of ShareThis
According to the provider's own statements, the contracting party for German website operators is
ShareThis, Inc., 3000 El Camino Real, Building 4, Suite 200, Palo Alto, CA 94306, USA
ShareThis, Inc. describes itself as a division of Predactiv, Inc. ShareThis also names a UK entity (ShareThis UK Limited, 10 John Street, London WC1N 2EB) and an EU representative (VeraSafe). The final identification of the contracting party in a specific case follows from the relevant contractual documents and is to be verified by the website operator.
Since the company is based in the USA, a transfer to a third country within the meaning of the GDPR regularly takes place. ShareThis states that, as part of Predactiv, it is certified under the EU-US Data Privacy Framework (DPF) and additionally relies on EU Standard Contractual Clauses (SCC) for third-country transfers. Website operators should verify the DPF status at the time of integration via https://www.dataprivacyframework.gov/s/participant-search.
The provider's privacy notice for this service is available at https://sharethis.com/privacy/.
D. Data Processing with ShareThis – Step by Step
platform.sharethis.com and related sub-domains). In doing so, web server log data (in particular IP address, user agent, referrer, timestamp), device data, browser information, coarse location data and the URL of the requested content are collected. When a sharing, reaction or follow button is clicked, click paths and conversion events (e.g. "share via platform X") are also transmitted to ShareThis.
_stid with a duration of up to one year; _stidv with a longer duration) and other identifiers (pixel tags, HTTP headers, hashed e-mail addresses, probabilistic IDs). The data are stored in the provider's data centres and those of its sub-processors (including Amazon Web Services); storage in the USA is not excluded.
E. Data Collected by ShareThis
When ShareThis is used, according to the provider's own statements the following data in particular are processed: IP address, user agent string, device IDs, URLs viewed, content shared (shares), click and reaction events, geographic information at country, city, region or postal code level, browser and device information, cookie identifiers (e.g. _stid, _stidv) and, where applicable, hashed e-mail addresses.
These data points can be classified into the following standardised data categories:
- Web server log data: data that the provider's web server receives with each request from the end device, in particular IP address, date and time, URL of the requested content, referrer and technical metadata.
- Click paths: information about which pages of the website were viewed and which sharing, reaction or follow buttons were clicked, each with date and time.
- Device data: information about the end device, such as device type, operating system, screen resolution, touch support.
- Browser information: browser name, browser version, where applicable installed extensions.
- Coarse location data: coarse location of the user determined from the IP address at country, city, postal code or region level.
- User profiles: interests, segment assignments, sharing and usage histories and derived metrics determined by the provider for a (pseudonymous) user.
- Conversion events: interactions defined as relevant by the website operator, e.g. clicks on a share button, reactions, follows or visits to specific content.
- Interaction data: information on how the user behaves on a single page, e.g. clicks on buttons and reaction behaviour with regard to individual posts.
In addition, according to the provider, cookies and similar identifiers (pixel tags, hash IDs, probabilistic IDs) are used.
F. Purposes of Use When Using ShareThis
The website operator typically uses ShareThis to give website visitors a convenient way to spread content across social networks, to increase the reach of its own posts and to make sharing activities measurable. According to its own statements, ShareThis additionally uses the data collected for its own purposes of profile creation and the marketing of audience segments to third parties.
The purposes that the website operator typically pursues when using ShareThis can be classified into the following standardised categories of purposes:
- Service provision: provision of the sharing, reaction and follow functions, display of the buttons and handover of content to the relevant target platform.
- General product improvement: analysis of sharing activities and especially shared content to design the online services in line with demand.
- General marketing: reach analysis, evaluation of communication channels (e.g. individual social networks) and general performance measurement of content.
- User profiling: creation of pseudonymous user profiles based on sharing and click data by ShareThis and its partners.
- User-individual marketing: delivery of interest-based advertising in advertising networks based on data collected via ShareThis (audience/remarketing component).
G. Legal Bases for ShareThis
Based on its functionality described above and in particular due to its data and audience monetisation, ShareThis primarily falls into the tool category third-party content / social plugins / tracking (marketing).
Because the loading of the sharing widgets entails active content being fetched from provider servers, cookies and similar identifiers being stored on the device and pseudonymous, advertising-related user profiles being created, the legal basis is regularly consent – specifically a marketing consent by the website visitor under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. In the absence of such consent, the widget should regularly not be served.
Reliance on legitimate interests under Art. 6(1)(f) GDPR alone – e.g. on efficiency, advertising or business management – is controversial in view of the tracking and profiling component and is generally not accepted by supervisory authorities for social sharing widgets with an advertising element.
The applicable legal basis is to be assessed by the website operator on a case-by-case basis and depends, among other things, on the specific configuration of the widget, any waiver of tracking components and whether ShareThis acts as a sole or joint controller.
This presentation is based on publicly available statements by the provider and on generally available sources. It does not replace a case-by-case review of the actual ShareThis configuration by the website operator.
H. Particularities and Notes on ShareThis
- Opt-out options: According to its own statements, ShareThis offers a direct opt-out on its privacy page (https://sharethis.com/privacy/). The provider also refers to the industry platforms Digital Advertising Alliance (DAA, https://optout.aboutads.info/) and European Interactive Digital Advertising Alliance (EDAA, https://www.youronlinechoices.eu/).
- Third-country transfers / DPF: ShareThis states that, as part of Predactiv, it is certified under the EU-US Data Privacy Framework and supplements transfers with EU Standard Contractual Clauses. The DPF status should be verified via https://www.dataprivacyframework.gov/.
- Sub-processors: ShareThis names, among others, Amazon Web Services (cloud hosting), Google Analytics (web analytics), e-mail service providers, CRM and security service providers as engaged service providers.
- Role of the provider: The statements made by ShareThis indicate that the provider also processes data for its own purposes (audience/profile creation, monetisation). A blanket classification as a processor is therefore generally not appropriate; depending on the constellation, an independent or joint controllership under Art. 26 GDPR may come into consideration. The role is to be assessed on a case-by-case basis.
- DPA: According to provider statements, ShareThis offers a Data Processing Addendum or a corresponding agreement. Where independent or joint controllership applies, an additional agreement under Art. 26 GDPR may be required.
- Settings for the website operator: Via the ShareThis dashboard, the selection of networks displayed, trigger events and – where available – tracking components can be configured. Website operators should couple the embedding and delivery of the widget to the consent management of their consent banner.
- Provider's privacy notice: https://sharethis.com/privacy/.
I. ShareThis – Frequently Asked Questions
J. Conclusion on ShareThis and Recommendation
ShareThis is a social sharing widget with a data and advertising component: while it does provide sharing, reaction and follow functions for the website, in the background – according to the provider's own statements – it creates pseudonymous user profiles that are used in a "Sharing Intelligence Network" for targeting and monetisation purposes. Against this background, an upstream consent mechanism, a marketing consent of visitors and transparent statements in the privacy policy on data categories, purposes, recipients and third-country transfers are regularly indispensable.
For website operators it is generally of little value to include a separate, named text block specifically for ShareThis – just as for any other individual tool – in the privacy policy. Doing so makes the privacy policy long, unwieldy and hard to maintain and runs counter to the transparency requirement of Art. 12(1) GDPR. A more appropriate approach is a structured, topic-oriented description that explains processing operations by topic (server operation, third-party content, tracking, sales, etc.) and only refers to specific tools such as ShareThis in the "recipients" annex. This is precisely the methodology of the matterius generator.
This article serves as general information on ShareThis and does not replace legal advice in an individual case. Status: 2026-05-07.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com