Social Embed · Medium complexity

Twitter/X Embed

by X (Twitter)

All product names, logos, and trademarks are the property of their respective owners. Their inclusion here is for identification purposes only and does not imply endorsement by Obscurity Ltd.

Sets cookies: No
Sends PII: No
Cross-site tracking: Yes
Consent required: Functional
Transfer mechanism: Standard Contractual Clauses

Overview

Twitter/X embed widgets are loaded via JavaScript on third-party websites. The widgets.js script from platform.twitter.com (or platform.x.com) loads embedded tweets, timelines, and share buttons. On load, the embed transmits visitor data to X Corp's infrastructure, including IP address, browser fingerprint, and referrer information.

Detection capabilities

Signature count: 3
Detection methods: network
Property types: hostname, pathname

Performance impact

Requests per page: 2

Common mistakes

  1. Treating embedded tweets as editorial content that does not require consent, when the embed loads JavaScript and transmits user data to X on page load
  2. Not using a facade pattern (static screenshot of the tweet) to defer loading the embed until the user actively chooses to interact
  3. Confusing Twitter/X embed tracking with the Twitter/X advertising pixel - they are separate data flows with different purposes
  4. Failing to include Twitter/X embed in the cookie declaration because the embed is loaded via iframe

Compliance considerations

Twitter/X embeds load JavaScript from platform.twitter.com or platform.x.com that renders tweets, timelines, and social buttons in iframes.

Data transmission: On page load, the embed transmits visitor data to X Corp's servers. Even without interaction, the embed script can fingerprint visitors and link browsing behaviour to X accounts for logged-in users.

Consent: Consent is required under ePrivacy Art 5(3) where the embed sets cookies or accesses device storage. Even without cookies, the IP transmission to a US platform may require consent under GDPR Art 6.

Facade pattern: Best practice is to display a static screenshot of the tweet that only loads the live embed after the user explicitly clicks and has granted consent.

International transfers: X Corp's EU-US Data Privacy Framework self-certification status is disputed. Rely on Standard Contractual Clauses as the transfer mechanism. Verify current DPF listing status.

CMP configuration: Categorise under functional or social media consent. Block platform.twitter.com and platform.x.com scripts until consent is granted, using a facade placeholder.
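The facade pattern and CMP blocking described above, as an added example that is not code from this page, Consentmark or X. It assumes a placeholder element carrying a hypothetical data-tweet-url attribute and a hypothetical window.cmpConsent.social flag set by the CMP; no request reaches platform.twitter.com or platform.x.com until the visitor clicks and consent is present.

```javascript
// Added example. hasConsent() and data-tweet-url are hypothetical names.
const X_EMBED_HOSTS = ["platform.twitter.com", "platform.x.com"]; // hosts named on this page
const WIDGETS_SRC = "https://platform.twitter.com/widgets.js";

// True when a URL is served from one of the X embed hosts.
function isXEmbedUrl(url) {
  try {
    return X_EMBED_HOSTS.includes(new URL(url).hostname);
  } catch {
    return false; // relative or malformed URL
  }
}

// Swap the static placeholder for the live embed. Returns false, and makes no
// request to X, unless consent has been granted.
function activateFacade(doc, facade, hasConsent) {
  if (!hasConsent()) return false;

  // Standard embed markup that widgets.js upgrades into an iframe.
  const quote = doc.createElement("blockquote");
  quote.className = "twitter-tweet";
  const link = doc.createElement("a");
  link.href = facade.dataset.tweetUrl;
  quote.appendChild(link);
  facade.replaceChildren(quote);

  const loaded = Array.from(doc.querySelectorAll("script[src]"))
    .some((s) => isXEmbedUrl(s.src));
  if (!loaded) {
    const script = doc.createElement("script");
    script.src = WIDGETS_SRC;
    script.async = true;
    doc.head.appendChild(script);
  } else if (doc.defaultView && doc.defaultView.twttr) {
    doc.defaultView.twttr.widgets.load(facade); // script present: render the new node
  }
  return true;
}

// Browser wiring: the embed loads only on an explicit click.
if (typeof document !== "undefined") {
  const hasConsent = () => window.cmpConsent?.social === true; // hypothetical CMP flag
  document.querySelectorAll("[data-tweet-url]").forEach((facade) => {
    facade.addEventListener("click", () => activateFacade(document, facade, hasConsent));
  });
}
```

isXEmbedUrl can also be run over a page's script sources during an audit to confirm that nothing from either host is present before consent.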
