GDPR considerations
This is Iframely’s guide to the EU General Data Protection Regulation (GDPR). The information in this guide in no way constitutes legal advice. Please obtain independent expert advice if required.
Third-party rich media embeds and GDPR
Iframely’s understanding of GDPR legislation is that no technical action, such as user consents, is required. Here’s why.
GDPR regulates Data Controllers and Data Processors. Simply embedding third-party rich media does not, on its own, make your site either a controller or a processor, as you don’t have any control over, give any guidance with regard to, or have access to any data that might or might not be collected by a third-party provider.
Moreover, since GDPR is “opt-in” for data collection, and its jurisdiction de facto extends worldwide (to any EU citizen regardless of their geographic location or technical features), one should assume and expect that all services, including any such embedded third-party media providers, comply with the legislation too.
Therefore, the onus is on the publisher to provide tools and controls that guarantee end-users’ rights under GDPR. Consumer websites of the embedded content, being neither Data Controller nor Data Processor, cannot clearly and responsibly communicate to users the scope of any potential data collection. Moreover, it isn’t technically feasible for consumer websites to ensure the required “opt-in” without at the same time making it a prerequisite for accessing the content.
That said, we simply suggest that you mention the use of third-party media embeds in your privacy policy, noting that each one of them falls under the same GDPR jurisdiction and that embedding doesn’t give you access to or control of any data that might be collected.
If need be, Iframely gives you an option to ignore any inappropriate rich media from an individual publisher via an ignore-list. See your API settings.
Our QA and support teams work together to make sure that non-compliant providers, if any become known, are promptly removed from our network when they cannot be made compliant in a timely fashion.
We realize that you still might want or need user consents to be on the safe side, or simply for their own privacy value. Please see our User consents.
Embedding your own content
Things might get a bit different when you embed your own content such as, say, your own social media posts, videos or any hosted surveys that you created under your account on a third-party publisher’s website.
In that case, you might in fact have access to private data being collected. Perhaps such data can even be collected upon your request and under your guidance. GDPR regulates this, and an end-user may need to give consent and opt in.
Because, per Iframely’s terms of use, we only act as a technical intermediary (and don’t collect private end-user data on our own), the use of your own content hosted by a third party needs to be addressed between you and that provider. We assume that the provider falls under GDPR jurisdiction, is a Data Processor and follows the legislation, and as such will give you the required controls.
Special case: PDF, Office files and links to your own site
Iframely takes any public URL as an input and will remove the data when the URL becomes unavailable at the host (by the way, besides HTTP responses from the origin, we also respect its robots directives).
We don’t share those URLs outside of your account, with one possible exception: when they are links to raw PDF files or Office documents. In those cases, by default, we link to Google Viewer for PDFs and Microsoft Office Live viewer for other files. Those providers will fetch the content of the files and will render it to the end-user.
If you let your users upload document files to your servers, and then send such URLs to Iframely, we may potentially expose the content to Google and Microsoft.
To avoid that, you have two options: either 1) disable PDF and Office files in the media types that you accept, or 2) use “blocklist” to ignore links to your own site’s storage only — and we won’t attempt to parse those.
See your API settings to configure a bypass if you need one. Contact support if you need help or have a question. If you do need to process images through Iframely, contact us for a Data Processing Agreement (DPA).