This is Iframely’s guide to the EU General Data Protection Regulation (GDPR). Information contained within this guide in no way constitutes legal advice. Please obtain independent expert advice if required.
Third-party rich media embeds and GDPR
Iframely’s understanding of GDPR legislation is that no technical action, such as user consents, is required. Here’s why.
GDPR regulates Data Controllers and Data Processors. Simply embedding third-party rich media does not, by itself, make your site either a controller or a processor, as you don’t have any control over, give any guidance with regard to, or have access to any data that might or might not be collected by a third-party provider.
Moreover, since GDPR is “opt-in” for data collection, and its jurisdiction de facto extends worldwide (to any EU citizen regardless of their geographic location or technical features), one should assume and expect that all services, including any such embedded third-party media providers, comply with the legislation too.
Therefore, the onus is on the publisher to provide tools and controls that guarantee end-users’ rights under GDPR. Consumer websites of the embedded content, while not a Data Controller or Data Processor, cannot clearly and responsibly communicate to users the scope of any potential data collection. Moreover, it isn’t technically feasible for consumer websites to ensure the required “opt-in” while not making it a prerequisite for accessing the content.
If need be, Iframely gives you an option to ignore any inappropriate rich media from an individual publisher via an ignore-list. See your API settings.
Our QA and support teams work together to make sure that non-compliant providers, if any become known, are promptly removed from our network when they cannot be made compliant in a timely fashion.
We realize that you still might want or need user consents to be on the safe side, or simply for their own privacy value. Please see our User consents.
Embedding your own content
Things might get a bit different when you embed your own content such as, say, your own social media posts, videos or any hosted surveys that you created under your account on a third-party publisher’s website.
In that case, you might in fact have access to private data being collected. Perhaps such data can even be collected upon your request and under your guidance. GDPR regulates this, and an end-user may need to give consent and opt in.
Special case: PDF, Office files and links to your own site
Iframely takes any public URL as an input and will remove the data when the URL becomes unavailable at the host (by the way, besides HTTP responses from the origin, we also respect their robots directives).
We don’t share those URLs outside of your account, with one possible exception: when those are links to raw PDF files or Office documents. In those cases, by default, we link to Google Viewer for PDFs and Microsoft Office Live viewer for other files. Those providers will fetch the content of the files and will render it to the end-user.
If you let your users upload document files to your servers, and then send such URLs to Iframely, we may potentially expose the content to Google and Microsoft.
To avoid that, you have two options: either 1) disable PDF and Office files in the media types that you accept, or 2) use the “blocklist” to ignore links to your own site’s storage only, and we won’t attempt to parse those.
See your API settings to configure a bypass if you need one. Contact support if you need help or have a question. If you do need to process images through Iframely, contact us for a Data Processing Agreement (DPA).