Link Shorteners: Yet Another White Spot in Data Collectionby@rafaelshmaryahu

Link Shorteners: Yet Another White Spot in Data Collection

by Rafael ShmaryahuApril 17th, 2024
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Link shorteners collect and process personal data without explicit user consent, raising compliance challenges under GDPR and similar laws. Users often remain unaware of data processing practices, highlighting the need for transparent solutions and ethical data handling in digital platforms.
featured image - Link Shorteners: Yet Another White Spot in Data Collection
Rafael Shmaryahu HackerNoon profile picture

In the context of global digitalization, governments have implemented various legislations on data privacy. However, some companies make minimal changes to their operations to formally comply with requirements or even ignore them if there are no precedents of sanctions. Moreover, violations can happen involuntarily.

Using link shorteners is a common practice. You can create whatever link you want using services like Bitly, Rebrand, TinyURL, IPLogger, Cuttly, or many others, and instead of showing a user a long, clumsy link, give them one that looks good.

Privacy policies of link shorteners state compliance with all legislative requirements concerning the processing and storage of personal data. If you are the one creating a link on the website, you will be asked to express consent to your data being collected. But what happens if you just click a link created by someone else? Your data is gathered and processed, and in most cases, without your consent, as you do not have the opportunity to give it; you just follow a link.

While in some instances, the processing of personal data can be justified, for example, for purposes connected with the functioning of the service, sometimes such collection goes above and beyond the norm. One way link-shortening services monetize is by selling analytical data about clicks to different companies. The data may include details about the geography of clicks, sources of traffic, types of devices and browsers used, as well as language preferences - all of which are of significant interest for optimizing marketing campaigns, analyzing sales effectiveness, and so on.

  1. To provide such analytics, link-shortening services may need to collect, process, and store personal data on their servers. Some of this information, for example, the country and city, is usually based on the user's IP address. This pertains to the processing of personal information according to data privacy regulations such as GDPR classification. Often, users are not aware of such processing - even if mentioned somewhere, it may be buried in tons of legal documents located on an external website, which is rarely, if at all, being visited.

  2. Many link-shortening services use cookies, recording them in the browser of the user who clicked on the link. In the EU and many other countries, placing non-functional cookies in users' browsers requires active opt-in.

  3. Some of the services offer integration into the short links tracking pixels from third-party services, such as Facebook, which also uses cookie technology. Scripts executed to make it work collect data and send it back to the platform. Data policies of these platforms usually require explicit consent from end-users before loading such pixels into their browsers, but if a tracking pixel is activated during a click-through on a short link, there’s an issue with obtaining it.

  4. And the last one - this user data can be transferred beyond the territories of the EU or the US unless there are adequate safeguards in place. Thus, if the creators of a short link are located in one country, they automatically gain access to information about all the users who click it, regardless of their geographic location. While some platforms provide such adequate safeguards, some of them do not. For example, GA4 is valid for transfers from the EU to the US, while TikTok pixels do not have adequate certification under the Data Privacy Framework. Therefore, user consent for transfers might be required.

According to European legislation, the user's consent to the processing, and transferring, of personal data must be explicit, informed, and given freely. In the US context, similar initiatives for the protection of personal data also exist (the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the Children’s Online Privacy Protection Act (COPPA)). These laws, although not as unified as the GDPR in Europe, reflect a growing trend in the United States toward more stringent data protection.

Still, there are hundreds of millions of users, who use short links and leave their data without realizing that it can be used for commercial purposes. According to, it processes 10 billion redirects through its short links per month. reports that their links are clicked 2 billion times a month.

It's crucial to note that some services may not fully grasp the extent to which they violate legislative requirements, so the initial step is to fully acknowledge the problem. Once done, efforts can be directed towards solutions, such as creating intermediary pages akin to those utilized by websites to obtain user consent. While this may lengthen the user's journey, it presents a method to adhere to regulations for both link-shortening services and the companies utilizing them. There could also be additional strategies to explore. Upon recognizing the issue, optimism can be fostered for the development of technologies that contribute to creating a safer and more ethical digital space.