Mastodon – And How to Use it in Compliance with Data Protection Laws

Microblogging is more than just a popular marketing tool. It has also become a modern arena for election campaigns. And nowadays, finding the right service is more complicated than ever. For a long time, Twitter was considered the surest way to guarantee reach, success, and controversy. But the platform’s image has changed since its takeover by Elon Musk. For better or for worse? That is something people will need to decide for themselves. As a result, attention is shifting to competitors such as Mastodon, a decentralized microblogging service. Companies, politicians, and public agencies that switch to this platform will need to adapt their privacy policies. Many people ask, “Can’t we just take the Twitter building block from our existing privacy policy and replace Twitter with Mastodon?” That is never a good idea, and especially not in this case. Let me briefly explain what you need to watch out for.

Social media in general, and microblogging in particular

Companies that are active on social media need to pay particular attention to a few data protection issues.

There are two processing contexts to consider:

Processing on your own website:

Here you can link to your accounts (such as a Facebook fan page) or embed them through a plugin. You can also use cookies to tag visitors to the website so that they can be recognized within your social media channels and targeted with your marketing. What all of these processing steps have in common is that the data is processed not just by the company, but also by the operator of the respective social medium.

Companies must first ensure that this data processing is lawful. Since most of it is cookie-based, as a rule it will only be lawful if the data subjects have given their consent. This is usually obtained through a cookie consent banner.

In addition, as mentioned above, data is frequently also transmitted to the operator of the respective social medium. That often leads to a long chain of transfers that ends with the relevant parent company in the United States. Since the USA (at the time of this writing :-)) is not a member of the EU, such transfers are transfers to a third country, and the companies have to ensure appropriate safeguards for the data and the data subjects within the meaning of Article 46 GDPR (e.g. standard contractual clauses). Depending on the circumstances, that can be a complex undertaking.

On top of that, the processes also need to be sufficiently transparent and secure. Well, if that’s all there is to it…

Processing within the account in social media:

When data subjects access a social medium directly, additional processing steps may take place. For instance, visitor statistics may be analyzed, or targeted marketing may continue (for example through ads).

For the most part, this raises the same questions of lawfulness, transparency, and security. But there is one more fact to consider: companies that maintain a presence on social media and process data there usually have very little influence on the actual data processing. Among other things, that means the companies are joint controllers with the social media operators within the meaning of Article 26 GDPR and share responsibility for the processing.

Interim conclusion:

As a rule, using a social medium, including a microblogging service, requires:

  • consent from the data subjects.
  • appropriate safeguards for data transferred outside the EU.
  • transparency regarding the processing steps.
  • a customized security concept.

How does that work with Mastodon?

With Mastodon, the situation is different. Mastodon and Twitter diverge in many ways. Unlike Twitter, Mastodon is a decentralized microblogging service. In other words, instead of a single central provider, it consists of private individuals, associations, and other organizations that operate interlinked servers (known as instances), and the data is processed “only” by the instance you access. The quotation marks are deliberate: because the instances federate with one another via the ActivityPub protocol, public posts and interactions are also delivered to the instances of your followers and of anyone you interact with, and those instances may be operated anywhere in the world.

That means the core data processing (publishing posts, retrieving posts, interacting with posts) is the responsibility of the instance operator. Companies with a Mastodon account themselves process personal data only insofar as they handle the responses to their posts (replies, mentions, follows) within their account.

However, this processing does not generally require consent. According to Article 6 (1) Sentence 1 lit. f GDPR, such processing steps may be permissible even without consent. The legitimate interest follows from the fundamental rights to freedom of expression and freedom of communication.

So how can Mastodon be used in compliance with data protection laws?

To use Mastodon in compliance with data protection laws, the following points must be observed:

  1. Choose an instance with a trustworthy operator. The operator should be located within the EU and should publish its own informative privacy policy on the instance. Check this before registering, not afterwards.
  2. Your own record of processing activities (Article 30 GDPR) should include the use of Mastodon.
  3. Your own privacy policy should include the use of Mastodon, including the fact that public posts are federated to other instances.
  4. The Mastodon profile should link to your privacy policy and legal notice (Impressum), for example in the profile’s metadata fields.

As a rule, it will not be necessary to obtain consent.

Incidentally, Stanhope is also active on Mastodon, under @stanhope@social.anoxinon.de.

Stephan Gärtner