TL;DR — The Meta Pixel (formerly Facebook Pixel) is an advertising tracking script that places cookies (_fbp, _fbc) on visitor devices. Its use requires prior consent under GDPR. The ICO and several EU data protection authorities have issued warnings for non-compliance. To use it lawfully, you need a compliant CMP that blocks the Pixel before consent, and ideally the Conversions API for server-side conversion tracking.
The Meta Pixel is one of the most widely deployed marketing tools on the web, and one of the most scrutinised by European data protection authorities. Its cross-site tracking mechanism, data transfers to US servers and the advertising nature of its purposes make it a high-risk case. This guide explains how to use it in compliance with GDPR.
What is the Meta Pixel and what cookies does it place?
The Meta Pixel is a JavaScript code snippet that advertisers place on their site to measure advertising conversions and build Meta (Facebook, Instagram) audiences. When it loads, it places several cookies on the visitor's device.
Meta Pixel cookies
- _fbp: first-party cookie placed by Meta, 90-day duration, used to identify the user's browser for advertising targeting. This is the Pixel's primary identifier.
- _fbc: first-party cookie created when a user arrives from a Facebook ad (fbclid parameter in the URL), duration up to 2 years. Used to link a visit to a specific advertising campaign.
Both cookies are advertising cookies. They are not functional and benefit from no exemption: placing them requires prior, free, informed and specific consent from the user.
Why does the Meta Pixel create GDPR problems?
The Meta Pixel creates several distinct compliance risks that must be addressed independently.
Data transfers to the United States
Meta Platforms Ireland Ltd. transfers data collected by the Pixel to US servers, notably to Meta Platforms Inc. in the United States. Since the invalidation of the Privacy Shield (Schrems II ruling, July 2020), such transfers must rest on appropriate safeguards (standard contractual clauses plus supplementary measures). Several EU authorities (CNIL, Austrian DSB) found these transfers non-compliant in certain configurations. The adoption of the Data Privacy Framework in 2023 partially resolved this for certified companies, but the situation continues to evolve.
Advertising purpose and cross-site targeting
Data collected by the Pixel feeds Meta's targeting algorithms, which are also used to target users on other sites and platforms. This cross-site targeting purpose requires explicit consent. Legitimate interest is insufficient.
Risk of loading before consent
The Pixel is often embedded directly in HTML or via Google Tag Manager without conditional blocking. In this case it loads as the page loads, before the user has even seen the cookie banner. This is the most frequent violation and the one most sanctioned by data protection authorities.
How to use the Meta Pixel lawfully
Four measures are required for compliant use.
1. Block the Pixel before consent
The Meta Pixel script must only load after the user has explicitly accepted advertising cookies. If loaded via Google Tag Manager, configure a conditional trigger based on consent state (advertising consent = true). If the Pixel is hard-coded in HTML, change the script type to text/plain until consent, or use a CMP that handles this blocking automatically. FlowConsent blocks third-party scripts by default and activates them automatically after consent.
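A minimal sketch of the text/plain technique described above, as an added example (not FlowConsent's or Meta's code). The data-consent attribute and the cmp:consent event name are assumptions; substitute whatever your CMP exposes.

```javascript
// Assumed markup (the data-consent attribute is hypothetical):
//   <script type="text/plain" data-consent="advertising">/* Pixel base code */</script>
// A browser never executes a text/plain script, so nothing loads or sets
// cookies until activateBlockedScripts() swaps it for an executable copy.

function activateBlockedScripts(doc, grantedPurposes) {
  const activated = [];
  const blocked = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const placeholder of Array.from(blocked)) {
    const purpose = placeholder.getAttribute('data-consent');
    if (!grantedPurposes.has(purpose)) continue; // no consent: stays inert
    // Editing the type of an existing node is not a reliable way to run it;
    // build a fresh <script> element and swap it in.
    const live = doc.createElement('script');
    const src = placeholder.getAttribute('src');
    if (src) live.setAttribute('src', src);
    else live.textContent = placeholder.textContent;
    live.setAttribute('data-consent', purpose);
    placeholder.parentNode.replaceChild(live, placeholder);
    activated.push(purpose);
  }
  return activated; // purposes whose scripts were just switched on
}

// Browser wiring. "cmp:consent" is a hypothetical event: use the callback
// your CMP fires with the list of purposes the visitor accepted.
if (typeof document !== 'undefined') {
  document.addEventListener('cmp:consent', (e) => {
    activateBlockedScripts(document, new Set(e.detail.purposes));
  });
}
```

Scripts for purposes the visitor did not accept remain text/plain, so a partial acceptance (analytics only, for instance) never starts the Pixel.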
2. Clearly disclose in the banner
The cookie banner must explicitly mention the Meta Pixel (or 'advertising and targeting') in the list of purposes requiring consent. The user must understand what they are consenting to.
3. Activate the Conversions API (CAPI) server-side
Meta's Conversions API is an alternative or complement to the client-side Pixel. It sends conversion events directly from your server to the Meta API, bypassing the user's browser. Advantage: it is not blocked by ad blockers or cookie refusals. However, data sent must come from users who have consented, or be anonymised. Never use CAPI to circumvent consent requirements.
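One way to enforce the consent condition on the server before anything is sent to the Conversions API, as an added example (not Meta's or FlowConsent's code). The consent record and order shapes are hypothetical, and the example goes slightly beyond the text by also re-checking consent at send time, since queued events can outlive a withdrawal.

```javascript
// consent: { purposes: [...], grantedAt, withdrawnAt } in unix seconds
// (hypothetical shape: the stored proof of consent with its date and scope).
function consentCovers(consent, atTime) {
  if (!consent || !consent.purposes.includes('advertising')) return false;
  if (atTime < consent.grantedAt) return false;
  return consent.withdrawnAt == null || atTime < consent.withdrawnAt;
}

// Returns the event to send to the Conversions API, or null when nothing
// may leave the server for this visitor.
function buildCapiEvent(order, consent, now) {
  // Consent must cover the moment of the event AND the moment of sending:
  // a batched or retried event must not go out after a withdrawal.
  if (!consentCovers(consent, order.createdAt)) return null;
  if (!consentCovers(consent, now)) return null;
  const userData = {};
  if (order.fbp) userData.fbp = order.fbp; // _fbp cookie value, if present
  if (order.fbc) userData.fbc = order.fbc; // _fbc cookie value, if present
  return {
    event_name: 'Purchase',
    event_time: order.createdAt,
    event_id: order.id, // same id as the browser Pixel event, for deduplication
    action_source: 'website',
    user_data: userData,
    custom_data: { currency: order.currency, value: order.total },
  };
}

// Constructed sample data.
const sampleOrder = { id: 'ord-1', createdAt: 1000, total: 49.9, currency: 'EUR',
                      fbp: 'fb.1.1700000000000.1234567890' };
const accepted = { purposes: ['advertising'], grantedAt: 900, withdrawnAt: null };
const withdrawn = { purposes: ['advertising'], grantedAt: 900, withdrawnAt: 1500 };

console.log(buildCapiEvent(sampleOrder, accepted, 2000));  // event object
console.log(buildCapiEvent(sampleOrder, withdrawn, 2000)); // null
```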
4. Enable Consent Mode signals for Meta
Meta has its own advanced consent mechanism (Advanced Matching with consent signals). By signalling user consent status to Meta, you allow the algorithm to model missing conversions for refusing users, similar to Google Consent Mode v2. Refer to the Meta Business documentation for configuration.
Common mistakes
- Loading the Pixel in the <head> without blocking. This is the highest-risk configuration. Every page visitor is tracked before they have had the opportunity to refuse.
- Using CAPI to circumvent consent. Server-side CAPI does not remove the consent requirement if data allows individual identification. It must only be used for consenting users or with anonymised data.
- Missing _fbc in the cookie audit. The _fbc cookie may be absent from a scan (it is only created when the URL contains fbclid). Audits must cover landing pages from Meta campaigns.
- Not mentioning Meta in the cookie policy. The cookie policy must mention the Pixel, cookies placed, their duration and the cross-site advertising targeting purpose.
- Treating Meta as sole data controller. The site publisher is joint controller with Meta for data collected by the Pixel on their site. This joint controllership implies specific obligations.
Meta Pixel GDPR checklist
- Verify the Pixel does not load in private browsing before any click on the banner.
- Configure the GTM trigger or CMP blocking to condition loading on advertising consent.
- List Meta Pixel and _fbp/_fbc cookies in the cookie policy with durations and purposes.
- Activate the Conversions API server-side to secure conversions for consenting users.
- Never use CAPI for non-consenting users with identifying data.
- Configure advanced consent signals in the Meta Business Manager.
- Scan the site at /en/scan to confirm _fbp and _fbc do not appear before consent.
- Document joint controllership with Meta in the GDPR register.
- Update legal notices and privacy policy with advertising targeting purposes.
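The verification items in this checklist, and the _fbc caveat under common mistakes, can be automated over a recorded browser session. The following is an added example (not the site's scanner); the event record format and the session data are constructed, and connect.facebook.net and www.facebook.com/tr are the hosts the Pixel loads from and reports to.

```javascript
const PIXEL_COOKIES = ['_fbp', '_fbc'];

// Pixel library host, and the /tr endpoint that events are reported to.
function isPixelRequest(rawUrl) {
  const u = new URL(rawUrl);
  return u.hostname === 'connect.facebook.net' ||
    (u.hostname === 'www.facebook.com' && u.pathname.startsWith('/tr'));
}

// _fbc is only written when the landing URL carries fbclid, so the audit
// has to open the page the way a Meta ad click would.
function asAdClickUrl(pageUrl) {
  const u = new URL(pageUrl);
  u.searchParams.set('fbclid', 'AUDIT-PLACEHOLDER');
  return u.toString();
}

// events: {t, kind:'request', url} | {t, kind:'cookie', name} |
//         {t, kind:'consent', purposes:[...]}, with t in ms since navigation.
function findPreConsentTracking(events) {
  const findings = [];
  let adConsent = false;
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.kind === 'consent') {
      adConsent = ev.purposes.includes('advertising'); // a refusal resets it
    } else if (!adConsent && ev.kind === 'request' && isPixelRequest(ev.url)) {
      findings.push({ t: ev.t, issue: 'pixel-request', detail: ev.url });
    } else if (!adConsent && ev.kind === 'cookie' && PIXEL_COOKIES.includes(ev.name)) {
      findings.push({ t: ev.t, issue: 'pixel-cookie', detail: ev.name });
    }
  }
  return findings;
}

// Constructed capture: Pixel hard-coded in <head>, banner clicked after 4 s.
const hardCodedSession = [
  { t: 0, kind: 'request', url: asAdClickUrl('https://shop.example/landing') },
  { t: 120, kind: 'request', url: 'https://connect.facebook.net/en_US/fbevents.js' },
  { t: 180, kind: 'cookie', name: '_fbp' },
  { t: 185, kind: 'cookie', name: '_fbc' },
  { t: 4000, kind: 'consent', purposes: ['advertising'] },
  { t: 4100, kind: 'request', url: 'https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView' },
];

console.log(findPreConsentTracking(hardCodedSession).map((f) => f.issue + ' ' + f.detail));
```

An empty result is the passing state; the session above yields three findings, all timestamped before the banner click.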
The Meta Pixel is a powerful tool but creates significant legal exposure if misconfigured. Blocking before consent is non-negotiable. The server-side Conversions API improves conversion coverage without circumventing GDPR. Scan your site at /en/scan to verify whether the Pixel loads before user consent.
Frequently asked questions
Is the Meta Pixel legal under GDPR?
The Meta Pixel can be used legally under GDPR, but only with valid prior consent from the user. Without consent, activating the Meta Pixel — which sends data to Meta's servers — constitutes processing of personal data without a legal basis, which is prohibited. Several European data protection authorities, including the French CNIL, have sanctioned websites for using the pixel without proper consent management.
What data does the Meta Pixel collect?
The Meta Pixel can collect various types of data depending on its configuration: page views, events (product viewed, add to cart, purchase), the user's IP address, browser user agent, and cookie identifiers linked to the Facebook account. In advanced matching mode, it can also transmit hashed personal data such as email addresses or phone numbers. This data is used by Meta for ad targeting and conversion measurement.
How do I obtain valid consent for the Meta Pixel?
To obtain valid consent for the Meta Pixel, you must: display a clear consent banner that explicitly mentions Meta/Facebook advertising cookies before any pixel activation; offer an equally accessible refusal option; not activate the pixel until positive consent has been given; and store proof of consent with its date and scope. A compliant CMP (Consent Management Platform) handles this blocking and recording automatically.
What happens if a user refuses consent for the Meta Pixel?
If a user refuses consent, the Meta Pixel must not be activated at all — not even in a degraded or limited version. You can use the Conversions API (server-side) as a complement for users who consented, but no data should be sent to Meta for users who refused. From a business perspective, this impacts your ability to target and measure campaigns; this is precisely why optimizing the consent banner to improve your consent rate is important.
What are the alternatives to the Meta Pixel for compliant tracking?
Several alternatives reduce dependence on the browser-side Meta Pixel. The Meta Conversions API (CAPI) enables server-side event transmission, which is more reliable and avoids ad-blocker interference. It can be used alongside the browser pixel for users who consented, or alone for privacy-preserving measurement. Other approaches include aggregated event measurement, statistical modeling by Meta, and the use of UTM parameters for basic attribution without cookies.