TL;DR
The TikTok Pixel sets marketing cookies on your site as soon as it loads, before the user has given any consent. Without specific configuration, this violates the GDPR and the ePrivacy Directive. To comply, the Pixel must be blocked by your CMP until the user has accepted marketing cookies. Consent must be prior, freely given and documented.
What is the TikTok Pixel and what cookies does it set?
The TikTok Pixel is a JavaScript snippet that advertisers integrate on their site to measure conversions and target audiences on TikTok Ads. It sets cookies as soon as it loads, regardless of the user's choice.
The two main cookies are _ttp (a first-party cookie with a 13-month lifespan, used to identify the user for TikTok targeting and conversion measurement) and _tt_enable_cookie (a session cookie indicating that TikTok tracking is active). Both belong to the marketing category: they feed TikTok's advertising targeting algorithms.
In Events API mode (server-side), TikTok can receive data without browser cookies. This does not remove the consent requirement: if the transmitted data can identify the user (hashed email, phone number, IP address), prior consent is still required.
Is the TikTok Pixel GDPR compliant by default?
No. In its standard configuration, the TikTok Pixel is not GDPR compliant for visitors from the European Economic Area.
First issue: marketing cookies set without prior consent. The Pixel loads on page load and sets cookies before any user interaction with a consent banner. This is a direct violation of the ePrivacy Directive and the GDPR.
Second issue: transfer of personal data to third countries. TikTok (ByteDance) processes personal data on servers, some of which are located outside the EEA. This transfer requires an appropriate legal basis. Several European data protection authorities have issued decisions restricting the use of TikTok in professional contexts.
The situation is similar to that of the Meta Pixel: advertising tracking tools from major platforms are not GDPR compliant without explicit blocking before consent.
How to block the TikTok Pixel before consent
GDPR compliance requires that the TikTok Pixel does not load until the user has given consent for marketing cookies. There are two main methods.
Via your CMP (recommended method)
The most reliable approach is to use a consent management platform (CMP) that handles automatic blocking of non-consented scripts. FlowConsent detects the TikTok Pixel in your code and blocks it until explicit marketing consent is obtained. The script only loads if and when the user accepts the marketing category.
One essential condition: the Pixel code must not be injected directly into the page HTML outside of your CMP. Any TikTok code integrated outside the CMP bypasses blocking.
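The blocking rule described above, as an added example that is not FlowConsent's or TikTok's own code: the script tag is created only after an explicit marketing opt-in, and withdrawal removes it and expires the two cookies named earlier. The names `createMarketingGate` and `onConsentChange`, the shape of the `choices` object and the `pixelSrc` argument are assumptions; your CMP supplies the real callback and you supply the real script URL.

```javascript
// Added example: default-deny gate for a marketing script (hypothetical names).
const TIKTOK_COOKIES = ["_ttp", "_tt_enable_cookie"]; // cookie names from the article

// doc: the page's `document`; pixelSrc: URL of the pixel script (supplied by caller).
function createMarketingGate(doc, pixelSrc) {
  let scriptEl = null; // nothing exists in the DOM until consent is granted

  function load() {
    if (scriptEl) return false; // idempotent: never inject the tag twice
    scriptEl = doc.createElement("script");
    scriptEl.async = true;
    scriptEl.src = pixelSrc;
    doc.head.appendChild(scriptEl);
    return true;
  }

  function unload() {
    if (scriptEl) {
      // Removing the tag does not stop code that already ran; a page reload
      // is still needed for that. It does prevent re-use of the element.
      doc.head.removeChild(scriptEl);
      scriptEl = null;
    }
    // Expire the first-party cookies. Assumption: they were set with path=/
    // and no Domain attribute; add "domain=..." if your setup differs.
    for (const name of TIKTOK_COOKIES) {
      doc.cookie = `${name}=; Max-Age=0; path=/`;
    }
  }

  // Call this from the CMP each time the visitor saves or changes a choice.
  // Anything other than an explicit `marketing: true` is treated as refusal.
  function onConsentChange(choices) {
    if (choices && choices.marketing === true) {
      return load() ? "loaded" : "already-loaded";
    }
    unload();
    return "blocked";
  }

  return { onConsentChange, isLoaded: () => scriptEl !== null };
}
```

In a browser the gate is created with `createMarketingGate(document, pixelSrc)`, and the pixel snippet must not appear anywhere else in the page.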
Via Google Tag Manager
If you deploy the TikTok Pixel via GTM, configure the tag with a conditional trigger based on the marketing consent signal from your CMP. The tag should only fire when the marketing consent variable is granted.
If your CMP supports Consent Mode v2, you can use the marketing_storage: denied signal as a blocking condition in GTM. See the GTM and Consent Mode v2 guide for implementation details.
TikTok Pixel and Consent Mode v2: what you need to know
Consent Mode v2 is a mechanism developed by Google that allows Google tags to adapt their behaviour based on user consent. TikTok does not have a native equivalent to this standard.
In practice, this means that without marketing consent, the TikTok Pixel must not load at all. There is no TikTok degraded mode equivalent to Google's advanced mode (anonymous pings without cookies). If consent is refused, the Pixel must be entirely blocked.
TikTok offers an Events API integration that sends conversion events from your server. This server-side approach does not exempt you from the consent requirement: if the data sent includes personal identifiers (hashed email, phone number, IP address), prior user consent is required before any transmission.
What data does the TikTok Pixel transmit and what are the GDPR risks?
Beyond cookies, the TikTok Pixel can transmit Advanced Matching data: email address, phone number, first name, last name, city, region, postal code, country. This data is hashed client-side before being sent, but it remains personal data under the GDPR.
The applicable legal basis is generally consent (Art. 6.1.a GDPR). This reinforces the obligation to block the Pixel before the user has accepted marketing cookies, even if you are not using Advanced Matching.
On transfers outside the EEA: TikTok has committed to storing European users' data on servers located in Europe as part of the PDPA project (Project Clover). This framework is being progressively rolled out. Check the TikTok Ads data processing terms in force at the time of your compliance review.
Common mistakes with the TikTok Pixel and GDPR
Embedding the Pixel directly in the HTML without a CMP. TikTok Pixel code added to the page head without a consent condition loads for all visitors, including those who have not yet seen the banner or have refused.
Assuming TikTok handles compliance on your behalf. TikTok does not collect consent from your visitors. That is your responsibility as data controller.
Using the Events API without collecting consent. Server-side transmission of identifying data without prior consent is a GDPR violation, even if no cookie is set in the browser.
Not documenting consent. Proof of consent is a GDPR obligation. Your CMP must record the date, time and choices made by each visitor.
Omitting the TikTok Pixel from the cookie policy. The cookies _ttp and _tt_enable_cookie must appear in your cookie policy with their purpose, lifespan and the mention of the transfer to TikTok.
GDPR-compliant TikTok Pixel checklist
- The TikTok Pixel is blocked before consent (script does not load without marketing consent).
- The cookie banner includes a distinct marketing category with a visible refusal option.
- The Reject button is as visible as the Accept button.
- The _ttp and _tt_enable_cookie cookies are listed in the cookie policy with their purpose and lifespan.
- The retention period (_ttp: 13 months) is documented.
- The transfer to TikTok (data potentially outside the EEA) is mentioned in the policy.
- If you use Advanced Matching, consent covers the transmission of hashed personal data.
- If you use the Events API, prior consent is collected before sending any identifying data.
- Proof of consent is stored and can be retrieved in case of a regulatory audit.
- The Pixel is deactivated if the user withdraws consent or refuses on a subsequent visit.
Conclusion
The TikTok Pixel, like any advertising tracking tool, must be blocked before consent and activated only if the user accepts marketing cookies. There is no compliant no-banner mode for the TikTok Pixel. Compliance requires a CMP that handles script blocking, a GDPR-compliant cookie banner with a clear refusal option, and documented consent.
Scan your site with the free FlowConsent scanner to check whether the TikTok Pixel is correctly blocked before consent and identify all trackers set on your site.
Frequently asked questions
Does the TikTok Pixel require GDPR consent?
Yes. The TikTok Pixel sets marketing cookies (_ttp) and can transmit personal data to TikTok. Both require prior, freely given and informed consent from the user. Without consent, loading the Pixel is unlawful for visitors from the EEA.
Can I use the TikTok Pixel without a cookie banner on my site?
No, unless your site has no visitors from the EEA and is not subject to the GDPR or the ePrivacy Directive. For any site likely to be visited by European users, a cookie banner with a visible refusal option is mandatory as soon as the Pixel is integrated.
Does the TikTok Events API (Conversions API) replace the need for consent?
No. The Events API is a server-side data transmission method that improves tracking accuracy, but it does not remove the consent requirement. If the data sent can identify a user (hashed email, phone number, IP address), prior consent is still required before any transmission.
How can I verify that my TikTok Pixel is properly blocked before consent?
Open your browser in private mode, visit your site without accepting the cookie banner, and check the Network tab in DevTools for any requests to analytics.tiktok.com. If TikTok requests appear before consent is given, the blocking is not working correctly.
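The DevTools check above can be repeated on a saved HAR export of the Network tab. This added example (not part of the original article) flags requests to tiktok.com hosts and first-party requests that already carry `_ttp` or `_tt_enable_cookie` before the moment of consent. It goes slightly beyond the text by matching every tiktok.com subdomain, not only analytics.tiktok.com; `auditHar`, the sample data and its URLs are constructed for illustration.

```javascript
// Added example: audit a DevTools HAR export for TikTok activity before consent.
const TRACKER_DOMAIN = "tiktok.com"; // covers analytics.tiktok.com
const TRACKER_COOKIES = new Set(["_ttp", "_tt_enable_cookie"]);

// Exact-suffix match so that e.g. "nottiktok.com" is not flagged.
function isTrackerHost(hostname) {
  const h = hostname.toLowerCase();
  return h === TRACKER_DOMAIN || h.endsWith("." + TRACKER_DOMAIN);
}

// consentAt: ISO timestamp of the Accept click, or null if never accepted.
function auditHar(har, consentAt) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  const findings = [];
  for (const entry of har.log.entries) {
    const t = Date.parse(entry.startedDateTime);
    if (!(t < cutoff)) continue; // at or after consent, or unparseable time
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; }
    if (isTrackerHost(host)) {
      findings.push({ type: "request", at: entry.startedDateTime, detail: host });
    }
    // A script-set first-party cookie shows up on later requests to your own site.
    for (const c of entry.request.cookies || []) {
      if (TRACKER_COOKIES.has(c.name)) {
        findings.push({ type: "cookie", at: entry.startedDateTime, detail: c.name });
      }
    }
  }
  return findings;
}

// Constructed sample HAR (hosts, paths and values are illustrative only).
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.000Z",
    request: { url: "https://shop.example/", cookies: [] } },
  { startedDateTime: "2024-01-01T10:00:01.000Z",
    request: { url: "https://analytics.tiktok.com/constructed-path", cookies: [] } },
  { startedDateTime: "2024-01-01T10:00:02.000Z",
    request: { url: "https://shop.example/cart",
               cookies: [{ name: "_ttp", value: "constructed" }] } },
  { startedDateTime: "2024-01-01T10:00:10.000Z",
    request: { url: "https://analytics.tiktok.com/constructed-path", cookies: [] } },
] } };
```

An empty result for a session where the banner was never accepted (`consentAt` set to `null`) is the outcome to aim for.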
How long can I retain data collected via the TikTok Pixel?
Retention periods must be documented and proportionate to the purpose. The _ttp cookie has a 13-month lifespan. For data transmitted to TikTok via Advanced Matching or the Events API, refer to the TikTok Ads data processing terms and document the retention period in your cookie policy and records of processing activities.