The Meta Pixel (formerly Facebook Pixel) is a JavaScript tag that tracks visitor actions on websites and sends conversion data to Meta for advertising optimisation, remarketing, and audience building. The Meta Conversions API (CAPI) provides a server-side alternative. Both require consent under GDPR. Meta has received the largest GDPR fines in history from the Irish DPC. The Meta Pixel must not load without advertising consent. The combination of cross-site tracking, US data transfers, and Meta's business model makes this one of the highest-risk tools from a GDPR perspective.
The Meta Pixel (formerly Facebook Pixel) is a JavaScript tracking code that website owners install to measure conversions from Facebook and Instagram ads, build custom audiences for remarketing, and optimise ad campaigns. When a visitor arrives from a Meta ad or takes an action on the website (purchase, lead form, page view), the Pixel sends event data to Meta. Meta uses this data to attribute conversions to ads, improve ad delivery algorithms, and enable remarketing to website visitors. The Meta Conversions API (CAPI) provides a server-side alternative that sends conversion events directly from the server to Meta.
The Meta Pixel is among the most GDPR-scrutinised tools in digital marketing. Meta has been fined over 1.2 billion EUR by EU data protection authorities for GDPR violations related to EU-US data transfers. The Pixel's cross-site tracking mechanism, combined with Meta's extensive user profiling, creates significant privacy risk. The Irish DPC and other European DPAs have issued enforcement decisions against Meta's advertising data practices.
The Meta Pixel must not load until advertising consent is obtained. Use your CMP to block the Pixel script until the user accepts advertising cookies. For the Conversions API, server-side event sending still processes personal data (hashed email, IP address, user agent) requiring disclosure and potentially consent depending on implementation.
Implement a CMP and block the Meta Pixel until advertising consent. Sign the Meta Data Processing Terms. Configure Pixel events to only fire post-consent. For CAPI, hash all personal data before sending. Disclose the Meta Pixel in your privacy policy including US transfer and SCCs. Implement Meta's Limited Data Use flag for US state privacy law compliance. Conduct a DPIA documenting the advertising data flows.
Websites using Meta Pixel (Facebook Ads) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for Meta Pixel deployments. Cross-site tracking for advertising purposes, US data transfers to Meta, and linkage with Meta's global advertising profile constitute large-scale systematic monitoring requiring documented assessment.
Sample consent text
We use the Meta Pixel to measure the effectiveness of our advertising and to show you relevant ads on Facebook and Instagram. This involves transferring data to Meta in the US. You can decline advertising cookies below — this will not affect your ability to use this website.
Third-party domains contacted
facebook.com, connect.facebook.net, graph.facebook.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _fbp | persistent | 3 months | Meta Pixel browser identifier for cross-site tracking, audience building, and conversion attribution |
| _fbc | persistent | 3 months | Meta Pixel click identifier storing Facebook ad click data for conversion attribution |
Yes. The Meta Pixel sets advertising cookies for cross-site tracking and remarketing. These require explicit advertising consent under the ePrivacy Directive before the Pixel fires. The Pixel must not load without user consent.
Meta has received some of the largest GDPR fines in history: 1.2 billion EUR (May 2023, Irish DPC, for illegal US data transfers), 405 million EUR (September 2022, Instagram child data), 390 million EUR (January 2023, behavioural advertising legal basis), and 265 million EUR (November 2022, data scraping). Total GDPR fines against Meta exceed 2 billion EUR.
The Conversions API (CAPI) is a server-to-server alternative to the Pixel. It sends conversion events (purchase, lead) directly from your server to Meta. CAPI does not use browser cookies so it avoids the ePrivacy consent requirement for cookies. However, it still processes personal data (hashed email, IP, user agent) and transfers it to Meta in the US — GDPR still applies.
The Meta Pixel collects: visitor IP address, browser information, page URL, referrer, conversion events (PageView, ViewContent, AddToCart, Purchase), and optionally hashed email/phone via Advanced Matching. All data is sent to Meta's US infrastructure.
Yes. You must accept Meta's Data Processing Terms (available in Meta Business Manager, Settings, Business Settings, Data Sharing). These terms establish Meta as a data processor for Pixel data. Note that Meta also uses Pixel data as an independent controller for its own advertising purposes.
No. The ePrivacy Directive requires consent for placing cookies on user devices regardless of the underlying GDPR legal basis. Advertising cookies cannot rely on legitimate interest — consent is mandatory. Legitimate interest was explicitly rejected by the Irish DPC and EDPB for Meta's behavioural advertising.
Use your CMP tag blocking to prevent the Pixel script from loading until advertising consent is obtained. Configure your CMP to pass the "advertising" consent signal before the Pixel fires. Use Meta's consent mode integration if available.
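One way to verify the blocking described above is to audit a captured page load for contact with the third-party domains and cookies listed earlier on this page before advertising consent is recorded. This is an added example, not FlowConsent or Meta code; the event format (`t`, `type`, `url`, `name`, `advertising`) and the sample capture are assumptions constructed for illustration.

```javascript
// Added example: audit a captured page load for Meta Pixel activity before consent.
// Domains and cookie names are the ones listed on this page.
const META_DOMAINS = ['facebook.com', 'connect.facebook.net', 'graph.facebook.com'];
const META_COOKIES = ['_fbp', '_fbc'];

// True when host equals a listed domain or is a subdomain of it (www.facebook.com).
function isMetaHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return META_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// events: [{ t, type: 'request' | 'cookie' | 'consent', ... }] (assumed format).
// Returns findings for anything Meta-related seen while advertising consent is absent.
function auditPreConsent(events) {
  const findings = [];
  let adConsent = false;
  const sorted = [...events].sort((a, b) => a.t - b.t);
  for (const e of sorted) {
    if (e.type === 'consent') {
      adConsent = e.advertising === true; // track the latest advertising choice
    } else if (!adConsent && e.type === 'request') {
      let host;
      try { host = new URL(e.url).hostname; } catch { continue; } // skip malformed URLs
      if (isMetaHost(host)) findings.push({ t: e.t, kind: 'request', detail: host });
    } else if (!adConsent && e.type === 'cookie' && META_COOKIES.includes(e.name)) {
      findings.push({ t: e.t, kind: 'cookie', detail: e.name });
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic); t is milliseconds since navigation.
const SAMPLE = [
  { t: 0, type: 'request', url: 'https://shop.example/' },
  { t: 120, type: 'request', url: 'https://connect.facebook.net/en_US/fbevents.js' },
  { t: 180, type: 'cookie', name: '_fbp' },
  { t: 200, type: 'request', url: 'https://notfacebook.com/lib.js' },
  { t: 900, type: 'consent', advertising: true },
  { t: 950, type: 'request', url: 'https://www.facebook.com/tr?ev=PageView' },
  { t: 960, type: 'cookie', name: '_fbc' },
];

console.log(auditPreConsent(SAMPLE)); // two findings, both before the consent event
```

In practice the events would come from a HAR export or a headless-browser run with the consent banner left unanswered; an empty result is the expected outcome for a correctly blocked Pixel.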
There is no direct EU-hosted alternative to the Meta Pixel since Facebook and Instagram advertising is inherently Meta's US platform. To reduce risk: use Conversions API instead of browser Pixel where possible, implement strict consent requirements, hash all personal data sent to Meta, and consider reducing reliance on behavioural advertising.