Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent
Meta Pixel (formerly Facebook Pixel) is Meta's JavaScript tracking tag for websites. It measures ad conversions, builds retargeting audiences, and optimises ad delivery across Facebook, Instagram, and the Meta Audience Network. Data is sent to Meta Platforms Inc. servers in the United States and requires prior user consent under the GDPR and the ePrivacy Directive. Meta has received multiple GDPR enforcement decisions across Europe.
Meta Pixel (formerly Facebook Pixel) is a piece of JavaScript code provided by Meta Platforms Inc. that website operators embed in their pages. Once installed, it tracks visitor actions, page views, product views, add-to-cart events, purchases, and custom events, and reports them back to Meta's advertising platform. This data is used to measure the effectiveness of ad campaigns, optimise ad delivery using Meta's machine learning models, and build retargeting audiences on Facebook, Instagram, and the Meta Audience Network.
When a visitor loads a page containing the Meta Pixel code, the browser sends an HTTP request to Meta's servers (connect.facebook.net), which sets tracking cookies (_fbp, _fbc) and collects browser signals, IP address, User-Agent, screen resolution, referrer, and URL. Standard events (e.g. Purchase, Lead) or custom events can be triggered on specific user interactions and sent to Meta in real time. With Advanced Matching enabled, hashed personal data such as email address, phone number, and name can also be transmitted.
Meta Pixel processes personal data and transfers it to Meta Platforms Inc. in the United States. Under the GDPR and the ePrivacy Directive, valid prior consent is required before the Pixel may fire. Crucially, Meta acts not merely as a data processor but as an independent data controller for its own advertising purposes, meaning operators have limited control over how Meta uses the data downstream. In May 2023, the Irish Data Protection Commission fined Meta EUR 1.2 billion for unlawful transfers of EU personal data to the US, making it the largest GDPR fine ever issued.
The Meta Conversions API (CAPI) allows operators to send conversion events directly from their server to Meta, bypassing browser-level cookie restrictions and ad blockers. While CAPI can improve signal quality and reduce dependence on browser cookies, it does not reduce the volume of personal data shared with Meta, in many cases it increases it, since server-side events can include richer customer data (email, phone, customer ID). Consent is still required, and CAPI does not resolve the underlying data transfer and joint-controller concerns.
Websites using Meta Pixel (Facebook Pixel) must obtain user consent under GDPR regulations.
DPIA considerations
Meta Pixel collects IP addresses, precise browser fingerprints, and behavioural event data (page views, add-to-cart, purchases) and transmits them to Meta Platforms Inc. in the United States. Key DPIA considerations: (1) cross-border data transfer risk, Meta has been fined EUR 1.2 billion by the Irish DPC (2023) for unlawful US data transfers; SCCs alone may not be sufficient without a robust TIA; (2) Meta acts as an independent data controller for its own advertising and product purposes, not merely a processor, operators cannot fully control downstream data use; (3) cross-site tracking via the _fbp cookie and the Meta pixel enables large-scale profiling even outside Facebook properties; (4) advanced matching and server-side CAPI transmit hashed personal data (email, phone, name) directly to Meta servers; (5) real-time bidding (RTB) ecosystem downstream of the pixel involves hundreds of third-party recipients. A DPIA is strongly recommended and likely mandatory at any scale.
Sample consent text
We use the Meta Pixel to measure the effectiveness of our advertising campaigns and to show you relevant ads on Facebook and Instagram. Meta Pixel places cookies on your device and may collect data about your browsing behaviour on this site, including pages visited and actions taken. This data is shared with Meta Platforms Inc. in the United States. You may withdraw your consent at any time via our cookie settings.
Third-party domains contacted
connect.facebook.netfacebook.comgraph.facebook.compixel.facebook.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _fbp | Analytics / Advertising | 90 days | Set by the Meta Pixel to identify and track browsers across visits. Used to attribute conversions to ad campaigns and build retargeting audiences. |
| _fbc | Analytics / Advertising | 90 days | Stores the Facebook click identifier (fbclid) from the landing page URL when a visitor arrives from a Meta ad. Used for conversion attribution. |
| fr | Advertising | 90 days | Meta first-party advertising cookie used for targeted ad delivery and frequency capping across Facebook and Instagram. |
| datr | Security | 2 years | Meta security and anti-spam cookie set when the user logs into Facebook. Used to detect and prevent fraudulent login activity. |
Meta Pixel (Facebook Pixel) places tracking cookies for advertising — comply with GDPR using FlowConsent.
Get started freeMeta Pixel (formerly Facebook Pixel) is a JavaScript tag that website operators place on their pages to track visitor actions, page views, product views, add-to-cart, purchases, and custom events. When the Pixel fires, it sends this data to Meta servers, which use it to measure ad campaign performance, optimise ad delivery using machine learning, and build retargeting audiences on Facebook, Instagram, and the Meta Audience Network.
Meta Pixel can be deployed in a GDPR-compliant manner, but significant challenges remain. You must obtain valid prior consent before the Pixel fires, sign a Data Processing Terms agreement with Meta, and account for the fact that Meta acts as an independent data controller, not just a processor, for its own advertising purposes. Additionally, the Irish DPC fined Meta EUR 1.2 billion in 2023 for unlawful EU-to-US data transfers, making standard Pixel deployments high-risk without robust supplementary safeguards.
Yes. Meta Pixel sets persistent tracking cookies (_fbp, _fbc) and reads existing Meta cookies (fr, datr) from the visitor browser. Under the GDPR and the ePrivacy Directive, these cookies require prior, freely given, specific, informed, and unambiguous consent. This consent must be collected through a compliant Consent Management Platform (CMP) before the Pixel code is allowed to load.
Meta Pixel interacts with four main cookies: _fbp (90-day lifetime), set by the Pixel to identify and track browsers across visits; _fbc (90-day lifetime), stores the Facebook click identifier (fbclid) when a visitor arrives from a Facebook ad; fr (90-day lifetime), a Meta first-party advertising cookie used for ad targeting and frequency capping; datr (2-year lifetime), a Meta security cookie set when you log into Facebook, used for fraud and spam prevention.
Yes. All data collected by Meta Pixel is transferred to and processed by Meta Platforms Inc. in the United States. This is a restricted transfer under GDPR Chapter V. Meta relies on Standard Contractual Clauses (SCCs), but the Irish Data Protection Commission found this insufficient in its 2023 decision and fined Meta EUR 1.2 billion. Organisations using Meta Pixel should conduct a Transfer Impact Assessment (TIA) and implement additional technical safeguards where possible.
The Meta Conversions API (CAPI) allows operators to send conversion events directly from their server to Meta, bypassing browser cookie restrictions and ad blockers. This improves signal reliability, especially as third-party cookies are phased out. However, CAPI does not eliminate privacy concerns, it often transmits more personal data than the browser Pixel (including hashed email, phone number, and customer ID), it does not resolve the US data transfer issue, and it does not reduce Meta's role as independent data controller. Consent is still required.
Yes, repeatedly. The Austrian DSB (January 2022), French CNIL (February 2022), Italian Garante, and several other European DPAs ruled that the use of Google Analytics and Meta Pixel without adequate safeguards for US data transfers is non-compliant with GDPR. In May 2023, the Irish DPC issued a EUR 1.2 billion fine against Meta specifically for unlawful data transfers. Operators should treat Meta Pixel as a high-risk service and implement appropriate consent mechanisms and supplementary measures.
A Data Protection Impact Assessment (DPIA) is very likely required under GDPR Article 35 for Meta Pixel deployments. The processing involves cross-border data transfers to the US, large-scale behavioural profiling, a joint-controller relationship with Meta, and downstream sharing with the real-time bidding (RTB) ecosystem. Several DPAs consider this type of processing to be inherently high-risk. A DPIA should document the risks, the legal basis, the transfer mechanism, and any supplementary technical or organisational measures in place.