Facebook SDK for JavaScript is loaded from connect.facebook.net and embeds Meta features such as Login with Facebook, Like and Share buttons, comments and the Meta Pixel. It drops first and third party cookies including _fbp, _fbc, fr, datr, c_user and xs, fires Pixel events and forwards browsing data to Meta Platforms Ireland and to Meta Platforms Inc in the United States. Under GDPR and the ePrivacy Directive, prior, freely given, specific, informed and unambiguous consent is required before the SDK is loaded.
Facebook SDK for JavaScript is a script library loaded from connect.facebook.net/{locale}/sdk.js that enables websites to embed Meta features. It powers Login with Facebook, Like and Share buttons, embedded posts, comments plugins, Share dialogs and the Meta Pixel. Once initialised through the FB.init() call, the SDK communicates with facebook.com and graph.facebook.com, reads existing Meta cookies and writes new ones in order to identify users, measure conversions and build custom audiences. It is a primary instrument for Meta advertising and is widely deployed alongside the Meta Pixel and the Conversions API.
The SDK writes a first party cookie _fbp containing the Meta Pixel browser identifier and a _fbc cookie capturing click attribution from fbclid query parameters. When the user is logged into Facebook the third party cookies fr, datr, c_user and xs are read or written on the facebook.com domain. The script also sends event payloads including the IP address, user agent, referring URL, page URL, viewport, language and hashed user data when advanced matching is configured. This rich dataset qualifies as personal data under Art 4 GDPR and is used by Meta for cross site tracking and behavioural advertising.
For users in the European Economic Area the controller is Meta Platforms Ireland Limited based in Dublin, but the data is mirrored to Meta Platforms Inc in the United States. Transfers rely on the EU US Data Privacy Framework adopted in July 2023 and on Standard Contractual Clauses with supplementary measures. The framework remains contested following the Schrems II ruling, and in 2023 the Irish Data Protection Commission, acting on the EDPB binding decision, fined Meta 1.2 billion euros for unlawful transfers tied to Facebook services. Operators embedding the SDK must therefore document a transfer impact assessment and monitor evolving case law.
The only valid legal basis for deploying the Facebook SDK is the user's consent under Art 6(1)(a) GDPR, and Art 5(3) of the ePrivacy Directive separately requires consent before any cookie is stored on or read from the device. The script must not load before that consent has been captured through a compliant Consent Management Platform. The CNIL fined Facebook Ireland 60 million euros in December 2021 because refusing cookies on facebook.com was harder than accepting them, and similar enforcement has come from the AEPD in Spain, the Garante in Italy and the German supervisory authorities. Refusal must be as easy as acceptance, and granular control must be offered for advertising purposes.
Facebook SDK creates a high risk profile because it combines profiling, large scale processing, systematic monitoring and third country transfers. A Data Protection Impact Assessment is mandatory under Art 35 GDPR. Controllers must document the categories of data processed, the safeguards in place such as Consent Mode v2 and server side hashing, the retention period of cookies and event data and the rights granted to data subjects including objection, erasure and portability.
Operators should integrate Facebook SDK only after consent is granted, document the data flows in their record of processing activities under Art 30 GDPR, update the privacy notice and cookie policy, configure Consent Mode v2 when the Pixel is deployed through Google Tag Manager, prefer server side integration via the Conversions API to limit browser side exposure and review IAB TCF v2.2 signals shared with Meta. Periodic audits of cookies, beacons and outbound requests to facebook.com and graph.facebook.com are recommended.
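The "load only after consent" and "audit cookies and outbound requests" steps above (and the same advice in the consent and deployment answers further down) as an added example in JavaScript. This is not code from Meta, from the SDK, or from this page's vendor: it is a small consent gate that queues the sdk.js loader until marketing consent is granted, plus audit helpers that flag Meta cookies or requests observed before consent. The app ID, locale and SDK version are placeholder assumptions, and the cookie string and request list in demo() are constructed.

```javascript
// Added example (not code from Meta or from this page's vendor): gate the
// Facebook SDK behind marketing consent and audit a page for Meta cookies or
// requests that appear before consent. Domain and cookie names come from the
// page's own lists; app ID, locale and SDK version are placeholder assumptions.

const META_DOMAINS = [
  "connect.facebook.net", "facebook.com", "www.facebook.com",
  "graph.facebook.com", "staticxx.facebook.com",
];
const META_COOKIES = ["_fbp", "_fbc", "fr", "datr", "c_user", "xs"];

// Consent gate: loaders registered for a purpose the visitor has not granted
// stay queued; each loader runs at most once, even if consent is granted twice.
function createConsentGate() {
  const granted = new Set();
  const pending = new Map();   // purpose -> [{ id, loader }]
  const loaded = new Set();
  const run = (id, loader) => { if (!loaded.has(id)) { loaded.add(id); loader(); } };
  return {
    // Returns true only if the loader ran immediately.
    require(purpose, id, loader) {
      if (loaded.has(id)) return false;
      if (granted.has(purpose)) { run(id, loader); return true; }
      if (!pending.has(purpose)) pending.set(purpose, []);
      pending.get(purpose).push({ id, loader });
      return false;
    },
    grant(purpose) {
      granted.add(purpose);
      for (const { id, loader } of pending.get(purpose) || []) run(id, loader);
      pending.delete(purpose);
    },
    // Withdrawal stops future loads; cookies already written (_fbp, _fbc)
    // must be expired separately, which this gate does not do.
    withdraw(purpose) { granted.delete(purpose); },
    isGranted(purpose) { return granted.has(purpose); },
  };
}

// Builds the loader for connect.facebook.net/{locale}/sdk.js. `inject`
// receives a script descriptor; in a browser pass injectScript below.
function facebookSdkLoader({ appId, locale = "en_US", version = "v19.0", inject }) {
  return function load() {
    if (typeof window !== "undefined") {
      // fbAsyncInit and FB.init are the SDK's documented initialisation hooks.
      window.fbAsyncInit = () => window.FB.init({ appId, version, xfbml: true });
    }
    inject({ src: `https://connect.facebook.net/${locale}/sdk.js`,
             async: true, defer: true, crossOrigin: "anonymous" });
  };
}

// Browser-side injector (no-op outside a browser so the module loads in Node).
function injectScript(desc) {
  if (typeof document === "undefined") return;
  const s = document.createElement("script");
  Object.assign(s, desc);
  document.head.appendChild(s);
}

// Audit helpers take plain inputs so they can run over a captured
// document.cookie string and the URLs from performance.getEntriesByType("resource").
// Caveat: document.cookie only exposes the first-party cookies (_fbp, _fbc);
// the facebook.com cookies fr, datr, c_user and xs are only visible in DevTools.
function findMetaCookies(cookieString) {
  return cookieString.split(";")
    .map((c) => c.trim().split("=")[0])
    .filter((name) => META_COOKIES.includes(name));
}

function findMetaRequests(urls) {
  return urls.filter((u) => {
    let host;
    try { host = new URL(u).hostname; } catch { return false; }
    return META_DOMAINS.some((d) => host === d || host.endsWith("." + d));
  });
}

// Returns a list of findings; an empty list means nothing reached Meta before
// consent. Pass consentGranted = gate.isGranted("marketing") from the page.
function preConsentAudit({ cookieString, requestUrls, consentGranted }) {
  if (consentGranted) return [];
  return [
    ...findMetaCookies(cookieString).map((n) => `cookie set before consent: ${n}`),
    ...findMetaRequests(requestUrls).map((u) => `request before consent: ${u}`),
  ];
}

// Usage with a constructed cookie string and request list.
function demo() {
  const gate = createConsentGate();
  const injected = [];
  const load = facebookSdkLoader({ appId: "000000000000000", inject: (d) => injected.push(d.src) });
  gate.require("marketing", "facebook-sdk", load);   // queued, nothing injected yet
  const before = preConsentAudit({
    cookieString: "_ga=GA1.2.1; _fbp=fb.1.1700000000000.123456789",              // constructed
    requestUrls: ["https://example.com/app.js", "https://www.facebook.com/tr/?id=1"], // constructed
    consentGranted: gate.isGranted("marketing"),
  });
  gate.grant("marketing");   // CMP callback: the queued loader now runs once
  return { before, injected };
}
```

In a real deployment the `grant` call is wired to the CMP's consent callback and `injectScript` is passed as `inject`; the audit functions are meant for a periodic check run with consent refused, where any finding means a tag or plugin is firing ahead of the gate.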
Websites using Facebook SDK must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is required under Art 35 GDPR because Facebook SDK enables systematic monitoring of website visitors, profiling for advertising purposes, large scale processing of behavioural data and transfers to the United States with Schrems II implications. The DPIA must document the necessity and proportionality of embedding Meta scripts, evaluate the risks created by cookies such as _fbp and _fbc combined with Meta server side enrichment via the Conversions API, assess the safeguards offered by the EU US Data Privacy Framework following the 2023 EDPB enforcement against Meta, and define mitigation measures including a compliant Consent Management Platform, Consent Mode v2, IP truncation, server side hashing of personal identifiers and a documented retention policy.
Sample consent text
We use the Facebook SDK provided by Meta Platforms Ireland Limited to display Login with Facebook, social plugins and the Meta Pixel. With your consent, cookies such as _fbp, _fbc, fr and datr are stored on your device and information about your visit, including your IP address and the pages you view, is shared with Meta in Ireland and in the United States under the EU US Data Privacy Framework. This data is used for advertising measurement, custom audiences and profiling. You can accept, refuse or withdraw your consent at any time through our cookie preferences.
Third-party domains contacted
connect.facebook.net
facebook.com
www.facebook.com
graph.facebook.com
staticxx.facebook.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _fbp | first_party | 90 days | Marketing. Facebook Pixel browser identifier used to track visits across sessions and attribute conversions. |
| _fbc | first_party | 90 days | Marketing. Stores the last click attribution identifier from the fbclid URL parameter for ad measurement. |
| fr | third_party | 90 days | Marketing. Used by Meta on facebook.com for ad targeting, frequency capping and personalisation. |
| datr | third_party | 2 years | Security and identification. Identifies the browser to prevent fraudulent activity on Meta services. |
| c_user | third_party | 90 days | Identity. Stores the Facebook user ID when the visitor is logged in. |
| xs | third_party | session | Identity. Stores the Facebook session identifier for authenticated users. |
The Facebook SDK writes the first party cookie _fbp containing the Meta Pixel browser identifier with a 90 day lifetime and a _fbc cookie that captures click attribution from the fbclid URL parameter. When the visitor is logged into Facebook, the SDK reads or writes the third party cookies fr (90 days, advertising), datr (2 years, security and identification), c_user (90 days, identity) and xs (session, identity) on the facebook.com domain. All these cookies must be classified as non essential and require prior consent.
Yes, consent is strictly required. The SDK loads scripts that drop cookies and forward personal data to Meta for advertising purposes, which is non essential processing under Art 5(3) of the ePrivacy Directive and Art 6(1)(a) GDPR. The script must remain blocked until the user provides freely given, specific, informed and unambiguous consent through a compliant Consent Management Platform. Refusal must be as easy as acceptance and consent must be renewable and withdrawable at any time.
The only valid legal basis is the consent of the user under Art 6(1)(a) GDPR. Legitimate interest cannot be invoked: in 2023 the Court of Justice (Meta Platforms v Bundeskartellamt, C-252/21) and the European Data Protection Board rejected both legitimate interest and contractual necessity as bases for Meta's personalised advertising. Operators must document the consent record, including timestamp, scope and policy version, and be able to demonstrate consent on request from the supervisory authority.
For EEA users the controller is Meta Platforms Ireland Limited in Dublin, however the data is mirrored to Meta Platforms Inc in the United States. Transfers rely on the EU US Data Privacy Framework adopted in July 2023 and Standard Contractual Clauses with supplementary measures. The framework is still challenged in light of the Schrems II ruling, and the Irish DPC fined Meta 1.2 billion euros in 2023 for unlawful transfers tied to Facebook services. A transfer impact assessment is required.
Yes, a Data Protection Impact Assessment is mandatory under Art 35 GDPR because the processing involves systematic monitoring, profiling, large scale processing and transfers to a third country. The DPIA must describe the data flows, identify the risks to data subjects, evaluate the necessity and proportionality of the processing and define mitigation measures such as a compliant CMP, server side integration via the Conversions API, IP truncation and a documented retention policy.
Deploy the SDK only after consent through a compliant Consent Management Platform that supports IAB TCF v2.2. If the Meta Pixel is deployed through Google Tag Manager, configure Consent Mode v2 and add ad_storage and ad_user_data as additional consent checks on the Meta tag, since non-Google tags do not honour Google's consent signals on their own. Prefer server side integration via the Conversions API to reduce browser side exposure, apply IP truncation and server side hashing of personal identifiers, and document everything in the record of processing activities under Art 30 GDPR.
Compliant alternatives include server side integration via the Conversions API without the browser SDK, first party tracking through a privacy oriented analytics platform, contextual advertising solutions that do not rely on personal data, native login through OpenID Connect providers based in the EU and embedded social content via static previews rather than iframes loading facebook.com. Each alternative reduces or eliminates the dependency on Meta cookies and cross border transfers.
List every cookie set by the SDK with its name, purpose, duration and category, identify Meta Platforms Ireland Limited and Meta Platforms Inc as joint controller and processor where applicable, mention the transfer mechanism (DPF and SCCs), describe data subject rights including objection and erasure, link to the Meta privacy policy and explain how to withdraw consent. Review the cookie policy at least annually or whenever Meta updates its SDK or data practices.