Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Meta Business Suite is the free management platform for Facebook, Instagram and WhatsApp Business accounts. It bundles Page management, Messenger and Instagram inbox, content scheduling, ads management and insights. When merchants embed Meta widgets (Customer Chat, Page plugins, Messenger button, Instagram chat) on their websites, those widgets set Meta cookies and share data with Meta Platforms Ireland and Meta Platforms Inc. in the United States, which requires consent and triggers cross border transfers.
Meta Business Suite is Meta''s free management platform for businesses operating Facebook Pages, Instagram accounts and WhatsApp Business profiles. It unifies content scheduling, inbox for Messenger and Instagram, ads management, insights and the configuration of integrations such as Customer Chat, Page plugins, the Meta Pixel and the Conversions API. While the dashboard itself is used by business operators, several Meta Business Suite features place tracking and processing onto merchant websites.
When merchants embed Meta widgets, Meta sets third party cookies on facebook.com (datr, fr, sb, c_user, xs) and instagram.com. Conversations through Customer Chat are stored on Meta infrastructure and linked to the visitor''s Facebook account when they are logged in. Meta also receives the URL, referrer, IP and browser of the visitor. WhatsApp Business API messages flow through Meta servers. Meta Pixel and the Conversions API stream events from the merchant site to Meta.
The Court of Justice ruled in Wirtschaftsakademie (C-210/16) and Fashion ID (C-40/17) that operators of Facebook Pages and embedded Like buttons are joint controllers with Meta for the data sent to Facebook. The same logic applies to Meta Business Suite widgets embedded on a merchant site. Cookies set by these widgets are non essential and require consent under Art. 5(3) ePrivacy. The Irish DPC has issued multiple GDPR decisions against Meta on legal basis and transfers; merchants must keep up with these developments.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Explicit consent is required before loading any Meta widget. Consent should distinguish Customer Chat (joint controller messaging), Page plugins (joint controller social engagement) and Pixel/Conversions API (consent for ads measurement and retargeting). Use IAB TCF v2.2 if you are in publishing, or Google Consent Mode v2 plus Meta Conversions API consent signalling for direct merchants.
Meta Platforms Ireland is the EU controller. EU personal data is transferred to Meta Platforms Inc. in the United States and other affiliates. Meta is certified under the EU US Data Privacy Framework and uses Standard Contractual Clauses. Meta has invested in EU data centres (Ireland, Sweden, Denmark) but the company structure continues to involve onward transfers. Merchants should follow ongoing DPC and EDPB decisions.
Sign Meta''s Page Insights Controller Addendum and the Custom Audiences Addendum where applicable, load Meta widgets only after consent for ads or social features, document joint controllership for Page plugins and Customer Chat in your privacy notice, use Conversions API with proper consent signalling, complete a Transfer Impact Assessment that accounts for the EU US Data Privacy Framework, and offer users a clear way to withdraw consent for Meta tracking.
Websites using Meta Business Suite must obtain user consent under GDPR regulations.
DPIA considerations
Meta Business Suite itself is a dashboard for business users, but the widgets it lets merchants deploy raise major GDPR considerations. Key DPIA considerations: (1) Customer Chat and Messenger widgets set third party cookies on facebook.com and require consent; (2) Meta acts as a joint controller with merchants for some processings (Wirtschaftsakademie ruling, Fashion ID), particularly Page Insights and embedded plugins; (3) data is transferred to the United States, subject to the EU US Data Privacy Framework and the still ongoing Schrems litigation; (4) the Irish DPC has fined Meta heavily over transfers; (5) Conversions API and Pixel events shared from the site to Meta require explicit consent and Consent Mode v2 like signaling; (6) WhatsApp Business API messages are processed by Meta and stored on Meta infrastructure with their own retention and transparency rules.
Sample consent text
With your consent, we use Meta Business Suite tools (Messenger chat, Instagram messaging, Customer Chat) to talk with you and to share certain conversion events with Meta. Meta Platforms Ireland Limited acts as our joint controller for these features. Data is transferred to Meta Platforms Inc. in the United States under Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
facebook.combusiness.facebook.comconnect.facebook.netinstagram.comgraph.facebook.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| datr | Marketing | 2 years | Meta cookie set on facebook.com when Customer Chat or any Meta plugin loads. Identifies the browser used to access Facebook, regardless of logged in status. |
| fr | Marketing | 90 days | Meta cookie containing the Facebook browser ID and used for advertising and frequency capping across Meta properties. |
| sb | Marketing | 2 years | Meta cookie used to improve login suggestions and account recovery; set when Meta widgets are loaded. |
| c_user | Functional | Session/persistent | Identifies the logged in Facebook user when the visitor is authenticated and interacts with embedded Meta widgets such as Customer Chat. |
| xs | Functional | Session/persistent | Stores the Facebook session for logged in users when Meta widgets are present on the page. |
| wd | Marketing | 7 days | Stores window dimensions used by Meta to optimise rendering of widgets and ads. |
Meta Business Suite places tracking cookies for advertising — comply with GDPR using FlowConsent.
When Customer Chat, Page plugins or social embeds are loaded, Meta sets third party cookies on facebook.com (datr 2 years, fr 90 days, sb 2 years, c_user, xs for logged in users) and equivalent cookies on instagram.com. These are non essential and consent based.
Yes. The widgets that Meta Business Suite lets you deploy on your site (Customer Chat, Messenger button, Page plugins, Instagram chat) load Meta scripts and place cookies, so consent under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR is required before loading.
Consent (Art. 6(1)(a) GDPR) for all visitor facing widgets that involve Meta cookies or Conversions API. Joint controllership under Art. 26 GDPR applies for Page Insights and embedded plugins, with an addendum from Meta. Legitimate interest is not a safe basis for the visitor side processing.
Meta Platforms Ireland is the EU controller. Data is transferred to Meta Platforms Inc. in the US under SCCs and the EU US Data Privacy Framework. Meta runs EU data centres in Ireland, Sweden and Denmark, but onward transfers within the group remain part of the model.
Yes. Anything Meta deploys on your site (cookies, plugins, Conversions API) triggers Art. 35 GDPR criteria due to large scale processing, profiling and cross border transfers. The DPIA should cover the joint controllership, transfers, retention and the recent DPC enforcement context.
Sign Meta's Page Insights Controller Addendum and Custom Audiences Addendum, load widgets only after explicit consent, use the Conversions API with consent signalling, document Meta as a joint controller for the relevant features, run a TIA referencing the EU US Data Privacy Framework, and provide an easy way to opt out.
Alternatives include EU operated messaging widgets such as Userlike (Germany), LiveChat (Poland), Crisp (France), self hosted Chatwoot or Rocket.Chat, and contextual social sharing buttons that do not load Meta scripts (e.g. Shariff library). For ads measurement, prefer server side tagging tied to first party data and aggregated reporting.
Declare Meta Platforms Ireland as a joint controller for the relevant widgets, name the cookies set on facebook.com and instagram.com with their duration, describe the data shared via Customer Chat, Pixel and Conversions API, mention US transfers under SCCs and the EU US Data Privacy Framework, link Meta's privacy notice and the Page Insights and Custom Audiences addenda.