Facebook Login (also called Login with Facebook) is Meta's social authentication and social graph SDK. It lets visitors sign in to a third-party website with their Facebook account and, with the user's permission, exposes profile data, friend lists, age range and other graph fields to that site. Embedding the Login with Facebook button or the Meta JavaScript SDK on a European website sets cookies on the facebook.com domain, transfers identifiers to Meta, and creates a joint controller relationship under the GDPR.
Facebook Login is Meta's authentication service built on OAuth 2.0. A website embeds the Login with Facebook button by including the Meta JavaScript SDK (sdk.js from connect.facebook.net) or drives the Login Dialog redirect flow directly. After the user authorises the requested permissions (for example public_profile, email, user_friends or user_age_range), Meta returns an access token that the website can use to retrieve graph data through the Graph API. A token that arrives from the browser should be verified server-side before it is trusted; the Graph API debug_token endpoint confirms which app and which user it was issued for.
In practice, the website operator decides which Facebook permissions to request, whether to store the Facebook user ID in the local database, and how to combine Facebook data with the rest of the profile. Each of these decisions has direct GDPR consequences.
Facebook Login sets several cookies on the third-party .facebook.com domain: c_user (the logged in user ID), xs (session secret), datr (browser identifier, 2 years), sb (browser security), fr (advertising identifier, 90 days) and others. On the operator's own domain the SDK may keep the login status in localStorage under fblo_<APP_ID>, and the OAuth handshake carries a short-lived state parameter. Each Graph API call transmits the IP address, the User-Agent, the requested permissions and the application ID to Meta's servers.
Loading the Meta JavaScript SDK before the user clicks the Login with Facebook button is treated by several EU regulators (the CNIL in France, the Datenschutzbehörde in Austria, the AEPD in Spain) as a social plugin requiring prior consent under Article 5(3) of the ePrivacy Directive. The CJEU's Fashion ID judgment (C-40/17, 29 July 2019) established that a site operator embedding a Facebook plugin is a joint controller with Meta for the collection and transmission the plugin triggers. The Bundeskartellamt Meta decision, confirmed by the CJEU in case C-252/21 (4 July 2023), held that combining Facebook data with off-platform data requires consent and cannot rest on legitimate interest. The website operator and Meta therefore act as joint controllers for the data sharing initiated by the login button.
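The practical check behind the previous two paragraphs is whether any Meta host was contacted before the opt-in click. The following audit is an added example, not code from the original page and not FlowConsent's or Meta's code; it reads the request list from a HAR export and the key names found in the site's localStorage, and flags every Meta request that started before the consent timestamp plus any fblo_<APP_ID> entry. The HAR, timestamps and app ID below are constructed for the example.

```javascript
// Added example, not part of the original page and not FlowConsent's or Meta's code.
// Offline check that no Meta host was contacted before the opt-in click, using the
// request list from a HAR export and the keys found in the site's localStorage.

const META_HOSTS = ['facebook.com', 'connect.facebook.net', 'graph.facebook.com', 'fbcdn.net', 'meta.com'];

// True for a Meta host or any subdomain of one (www.facebook.com, static.xx.fbcdn.net, ...).
function isMetaHost(hostname) {
  const h = hostname.toLowerCase();
  return META_HOSTS.some((m) => h === m || h.endsWith('.' + m));
}

// Flatten a HAR object to what the audit needs: URL and start time of each request.
function requestsFromHar(har) {
  return har.log.entries.map((e) => ({ url: e.request.url, startedAt: e.startedDateTime }));
}

// Returns one finding per Meta request issued before consentAt (ISO string; null means the
// visitor never opted in, so every Meta request is a finding) and one per fblo_<APP_ID>
// key, which shows the SDK ran far enough to record a login status on the operator domain.
function auditPreConsent(requests, consentAt, storageKeys) {
  const consentTs = consentAt ? Date.parse(consentAt) : Infinity;
  const findings = [];
  for (const r of requests) {
    const host = new URL(r.url).hostname;
    if (isMetaHost(host) && Date.parse(r.startedAt) < consentTs) {
      findings.push({ kind: 'pre_consent_request', host, url: r.url });
    }
  }
  for (const k of storageKeys) {
    if (/^fblo_\d+$/.test(k)) findings.push({ kind: 'sdk_login_status_in_storage', key: k });
  }
  return findings;
}

// Constructed sample: the SDK loads on page load, the visitor opts in four seconds later,
// and only then does the Graph API call happen. Host names, times and app ID are made up.
const SAMPLE_HAR = {
  log: {
    entries: [
      { startedDateTime: '2024-03-01T10:00:00.000Z', request: { url: 'https://shop.example/checkout' } },
      { startedDateTime: '2024-03-01T10:00:01.000Z', request: { url: 'https://connect.facebook.net/en_US/sdk.js' } },
      { startedDateTime: '2024-03-01T10:00:06.000Z', request: { url: 'https://graph.facebook.com/v19.0/me?fields=id,email' } },
    ],
  },
};
const SAMPLE_CONSENT_AT = '2024-03-01T10:00:05.000Z';
const SAMPLE_STORAGE_KEYS = ['cart', 'fblo_123456789'];

// Runs the audit on the constructed sample: the sdk.js load is pre-consent, the Graph call is not.
function runSampleAudit() {
  return auditPreConsent(requestsFromHar(SAMPLE_HAR), SAMPLE_CONSENT_AT, SAMPLE_STORAGE_KEYS);
}

console.log(runSampleAudit());
```

Export the HAR from the browser's network panel after a fresh profile load, note the time of the consent click from your CMP's event log, and dump `Object.keys(localStorage)` from the console; a clean page yields an empty list. Passing `null` as the consent time reproduces the "visitor never opted in" case, where every Meta request is a finding.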
Meta Platforms, Inc. (US) is certified under the EU-US Data Privacy Framework, and Meta's data processing terms include Standard Contractual Clauses for transfers the framework does not cover. Following the Irish Data Protection Commission's decision against Meta of 22 May 2023, Meta has accelerated its EU data centre build out (Ireland, Denmark, Sweden, Spain), but identity verification still passes through US infrastructure. A transfer impact assessment is recommended.
Consent (Article 6(1)(a) GDPR) is required for the initial Meta SDK load and for the broader data exchange with Meta. Contractual necessity (Article 6(1)(b)) can cover the strictly authentication-related processing once the user has clicked Login with Facebook. Any optional permission (friends list, marketing audiences, custom audiences) needs its own granular consent.
Load the Meta SDK only after explicit consent, configure the Facebook app to request the minimum permissions, store only the Facebook user ID and the data strictly necessary for the account, document the joint controller arrangement using the Meta Joint Controller Addendum, list Meta as a recipient in the privacy notice, provide an alternative login method (email and password or another SSO provider), and offer an easy way to disconnect and delete the Facebook ID from the customer profile.
DPIA considerations
A DPIA is strongly recommended when Facebook Login is used to authenticate customers, store profile information in your CRM or personalise content based on Facebook graph data. The DPIA must cover the data exchanged with Meta, the joint controller agreement, the lawful basis for each Facebook permission requested, the retention of Facebook user IDs in your database, the international transfer mechanism and the procedures for user requests.
Sample consent text
You can sign in to this website with your Facebook account. When you click the Login with Facebook button, your browser opens a Meta popup, transmits identifiers and your IP address to Meta Platforms Ireland Limited and Meta Platforms, Inc. in the United States, and sets cookies on facebook.com. We process the profile information you authorise to create or update your account. This processing relies on your consent; the transfer to the United States relies on the EU-US Data Privacy Framework. You can revoke access at any time in your Facebook settings or by disconnecting Facebook from your account on this site.
Third-party domains contacted
facebook.com, connect.facebook.net, graph.facebook.com, fbcdn.net, meta.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| c_user | HTTP cookie | 1 year | Logged in Facebook user ID set on .facebook.com after login. |
| xs | HTTP cookie | 1 year | Facebook session secret combined with c_user to authenticate the request. |
| datr | HTTP cookie | 2 years | Browser identifier set on first visit to facebook.com, used for security and abuse detection. |
| sb | HTTP cookie | 2 years | Facebook browser security cookie that helps detect impersonation. |
| fr | HTTP cookie | 90 days | Meta advertising identifier used for ad delivery on the Meta network. |
Which cookies does Facebook Login set?
Facebook Login sets c_user (1 year, logged in user ID), xs (session secret), datr (browser ID, 2 years), sb (security, 2 years) and fr (advertising identifier, 90 days) on .facebook.com. The operator domain may carry a transient OAuth state parameter and an fblo_<APP_ID> entry in localStorage.
Does Facebook Login require consent?
Yes. The Meta JavaScript SDK is treated as a social plugin under ePrivacy and requires prior opt-in before it loads. Each Facebook permission requested beyond basic authentication needs its own granular consent.
What is the lawful basis?
Consent (Article 6(1)(a) GDPR) for the Meta SDK load and the wider data exchange. Contractual necessity (Article 6(1)(b)) covers the strictly authentication-related processing once the user clicks Login with Facebook.
Does Facebook Login transfer data outside the EU?
Yes. Meta Platforms, Inc. is US controlled and certified under the EU-US Data Privacy Framework. Meta's data processing terms include Standard Contractual Clauses. Identity verification still passes through US infrastructure even after the EU data centre build out.
Is a DPIA required?
Yes, when Facebook Login authenticates customers, stores Facebook IDs in your database or feeds Facebook data into marketing personalisation. The DPIA must address the joint controller relationship and the EU-US transfer.
How do I use Facebook Login in a GDPR-compliant way?
Load the Meta SDK only after consent, request minimum permissions, document the joint controller arrangement, store the smallest set of profile data, provide an alternative login method and a clear way to disconnect.
What are the alternatives?
For social login: Sign in with Apple, Google Identity Services, GitHub OAuth, Microsoft Entra External ID, LinkedIn. As a replacement for email and password, consider passwordless options such as WebAuthn, magic links and TOTP. Open standards like OpenID Connect against a self-hosted Keycloak provide full sovereignty.
What should the privacy policy say?
Add a dedicated section identifying Meta Platforms Ireland Limited and Meta Platforms, Inc. as joint controllers, list the cookies, the purposes (authentication and advertising), the EU-US Data Privacy Framework certification and a link to the Meta privacy policy.