Facebook Social Plugins are embeddable widgets from Meta (Like and Share buttons, comment box, Page plugin, embedded posts) that load iframes from connect.facebook.net and link the visitor with their Meta identity.
Facebook Social Plugins are embeddable widgets distributed by Meta Platforms Ireland Ltd that allow third party websites to surface Like, Share, Comment, Page and Embedded Post features. They load through the JavaScript SDK served from connect.facebook.net and render an iframe on facebook.com, which means the browser establishes a direct connection with Meta as soon as the plugin appears.
Like buttons increment a counter and post to the visitor's timeline; Share buttons open a dialog to compose a Facebook post; the Page plugin embeds a preview of a public Facebook Page; the Comments box stores reactions inside Meta; and the Embedded Post widget displays a public post. All of them rely on the same SDK and forward referer, IP and cookies to Meta.
Meta sets the third party cookies datr, sb, fr, c_user (when the visitor is logged in to Facebook) and _fbp on the facebook.com domain when the plugin loads. It also collects the page URL, referer, user agent, IP address, viewport size and mouse movements. The data is combined with the Meta profile if the visitor has an account, even when they are logged out, through the datr cookie.
The Court of Justice of the European Union confirmed in Fashion ID v Verbraucherzentrale NRW (C-40/17) that the website operator is joint controller with Meta for the data collection and transmission performed by social plugins. Prior, granular consent is therefore mandatory under Article 6(1)(a) GDPR and Article 5(3) ePrivacy. Several supervisory authorities (CNIL, BfDI, AP) have explicitly sanctioned websites that loaded the plugins by default.
Meta Platforms Ireland Ltd is the EEA controller, but the data is forwarded to Meta Platforms Inc. in the United States. The transfer relies on the EU US Data Privacy Framework decision of 10 July 2023 (Meta is certified) and, as a fallback, on Standard Contractual Clauses combined with supplementary measures. A Transfer Impact Assessment is recommended in regulated sectors.
Sign the Meta Controller Addendum (joint controller agreement) in the Meta Business Manager, gate connect.facebook.net behind your CMP so the SDK only loads after consent, prefer a two click solution (static image that becomes active after a click) or a server side proxy, document the joint controllership in your privacy notice with a link to the Meta information for joint controller, and add Meta to the cookie register with the categories and recipients.
Websites using Facebook Social Plugins must obtain user consent under GDPR regulations.
DPIA considerations
Because the CJEU Fashion ID ruling (C-40/17) qualifies the website operator as joint controller with Meta for the data collected by social plugins, a DPIA is recommended whenever plugins are loaded on the home page, on pages with sensitive content (health, politics, religion) or on pages accessed by minors. The DPIA must document the joint controller agreement that Meta provides (Controller Addendum), the categories of data sent (IP, cookies, browser, referrer, mouse movements), the US transfer leg under the EU US Data Privacy Framework and the alternatives considered (static images, two click solutions).
Sample consent text
This page contains Facebook plugins (Like, Share, Page widget, Comments) provided by Meta Platforms Ireland Ltd. If you accept, Meta receives information about your visit, your IP address, your Meta cookies and the page you are viewing, and may combine it with your account profile, including outside the European Union. By clicking Accept, you consent to this transfer; you can refuse and the plugins will not load.
Third-party domains contacted
- connect.facebook.net
- www.facebook.com
- facebook.com
- staticxx.facebook.com
- static.xx.fbcdn.net

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| datr | http_cookie | 2 years | Third party cookie set by Meta on facebook.com to identify the browser, used for security purposes and to link interactions with social plugins to the user's Meta profile. |
| sb | http_cookie | 2 years | Third party cookie set by Meta to identify the browser for security purposes and to facilitate account recovery when accessed from a known device. |
| fr | http_cookie | 90 days | Marketing cookie set by Meta to deliver and measure advertising, including content shown on websites that embed Facebook social plugins. |
| c_user | http_cookie | Session or 30 days | Authentication cookie set by Meta on facebook.com when the visitor is logged in, used to identify the Facebook user to whom social interactions are attributed. |
| _fbp | http_cookie | 90 days | First party cookie injected by the Meta Pixel companion of the SDK to identify the browser for ad measurement and conversion tracking. |
| xs | http_cookie | Session or 30 days | Authentication session cookie set by Meta to maintain the secure login state of a Facebook user across pages embedding social plugins. |
When the SDK from connect.facebook.net loads, Meta sets several third party cookies on facebook.com, including datr (browser identifier, 2 years), sb (security browser, 2 years), fr (advertising preferences, 90 days), c_user (logged in user id) and _fbp (browser identifier for ad measurement, 90 days). These cookies are linked to the visitor's Meta account when one exists.
Yes. The CJEU ruling Fashion ID (C-40/17) and the EDPB Guidelines 8/2020 require prior, explicit and granular consent before loading any Facebook social plugin, because the plugin sets non essential cookies, transmits personal data to Meta and makes the website operator joint controller with Meta for that collection.
Consent under Article 6(1)(a) GDPR combined with Article 5(3) ePrivacy is the only viable basis. Legitimate interest is not appropriate because social plugins combine cross site identifiers and forward personal data to a US advertising platform, which the EDPB Guidelines 8/2020 explicitly exclude from the legitimate interest pathway.
Yes. Meta Platforms Ireland Ltd is the EEA controller, but the data is forwarded to Meta Platforms Inc. in the United States. The transfer relies on the EU US Data Privacy Framework decision of 10 July 2023 (Meta is certified) and on Standard Contractual Clauses with supplementary measures.
A DPIA is strongly recommended when the plugins appear on the home page, on pages dealing with sensitive content (health, politics, religion) or on pages accessed by minors. The DPIA must analyse the joint controllership under the Meta Controller Addendum, the categories of data sent (IP, cookies, browser, referer, mouse movements) and the alternatives considered (static image, two click solution).
Sign the Meta Controller Addendum from the Business Manager, gate connect.facebook.net behind your CMP so the SDK only loads after marketing consent, prefer a two click solution where the plugin is replaced by a static image until clicked, integrate Google Consent Mode v2 with ad_storage and ad_user_data denied by default, and document Meta in the cookie policy and the privacy notice with its joint controller status.
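The gating and two click steps described above (and in the earlier compliance checklist) can be sketched as follows. This is an added example, not code from Meta, FlowConsent or any CMP; the function names, the `en_US` locale segment and the way the CMP reports consent are assumptions.

```javascript
// Added example: a consent gate for one Facebook Like plugin.
// Nothing in this file contacts Meta until activate() succeeds.
const SDK_SRC = "https://connect.facebook.net/en_US/sdk.js"; // locale is an assumption

// doc/win are the page's document and window, passed in so the gate can be
// exercised outside a browser. sdkVersion is the Graph API version string
// your own app uses; the caller supplies it.
function createPluginGate(doc, win, sdkVersion) {
  let sdkInjected = false;

  function injectSdk() {
    if (sdkInjected) return; // one SDK load per page, however many plugins
    // The SDK calls fbAsyncInit once loaded; xfbml:true renders .fb-* markup.
    win.fbAsyncInit = () => win.FB.init({ xfbml: true, version: sdkVersion });
    const script = doc.createElement("script");
    script.src = SDK_SRC;
    script.async = true;
    doc.head.appendChild(script); // first network contact with Meta
    sdkInjected = true;
  }

  return {
    // placeholder: the static image element standing in for the plugin.
    // consent: the CMP's answer for the marketing category (hypothetical API).
    activate(placeholder, pageUrl, consent) {
      if (consent !== true) return false; // fail closed on undefined, "true", 1
      const plugin = doc.createElement("div");
      plugin.className = "fb-like";
      plugin.setAttribute("data-href", pageUrl);
      placeholder.replaceWith(plugin);
      injectSdk();
      return true;
    },
    isLoaded: () => sdkInjected,
  };
}
```

In a browser, `activate` would be called from the placeholder's click handler with the value your CMP returns for the marketing category.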
Privacy preserving alternatives include static share links that open facebook.com in a new tab without loading the SDK, the Shariff library from Heise (which avoids any contact with Meta until the user clicks), the use of native open share intents on mobile, or migrating the social proof to first party testimonials and reviews hosted on your own domain.
Rescan the affected pages with your CMP whenever Meta updates the SDK because new cookies (or renamed cookies) can be introduced silently. Subscribe to the Meta developer change log and the EDPB news to capture regulatory changes. Update the cookie register and the privacy notice when a new plugin (such as Page or Group plugin) is added to the site.
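One way to automate that rescan, as an added example rather than a FlowConsent or Meta tool: check a recorded request log for contact with the domains listed under "Third-party domains contacted" before consent, and for cookie names missing from the register above. The log entry shape (`url`, `timeMs`, `setCookie`) and the sample entries are constructed for illustration.

```javascript
// Domains and cookie names copied from this page's lists.
const META_HOSTS = ["connect.facebook.net", "www.facebook.com", "facebook.com",
  "staticxx.facebook.com", "static.xx.fbcdn.net"];
const COOKIE_REGISTER = new Set(["datr", "sb", "fr", "c_user", "_fbp", "xs"]);

// Match a listed host or one of its subdomains, never a lookalike such as
// facebook.com.tracker.example or notfacebook.com.
function isMetaHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return META_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// entries: requests recorded by a headless scan (constructed format).
// consentTimeMs: when consent was given, or null if it never was.
function auditScan(entries, consentTimeMs) {
  const preConsent = [];
  const unregistered = new Set();
  for (const e of entries) {
    let host;
    try { host = new URL(e.url).hostname; } catch { continue; } // skip malformed URLs
    if (!isMetaHost(host)) continue;
    if (consentTimeMs === null || e.timeMs < consentTimeMs) preConsent.push(e.url);
    // Only Set-Cookie headers from Meta hosts are inspected here; _fbp is
    // written first party by script and needs a separate cookie-jar check.
    for (const header of e.setCookie || []) {
      const name = header.split("=", 1)[0].trim();
      if (name && !COOKIE_REGISTER.has(name)) unregistered.add(name);
    }
  }
  return { preConsent, unregistered: [...unregistered].sort() };
}

// Constructed sample log: one SDK request before consent (at 500 ms), one
// lookalike host, and one response carrying a cookie the register lacks.
const SAMPLE_LOG = [
  { url: "https://example.org/", timeMs: 0, setCookie: [] },
  { url: "https://facebook.com.tracker.example/x", timeMs: 50, setCookie: [] },
  { url: "https://connect.facebook.net/en_US/sdk.js", timeMs: 120, setCookie: [] },
  { url: "https://www.facebook.com/constructed/plugin-frame", timeMs: 900,
    setCookie: ["fr=CONSTRUCTED; Path=/", "newid=CONSTRUCTED; Path=/"] },
];
```

A non-empty `preConsent` list means the consent gate is leaking; a non-empty `unregistered` list means the cookie register needs updating.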