All you need to know to balance privacy and marketing with Meta

GDPR-safe Meta Ads Implementation Guide
The Meta Ads platform enables targeted advertising across Facebook, Instagram and other Meta properties. This document outlines implementation approaches that reduce your legal risk under the GDPR.
An important note regarding "GDPR compliant": We use the term GDPR compliant in this article, mainly because people often use it when searching for solutions to their GDPR/privacy challenges, and we believe this article is highly relevant for them. However, it is not possible to guarantee a GDPR compliant Meta Ads setup, because the devil is in the details and everything depends on your concrete setup. While we are not enthusiastic about the term "GDPR compliant" and how it is used, we recognise that many in our target audience use it, so that is primarily why we use it too. A better term is reduced GDPR legal risk. What we can promise is that you will reduce your legal risk by following and considering the recommendations in this article.
Relevant Contracts & Agreements
- Meta Business Terms
- Meta Business Tools Terms
- Data Processing Agreement
- Meta Platform Terms
- Meta Advertising Policies
Ways to send data to Meta
Meta Pixel: A JavaScript snippet placed on your pages that tracks user interactions such as page views and button clicks. Every request it makes exposes the visitor's IP address and the browser's HTTP headers (User-Agent, language and, where the browser allows third-party cookies, Meta's own cookies), plus whatever event and form data the page attaches. It is useful for real-time tracking but raises privacy concerns because the tracking is cookie-based and the browser talks to Meta directly.
Meta Conversions API (CAPI): A server-side method that sends event data (e.g. purchases, sign-ups) from your own server directly to Meta, giving you control over exactly which fields are shared. It does not depend on browser cookies, which makes it easier to minimise data and often more accurate, since ad blockers and browser restrictions do not interfere.
Both methods can be used to build custom audiences for retargeting and to optimise campaigns, but we recommend the Conversions API because of the control it gives you over the data.
Meta Pixel
The Meta Pixel is a piece of JavaScript you add to your website. It tracks user behaviour and sends data back to Meta. Under the GDPR you are obligated to know what personal data you share with third parties, so using the Meta Pixel is risky if you do not control how it is used. The Swedish Data Protection Authority (IMY) has fined several organisations under the GDPR for improper implementations of the Meta Pixel. Unfortunately Meta does not document in detail all the parameters the script collects and sends back; it only gives a general description. We have inspected the requests the Meta Pixel makes in order to uncover its behaviour and what data it sends. Our conclusions follow (the Meta Pixel changes constantly, so we update this overview as often as we can).
Data transmitted on every request made by the pixel:
- IP address (visible to Meta's servers from the connection itself, whether or not any parameter contains it).
- All HTTP headers the browser attaches. Which ones depends on the browser, but typically the User-Agent string and language preferences. Cookies belonging to the facebook.com domain are also sent if the user's browser sends cookies in a third-party context (Chrome does this by default; Safari and Firefox generally do not).
For each request/event the following parameters may be sent (this is not an exhaustive list, but we keep updating it):
Parameter | Description |
---|---|
id | The Facebook Pixel ID that identifies your specific Meta/Facebook advertising account |
ev | Event type being tracked (for example PageView indicates a user viewed the page) |
dl | Document location - the full URL (with query parameters etc) of the page where the event occurred |
rl | Referrer location - the URL of the page the user came from |
if | In iframe - indicates whether the page is loaded within an iframe |
ts | Timestamp - when the event occurred (in milliseconds since Unix epoch) |
sw | Screen width - the width of the user's screen in pixels (screen.width, not the viewport) |
sh | Screen height - the height of the user's screen in pixels (screen.height) |
v | Version - the version of the Meta Pixel code being used |
r | Release type - indicates the pixel is using the stable release version |
ec | Event count - number of events sent in this session |
o | Possibly an internal tracking parameter |
fbp | The value of the _fbp first-party cookie the pixel sets on your domain: a unique identifier for the browser that lets Meta link events from the same visitor across requests |
ler | Last error - records any errors from previous requests (empty indicates no errors) |
cdl | Client data library - status of client data library (API unavailable in this case) |
it | Init time - when the pixel was initialized (timestamp in milliseconds) |
coo | Cookies enabled - whether third-party cookies are enabled in the browser |
exp | Experiment - indicates which experiment/variation the user is part of (k0) |
rqm | Request method - how the pixel sent this request to Facebook (observed values include GET and FGET) |
cd[anyname] | Custom data. Every parameter you pass in fbq('track', ...) is sent as cd[name]=value, and with Automatic Events enabled Meta's script fills these in itself (for example the text of a clicked button). This is where product, order and form data ends up, so review every key |
es | Event source - indicates if the event was automatically captured or not. If you have Automatic Events enabled, events from that feature will have the value “automatic” |
tm | Timing measurement - likely related to event processing time |
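To check what your own pixel actually sends, here is an added example that is not part of the original article and not code from Meta: a function that parses a captured request URL (copied from a request to https://www.facebook.com/tr/ in the browser's network tab) and flags the parameters from the table above that typically carry personal data. The sample request is constructed (the pixel ID, URLs and values are made up); the parameter names are the ones listed above.

```javascript
// Added example, not code from the original article or from Meta: audit a
// captured Meta Pixel request and report which parameters carry personal
// data. Copy the URL of a request to https://www.facebook.com/tr/ from the
// browser's network tab and pass it to auditPixelRequest().
//
// The sample below is CONSTRUCTED (made-up pixel id, URLs and values); the
// parameter names are the ones from the table above.
const SAMPLE_PIXEL_REQUEST =
  'https://www.facebook.com/tr/?id=1234567890123456&ev=SubscribedButtonClick' +
  '&dl=' + encodeURIComponent('https://shop.example/checkout?email=alice@example.com&order=42') +
  '&rl=' + encodeURIComponent('https://www.google.com/') +
  '&if=false&ts=1700000000000&sw=1920&sh=1080&v=2.9.100&r=stable&ec=1' +
  '&fbp=fb.1.1700000000000.123456789&coo=false&es=automatic' +
  '&cd[buttonText]=' + encodeURIComponent('Pay now');

// Loose e-mail pattern: enough to catch addresses leaking through URLs.
const EMAIL_RE = /[^\s@&=?/]+@[^\s@&=?/]+\.[a-z]{2,}/i;

// Parameters that identify the browser across requests even without PII.
const IDENTIFIER_PARAMS = new Set(['fbp', 'fbc']);

function auditPixelRequest(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  const params = {};

  for (const [name, value] of url.searchParams) {
    params[name] = value;

    if (name === 'dl' || name === 'rl') {
      // Page and referrer URLs: the query string is where PII usually hides.
      let inner;
      try { inner = new URL(value); } catch { continue; }
      const keys = [...inner.searchParams.keys()];
      if (keys.length > 0) {
        findings.push({ param: name, issue: 'url_with_query_string', detail: keys.join(',') });
      }
      if (EMAIL_RE.test(inner.search) || EMAIL_RE.test(inner.pathname)) {
        findings.push({ param: name, issue: 'email_in_url', detail: inner.href });
      }
    } else if (name.startsWith('cd[')) {
      // Custom data: whatever your code, or Automatic Events, attached.
      findings.push({ param: name, issue: 'custom_data', detail: value });
      if (EMAIL_RE.test(value)) {
        findings.push({ param: name, issue: 'email_in_custom_data', detail: value });
      }
    } else if (name === 'es' && value === 'automatic') {
      findings.push({ param: name, issue: 'automatic_events_enabled', detail: value });
    } else if (IDENTIFIER_PARAMS.has(name)) {
      findings.push({ param: name, issue: 'user_identifier', detail: value });
    }
  }
  return { pixelId: params.id, event: params.ev, findings };
}

// Distinct issue codes, in order of first occurrence: handy for a CI check
// that fails the build when a new kind of leak appears.
function issueCodes(rawUrl) {
  return [...new Set(auditPixelRequest(rawUrl).findings.map((f) => f.issue))];
}

console.log(JSON.stringify(auditPixelRequest(SAMPLE_PIXEL_REQUEST), null, 2));
```

Run it against a handful of real captures from your site (page view, a form submit, a purchase) rather than one; the `dl` parameter on a thank-you page and the `cd[...]` keys on a conversion event are where the surprises usually are.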
Beware of “Automatic” - do not enable
Meta offers two "Automatic" features: Automatic Advanced Matching (AAM) and Automatic Events. Both are the antithesis of one of the GDPR's guiding principles, data minimisation. In our view they are ghosts from a past where marketers shared everything with everyone "just to be sure". If you enable them you have essentially no control over what data is shared with Meta, and you must assume everything is shared: AAM picks up e-mail addresses, names and phone numbers from the forms on your pages, and Automatic Events attaches button and page details to events you never defined.
Several enforcement actions by data protection authorities concern organisations that had Automatic Events or Automatic Advanced Matching enabled; read all about it here.
Core setup - yes, enable this
In 2024 Meta introduced a feature called "Core setup". It lets you limit what the Meta Pixel sends to Meta. At its core (pun intended) it is an implementation of the GDPR's data minimisation principle: process only the data necessary for the purpose. With Core setup enabled the pixel does not send the full URL to Meta, and custom events that you have not verified are not allowed. So with Core setup enabled you must be specific about the data you need to send to Meta to achieve your goal (for example optimising your campaigns or creating remarketing lists). We recommend enabling Core setup and implementing specifically the events and data you need.
If you enable Core setup with data restrictions, you must verify every custom event you send through the pixel or CAPI. It is easy to be misled when setting this up: if you test with custom events, they go through in the first session. You can send the same event multiple times and everything looks normal. However, the custom event is then placed on a validation list in Events Manager. From that point on, every configuration response the Meta Pixel JavaScript receives includes the event in a list called "unverifiedEventNames", and the script itself then blocks the event so it is never sent to Meta's servers. The browser console shows: "[Meta Pixel] - You are attempting to send an unverified event. The event was suppressed. Go to Events Manager to learn more." Once the event is verified in Events Manager it is removed from "unverifiedEventNames" and the pixel stops blocking it. Check the console and the network tab after the first session, not only during it, before you assume a custom event is flowing.
Meta Conversion API (CAPI)
The Meta Conversions API (CAPI) is a server-to-server alternative to the Meta Pixel for sharing data with Meta. You can send web, app and offline event data directly from your systems to Meta. Unlike the Meta Pixel, which relies on browser-based tracking, CAPI is not affected by browser restrictions, ad blockers or cookie limitations, which makes delivery more reliable. It is also more privacy-conscious because the data sharing is explicit by nature: you share only the fields you deliberately put in the request, and if you use it without the pixel, the visitor's browser never talks to Meta at all.
There are several ways to implement the Meta Conversion API (CAPI), depending on your technical expertise, business setup, and data infrastructure. Here are the main options:
1. Server-to-Server (Custom Implementation)
A fully customized integration using your own backend server to send events directly to Meta’s API.
Best for: Large businesses, enterprises, or developers who need full control over event tracking.
Setup effort: High
- Requires backend development and server management
- Needs a Conversions API access token (generated in Events Manager) and proper authentication; treat the token as a secret
- Allows complete control over data handling, consent management, and privacy
Meta API Documentation: Conversions API Docs
2. Google Tag Manager (GTM) Server-Side
If you already use Google Tag Manager (GTM), you can set up a server-side container to handle CAPI requests.
Best for: Businesses already using GTM and looking for a balance between ease of use and control.
Setup effort: Medium
- Requires a server-side GTM container
- Good middle ground between fully custom and plug-and-play integrations
3. Meta’s Conversions API Gateway
Meta provides a packaged server-side solution that you deploy into your own cloud account and configure from Events Manager; Meta maintains the software, so you avoid building and operating the integration yourself.
Best for: Businesses that want an easier, cloud-based setup with Meta handling most of the backend.
Setup effort: Medium
- Deployed in your own AWS or GCP account
- Requires basic setup in Meta Events Manager
- Easier than a full custom implementation but less flexible than a self-managed server
Meta API Documentation: Conversions API Gateway Docs
4. Partner Integrations (No-Code / Low-Code)
For businesses using platforms with built-in CAPI support, this is the easiest way to implement CAPI with minimal technical effort. But be careful and investigate what data the integration actually sends to the Meta API, and whether it respects the visitor's consent decision. We have no experience with these tools/integrations, but we suspect the default settings share more than necessary.
Best for: E-commerce businesses, marketers, and non-technical users.
Setup effort: Easy
- Shopify (via Facebook & Instagram App)
- WooCommerce (via Facebook for WooCommerce plugin)
- BigCommerce
- Magento (Adobe Commerce)
- Google Tag Manager (Server-Side)
- Other third-party integrations (like Segment, Zapier, Tealium, etc.)
Platform Required Terms
Cookie Pop-up Requirements
According to the Meta Business Tools Terms you must ensure, in a verifiable manner, that an end user provides all necessary consents before you use Meta Business Tools to enable the storage of and access to Meta cookies or other information on the end user's device. "Verifiable" means you should record the decision (when it was given and which text the user saw) so that you can demonstrate it later, and nothing that contacts Meta, including loading the pixel script itself, should run before it is given. Meta has also written a Cookie Consent Resource, but it is a bit vague and not very concrete. So here is a concrete suggestion for an informative consent text you can use on your website: "We use Meta Pixel to analyze and optimize our advertising. For this purpose, information about your use of our website is transmitted to Meta. You can find more information in our privacy policy. [Accept] [Reject]"
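A consent-gated pixel bootstrap, as an added example that is not from the article and not Meta's code: it produces the fbq call sequence that the "Automatic" and cookie pop-up sections above call for. Nothing is loaded or sent until the visitor accepts, Automatic Configuration is switched off before init, and events requested before the decision are dropped on reject. The fbq verbs (set autoConfig, init, track, consent grant/revoke) are the ones Meta documents; the `loadPixelScript` and `getFbq` hooks and the recorder used in the demo are our assumptions so the sequence can be checked without loading fbevents.js.

```javascript
// Added example, not from the original article or from Meta: a small
// controller that wires the consent dialog to the Meta Pixel.
// Assumptions (ours): loadPixelScript() injects fbevents.js and defines
// window.fbq; getFbq() returns that function. The fbq verbs are Meta's.
function createPixelController({ pixelId, loadPixelScript, getFbq }) {
  let decision = null;   // null = not yet asked, true = accepted, false = rejected
  let loaded = false;    // has fbevents.js been injected?
  const pending = [];    // events requested before the visitor decided

  function fbq(...args) { getFbq()(...args); }

  return {
    // Call this wherever you would otherwise call fbq('track', ...).
    track(eventName, params = {}) {
      if (decision === true) { fbq('track', eventName, params); return 'sent'; }
      if (decision === null) { pending.push([eventName, params]); return 'queued'; }
      return 'dropped';
    },
    // Wire to [Accept]. Only now does the browser contact Meta at all.
    grant() {
      if (decision === true) return;
      decision = true;
      if (!loaded) {
        loadPixelScript();
        fbq('set', 'autoConfig', false, pixelId); // before init: no Automatic Events
        fbq('init', pixelId);
        loaded = true;
      } else {
        fbq('consent', 'grant');                  // re-enable after an earlier revoke
      }
      fbq('track', 'PageView');
      for (const [name, params] of pending.splice(0)) fbq('track', name, params);
    },
    // Wire to [Reject] and to any later withdrawal of consent.
    revoke() {
      if (decision === true) fbq('consent', 'revoke'); // script is loaded: stop it sending
      pending.length = 0;
      decision = false;
    },
    decision: () => decision,
  };
}

// Recorder standing in for fbevents.js (constructed, for the demo only).
function makeRecorder() {
  const calls = [];
  return {
    calls,
    loadPixelScript: () => calls.push(['<inject fbevents.js>']),
    getFbq: () => (...args) => calls.push(args),
  };
}

// Simulates a page where a ViewContent event fires before the visitor has
// answered the dialog, then an AddToCart after the answer.
function demo(accept) {
  const rec = makeRecorder();
  const pixel = createPixelController({
    pixelId: '1234567890123456', loadPixelScript: rec.loadPixelScript, getFbq: rec.getFbq,
  });
  const early = pixel.track('ViewContent', { content_ids: ['sku-1'] });
  if (accept) pixel.grant(); else pixel.revoke();
  const late = pixel.track('AddToCart', { value: 9.9, currency: 'EUR' });
  return { early, late, calls: rec.calls };
}

console.log(JSON.stringify(demo(true), null, 2));   // full call sequence
console.log(JSON.stringify(demo(false), null, 2));  // no calls at all
```

Meta's own documented pattern is to load the script, call fbq('consent', 'revoke') before init and grant later; that still fetches fbevents.js, and with it sends the headers and facebook.com cookies described earlier, before the visitor has decided. The controller above avoids that by not loading anything until [Accept], and keeps the consent grant/revoke calls for the case where consent is withdrawn after the script is already on the page.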