The Facebook Pixel is probably the most popular remarketing instrument and at the same time highly sensitive from a data protection law perspective. This article shows how to use the Facebook Pixel in a reasonably lawful way.
Facebook Pixel and Data Protection
It is well known that the company Facebook (USA) collects a lot of data from its users. The platform itself is free, the user pays with his data. What was already somewhat problematic in the past, to put it politely, has been highly explosive since May 25, 2018 with the General Data Protection Regulation.
The core of the proposed solution is a self-developed opt-out option for the Facebook Pixel, which in combination with other measures helps to be as compliant as possible with the General Data Protection Regulation. However, nobody knows exactly what data Facebook or Meta processes for what purpose. At least there is a judgment on the Facebook plugin (ECJ ruling of 29.07.2019 – C-40/17 – "Fashion ID"), according to which joint responsibility exists. In case of problems, therefore, both the website operator who integrates the FB Pixel and Meta are in the same boat. However, one should assume that Meta does not participate actively.
Requirements
For analysis tools on websites to have a chance at legal security, several requirements must be met, including:
- Consent request: The pixel may only be loaded after the user (= visitor to the website) has consented. This results, among other things, from Section 25 TTDSG, Art. 49 GDPR, the Schrems II ruling of the ECJ (ruling of 16.07.2020 – C-311/18) and Art. 5 para. 1 lit. c GDPR (“data minimization”).
- Proper text for the privacy policy: mention of the component, its purpose, the providing company (with address), a link to the providing company's privacy policy for the component, the personal data collected, and other notes (such as linking with the Facebook account if the user is currently logged in there)
- Option to opt out of data collection by the analysis tool
- IP address anonymization (see Google Analytics, for example)
- Minimizing the data to be collected to a justifiable extent (I wouldn't know why one needs to know the exact age of their website visitors, no one has that right on demand)
- Contract for commissioned data processing with the provider of the analysis tool
- Guarantee that the provider of the analysis tool complies with applicable data protection regulations here
Those who believe this is possible with the Facebook Pixel can continue. Some points do not necessarily concern this pixel, because it does not necessarily have to be regarded as an analysis tool.
Obtain consent
Step 1: Do not load pixels
Under no circumstances should you deliver the code for the FB Pixel in active form and hope that a consent tool effectively suppresses it until the user has given their consent. See my investigation into cookie tools.
Instead, use one of the following two options:
- Load the code for the FB Pixel only after the user has agreed.
- Deliver the code in inactive form and activate it only after the user has agreed.
Option one can, for example, be implemented with my free consent tool.
Option two uses the already quite widespread data-src attribute (instead of src) in script tags. The code for the FB Pixel then looks like this:
<script data-src="/script/to/pixel-code"></script>
The prerequisite is that the code for loading the Facebook Pixel must be in a script file. Those looking for technical tips on this can find them in my post about the linked consent tool. Maybe the following code example will also be helpful.
Step 2: Data protection notices on consent request
My checklist for consent requests lists the requirements for a consent popup, which is often referred to as a "Cookie Popup". These include in particular:
- Service name, here: Facebook Pixel (or equivalent, depending on the type of loaded FB service)
- Brief purpose description
- The provider is named: Meta, with country (the full address as well, or at least in the privacy policy)
- Point out that risks exist according to Art. 44 GDPR due to data transfer to the US
- All cookies are named. Per cookie:
  - Name
  - Purpose description
  - Lifetime
Make sure that the option to agree is not visually emphasized over the option to decline on the "Cookie Popup". Declining must be at least as easy as agreeing.
Opt-out possibility
The Facebook Pixel does not have a built-in opt-out option. I suggest the following solution:
Step 1: Insert JavaScript code
Add the following code to every page of your website and adjust the Facebook ID in the code. It can be inserted in the BODY area, perhaps right at the beginning:
<!-- Facebook Pixel privacy protection (C) dr-dsgvo.de -->
<script>
var fpProperty = 'mde-service';
var fpdisableStr = 'fp-disable-' + fpProperty; // name of the opt-out cookie

// Opt-out function: sets the opt-out cookie so the pixel is no longer loaded
function fpOptout() {
  document.cookie = fpdisableStr + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
  window[fpdisableStr] = true;
  alert("The Facebook Pixel is deactivated and will no longer be loaded. Please refresh the page");
}

// Re-activation: deletes the opt-out cookie and reloads the page
function activatePixelMDE() {
  document.cookie = fpdisableStr + '=true; Max-Age=-99999999; path=/';
  window[fpdisableStr] = false;
  alert("Facebook Pixel will be activated at next page load");
  window.location = window.location; // Reload of page
}

if (document.cookie.indexOf(fpdisableStr + '=true') > -1) {
  // FB Pixel is deactivated by user, do nothing
  // (the base64 string decodes to a German notice that the pixel is deactivated)
  console.log(atob("RmFjZWJvb2sgUGl4ZWwgaXN0IGRlYWt0aXZpZXJ0LiBEYXRlbnNjaHV0ei1NZWNoYW5pc211cyB2b24gaHR0cDovL3d3dy5tZWluZS1kYXRlbnNjaHV0emVya2xhZXJ1bmcuZGU="));
} else {
  // No opt-out cookie: standard Facebook Pixel loader
  !function(f,b,e,v,n,t,s)
  {if(f.fbq)return;n=f.fbq=function(){n.callMethod?
  n.callMethod.apply(n,arguments):n.queue.push(arguments)};
  if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
  n.queue=[];t=b.createElement(e);t.async=!0;
  t.src=v;s=b.getElementsByTagName(e)[0];
  s.parentNode.insertBefore(t,s)}(window, document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '2051522461760028'); // Put your ID in here
  fbq('track', 'PageView');
  // (the base64 string decodes to an attribution notice for the privacy mechanism)
  console.log(atob("RGF0ZW5zY2h1dHotTWVjaGFuaXNtdXMgdm9uIGh0dHA6Ly93d3cubWVpbmUtZGF0ZW5zY2h1dHplcmtsYWVydW5nLmRl"));
}
</script>
Verify that reloading the page after deactivation works.
Step 2: Complete your privacy policy
Your users must receive an opt-out option for the Facebook pixel. This can be implemented using JavaScript code. Copy the following code into your privacy policy where you want the user to have an opt-out option for the Facebook pixel.
<script>
// Requires fpdisableStr, fpOptout() and activatePixelMDE() from the script in step 1
if (document.cookie.indexOf(fpdisableStr + '=true') > -1) {
  // Opt-out cookie is set: offer re-activation
  document.write('<div class="text-center" style="margin-top:24px"><a onclick="activatePixelMDE()">Activate FB Pixel</a></div>');
} else {
  // No opt-out cookie: offer deactivation
  document.write('<div class="text-center" style="margin-top:24px;margin-bottom:96px"><a onclick="fpOptout()">Deactivate the pixel</a></div>');
}
</script>
It is best to place this code at the end of the privacy statement text for the Facebook Pixel.
Extended comparison
Facebook offers the possibility of an extended data synchronization. It is strongly recommended to deactivate this option in order to avoid problems with data protection law. If you still want to use the extended synchronization, you should definitely obtain consent from your users before using the pixel. How to do this is up to you – as far as I know, suitable solutions are not available.
Legal Notes
This article does not constitute legal advice. If you want to be absolutely sure, it is recommended to proceed in the following way, which is however not very practical:
- Ask your user for consent for the Facebook Pixel and associated data collection
- Only after approval, load the Facebook Pixel code
- If the user revokes their consent – for example, through an opt-out mechanism as described above – prevent loading of the Facebook code again
Requesting consent under point 1 can be combined with a cookie popup asking for consent to use cookies. Sounds complicated and user-unfriendly, which it is. The General Data Protection Regulation deals with data protection, not user-friendliness or practicality. Have fun!
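The three steps above, combined with the data-src option from "Step 1: Do not load pixels", as an added example that is not the article's own code: the inactive script is activated only if a consent cookie is present and the opt-out cookie from the article (fp-disable-mde-service) is absent. The consent cookie name consent-fbpixel, the data-consent attribute and all function names are assumptions.

```javascript
// Added example, not the article's code. Assumed names: CONSENT_COOKIE,
// the data-consent attribute, and all function names below.
const OPT_OUT_COOKIE = 'fp-disable-mde-service'; // opt-out cookie set by fpOptout() in the article
const CONSENT_COOKIE = 'consent-fbpixel';        // hypothetical cookie written by the consent popup

// Parse a document.cookie string into a name -> value map so names match exactly.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const pair of cookieString.split(';')) {
    const eq = pair.indexOf('=');
    if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
  return jar;
}

// Load only with recorded consent AND no opt-out (a revocation always wins).
function mayLoadPixel(cookieString) {
  const jar = parseCookies(cookieString);
  return jar.get(CONSENT_COOKIE) === 'true' && jar.get(OPT_OUT_COOKIE) !== 'true';
}

// Replace every inactive <script data-src data-consent="service"> with a live one.
// Returns the URLs that were activated; an empty array means nothing was loaded.
function activateDeferredScripts(doc, service) {
  if (!mayLoadPixel(doc.cookie || '')) return [];
  const activated = [];
  for (const placeholder of Array.from(doc.querySelectorAll('script[data-src]'))) {
    if (placeholder.getAttribute('data-consent') !== service) continue;
    const url = placeholder.getAttribute('data-src');
    const live = doc.createElement('script');
    live.src = url;
    live.async = true;
    // Inserting a script element with a real src makes the browser fetch and run it.
    placeholder.parentNode.replaceChild(live, placeholder);
    activated.push(url);
  }
  return activated;
}

// In a browser: call at page load and again from the popup's "accept" handler.
if (typeof document !== 'undefined') {
  activateDeferredScripts(document, 'fbpixel');
}
```

The matching markup would be `<script data-src="/script/to/pixel-code" data-consent="fbpixel"></script>`; without the consent cookie, or with the opt-out cookie set, the placeholder stays inert.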
Data Protection Check for Websites
A comprehensive data protection text for Facebook Pixel as well as support for many analysis tools, scripts, and components is offered by the Data Protection Check. What no human can achieve, my software does: An automated data protection analysis of a website with solution proposals for found problems.
Key messages
To legally use Facebook Pixel, you need to obtain explicit consent from users before loading the code.
This text explains how to implement the Facebook Pixel on your website while complying with data protection regulations like GDPR.
Use the Facebook Pixel responsibly and make sure you have your users' consent before tracking their data.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
