Is the Facebook Pixel GDPR-compliant?

A website owner was fined 15 million for using the Facebook Pixel (today Meta Pixel). If you are using the Facebook Pixel on your site, this is what you need to know.
Table of Contents

The Swedish Data Protection Agency (IMY) has reached a decision for the first of 5 Facebook Pixel cases currently on their table. On June 25, 2024, they published their decision, which issued a fine of 15 million Swedish kronor—approx 1.34 million euro.

The ruling from the Swedish DPA is detailed, and while it specifically applies to this case, the reasoning is relevant to all website owners who do business in an EU or EEA country.
IMY declares that the company in question is eligible for the highest fine level due to the seriousness of the case—which in this case was 20 million euros—but decided that 1,34 million euros would suffice.

The website owner decided to “drop it like it’s hot” while being investigated. But should you remove the Facebook Pixel from your website as well?

Let’s break down how they used the Facebook Pixel, why they breached the GDPR by doing so, if there were any mitigating circumstances, and what you should do to ensure that your website stays GDPR-compliant and out of any enforcement authorities’ radar.

How did the website owner use the Facebook Pixel?

In this case, the website owner decided to use the Facebook Pixel (today, Meta Pixel) on their website in 2019. They did so to optimize their digital marketing, as one does.
In 2019, Facebook (now Meta) developed a feature for the Facebook Pixel called Automatic Advanced Matching (AAM). The website owner states that they activated the AAM feature by mistake, which is the main reason their website unlawfully transferred that “huge” amount of personal data to Facebook/Meta, including social security numbers, bank account numbers, and other highly sensitive information.

The website owner also activated a Facebook Pixel feature called Automatic Events. Also this was done “by mistake”.

While the company had approved its marketing department’s use of the Facebook Pixel, which was implemented after an internal security and compliance process, it had not approved the AAM or AE features.

The marketing department later asked the legal department for approval to use the specific AAM feature for the Facebook Pixel, which the latter denied. Despite this, someone had turned on the AAM feature.

What does Facebook's AAM feature do?

The AAM (Advanced Automatic Matching) feature enables a website that uses the Facebook Pixel to automatically collect visitors’ data and match them with users on their platforms—Facebook and/or Instagram.

If you use a form on your website, AAM collects form-data like email addresses and phone numbers and sends this to Facebook/Instagram. The data is hashed for security reasons before it is transferred.

The purpose is to track and profile visitors so that your ads can be more accurate and effective. Facebook may also use this information to improve its own services and ad-targeting capabilities, benefiting other advertisers that use its Pixel and ad platform.

What does Facebook’s AE feature do?

The AE (Automatic Events) feature enables a website that uses the Facebook Pixel to automatically track user interactions, such as button clicks, searches, and menu selections.

When a visitor navigates your website or app, AH collects data about these interactions and sends it to Facebook/Instagram. This data is often sent in clear text.

The purpose is to analyze user behaviour to make your ads more relevant and effective. As for the AAM feature, Facebook may also use this information to improve its services and ad-targeting capabilities.

What happened when the website owner activated the Facebook Pixel?

When the website owner, in this case unknowingly, activated the AAM and AE features, they ended up sharing personal information with Facebook en masse.

Approximately personal data from 500 001 – 1 million individuals between 2019 to 2021. Through the AAM feature, personal information of the following sort was transferred to Facebook.

  • Social security number
  • Employer,
  • Type of employment,
  • Bank account number
  • Bank loan (amount)
  • Contact information such as;
    – Phone number,
    – Email,
    – Postal code

Through the AE feature, personal information of the following sort was transferred to Facebook:

  • What bonds you have and their value
  • Bank loan amount
  • Account number and credit limit
  • Fees, taxes and interest rates
  • Current orders
  • Company owner and bank from which pension was moved
  • Email
  • Social security number

Did every website visitor risk getting their personal information transferred to Meta?

No, “only” those who had consented to marketing cookies on the site and had logged into the site got their movement tracked by the Facebook Pixel and their personal data shipped to Meta.

With one exception.

Some buttons for certain forms on the website were bare for all visitors, targeting visitors who were not customers of the company. Visitors who filled in those fields and pushed those buttons would also get their data transferred to Meta, specifically due to the AE feature of the Facebook Pixel being activated.

Why was the website owner fined for using the Facebook Pixel?

They were not.
The Swedish DPA does not audit if you have breached the ePrivacy-directive, sometimes dubbed “the cookie law”. The enforcement authority for that is the Swedish Postal and Telecom Authority.

So what was this case about, then?

In this specific case, the DPA explicitly states that they only looked at how personal data was collected and then shared with a third party and whether this was in breach of the GDPR.

The DPA did consider whether there were legal grounds, such as consent, for collecting the data. They do, for example, write that only (mostly) visitors who had consented (on a cookie banner, one must presume) to marketing cookies (and then logged into the website as a customer) had gotten their data collected and shared with Facebook/Meta without scrutiny. But the decision from the DPA focused only on how personal data was collected and shared.

What did the website owner get fined for?

Simply put, the website owner transferred sensitive personal data to Meta/Faceboook without proper security measures. They also failed to prevent it and find out about it because they did not have security measures in place that actually worked. Marketing had decided to activate the Pixel, even though they were not allowed, speaks to this, for example.

Were there any mitigating circumstances?

No, the Swedish DPA states that there were no mitigating circumstances. Even though the website owner:
  1. removed the Pixel swiftly when they found out about it,
  2. ensured that Meta deleted the data,
  3. and established a better process to ensure that no one can install scripts on the site or use tools that put their clients and visitors at risk.

However, the Swedish DPA did lower the fine to approximately 1.34 million euros from 20 million euros, which the DPA states is what it could have chosen to impose. The reasoning behind this is unclear.

Do you have the Facebook Pixel on your website?

If you transfer data to services like Facebook by allowing those services on your site or app, you must ensure you have legal grounds for both collecting and processing that data. These are two different but overlapping requirements.

Ask yourself:
If you plan to use services from Meta, Google, HubSpot, etc., on your site, you need to understand their terms and conditions and read their privacy policies.

If you are unsure about the state of your website and need help determining if the Facebook Pixel is present, here’s what to do:

If you decide to keep the CMP, you will have a solution that:
A CMP solution is a beneficial compliance tool that saves time and enables you to comply with the ePrivacy directive and important parts of the GDPR. 

However, you should always talk to your Data Protection Officer (DPO) or consult a tech lawyer if you—for example—have concerns and are unsure of how a service like Facebook handles your visitors’ data and if your business is taking an unacceptable risk by allowing it to.

So is the Facebook Pixel GDPR-compliant, then?

The Swedish DPA does not say anything about that. In this case, Meta is the so-called data processor, and the website owner who got issued a fine is the data controller.

The DPA has only investigated what the data controller is responsible for, as DPAs typically prioritize the actions of data controllers. Investigating the data processor, Meta, would require a separate case. Preferably by the DPA on Ireland, where Meta has its European head quarter.