How Meta Pixel and Snap tracking pixels compromised user privacy
Picture this: you’re a teenager desperately seeking help after experiencing abuse, visiting what you believe is an anonymous helpline website. Unknown to you, Meta and Snapchat are tracking every click, collecting data that could be used for profiling. This isn’t fiction – it’s exactly what the Norwegian Data Protection Authority (Datatilsynet) uncovered in their groundbreaking enforcement actions against six websites.
The targeted websites – ranging from children’s crisis helplines to health information portals – were found to be sharing visitor data with tech giants without any legal basis. The consequences? One public service received a €25,000 fine (250,000 NOK), while others got formal reprimands. Importantly, the DPA explicitly warned that they were going easy this time. Future violations will face much harsher penalties.
It’s important to note that these organizations were providing valuable services to their communities. The violations appear to stem from technical oversights rather than deliberate attempts to exploit user data.
These cases reveal an important lesson: even well-intentioned organizations can inadvertently share visitor data with third parties due to gaps in understanding how tracking technologies work. Let’s dive into what went wrong and, more importantly, how to ensure your organization doesn’t become the next headline.
Stay compliant with Norway’s online tracking rules
Ensure your website meets legal requirements for cookies and tracking technologies like Meta and Snap Pixel – with tools that protect your users and your organization.
The pixel enforcement actions: understanding the scope
When the Norwegian DPA launched their investigations in March 2024, they weren’t randomly browsing websites. They strategically selected six platforms that handle particularly sensitive information, the kind of data that reveals our deepest vulnerabilities and most private struggles.
Think about it: when someone searches for information about depression, visits a support service for domestic violence victims, or researches STD symptoms, they’re revealing incredibly intimate details about their life. The DPA recognized that these digital footprints deserve the highest level of protection, especially when the visitors include vulnerable children and people in crisis.
The inspected websites painted a diverse picture of Norway’s digital landscape:
- A helpline service for children experiencing violence, abuse, or other traumatic situations (operated by a municipality)
- An online pharmacy where people purchase medications and health products
- A religious organization’s platform for Bible distribution and accepting donations
- A medical services website for booking doctor appointments
- A support service specifically designed for children with incarcerated parents
- A comprehensive health information portal covering various diseases and medical conditions
What united these seemingly different platforms? They all used tracking pixels from Meta (Facebook/Instagram) and/or Snap (Snapchat) that silently transmitted visitor information to these tech giants.
Even more troubling, the website operators were often unaware about what was actually happening behind the scenes. This isn’t surprising given the technical complexity of modern tracking technologies and the rapid evolution of privacy regulations.
Key tracking pixel violations uncovered by Datatilsynet (June 2025)
1. Unauthorized data sharing without legal basis
The most alarming fact is that every single website failed the most basic GDPR requirement: having a lawful basis for processing personal data. The tracking pixels weren’t just counting anonymous visits. They were transmitting a cocktail of personal identifiers that, when mixed with Big Tech’s existing data pools, created detailed profiles of real people. This included:
- Unique user identifiers that persist across browsing sessions (stored in cookies like _fbp and _scid)
- IP addresses that can pinpoint your location and identify your household
- Detailed page URLs revealing exactly what health conditions, problems, or interests you’re researching
- Device fingerprints including your browser type, screen resolution, and operating system
- Timestamp data showing patterns of when and how often you visit
If you happened to be logged into Facebook or Snapchat in the same browser, these platforms could directly link your sensitive website visits to your real-world identity. Imagine Facebook knowing about your child’s mental health struggles or Snapchat tracking your visits to addiction support pages.
2. Processing special categories of personal data
The GDPR treats certain types of data as especially sensitive – health data, information about children, religious beliefs, and sexual orientation all fall into this “special category” bucket, requiring extra-strict protection.
The Norwegian DPA left no room for interpretation: when someone repeatedly visits pages about epilepsy, searches for depression symptoms, or accesses LGBTQ+ health resources, you’re processing health data. It doesn’t matter if they never fill out a form or create an account. The pattern of visits alone reveals sensitive health information.
One health information website argued that visitors might just be curious or doing research for others. The DPA rejected this argument. They pointed to recent EU court decisions confirming that even indirect health information – the kind you can deduce from browsing patterns – deserves full protection under Article 9 of the GDPR.
The children’s services cases were particularly serious. Kids reaching out for help about abuse, violence, or family trauma had their vulnerable moments tracked and packaged for tech companies. The DPA emphasized that children deserve enhanced protection, especially when they’re seeking help for traumatic experiences.
3. Misleading or absent privacy information
The DPA’s review of privacy documentation across all six websites revealed systematic failures in transparency and accuracy – not just minor oversights, but fundamental breakdowns in communicating data practices to users.
The most serious violation came from the children’s helpline, which prominently promised anonymity throughout their website while simultaneously feeding visitor data to Meta and Snapchat. Other common failures included:
- Privacy policies claiming “we don’t process sensitive data” while health information flowed freely to third parties
- Cookie notices using complex technical terminology inappropriate for the intended audience, particularly problematic on sites serving children or people in distress”
- No mentions of Meta Pixel or Snap Pixel in privacy documentation
- No explanation about data processing and data retention – what these companies would do with the data or how long they’d keep it
- Generic statements about “improving user experience” without explaining the real purpose: targeted advertising
One website’s privacy policy hadn’t been updated since 2018 – years before they had even installed the tracking pixels.
4. Invalid consent mechanisms
The DPA also found textbook examples of “dark patterns” – design tricks that nudge you toward the least privacy-friendly option.
Picture this: you land on a health website desperately seeking information. A cookie banner blocks your access with three options:
- “Accept all cookies” (in bright, eye-catching blue)
- “Customize” (in barely visible gray)
- “Necessary only” (also in gray, blending into the background)
Guess which option most stressed visitors clicked? The DPA called this out as psychological manipulation, especially problematic when targeting vulnerable populations. Other consent sins included:
- Pre-ticked boxes for marketing cookies (a big GDPR no-no)
- Bundling different purposes together, forcing an all-or-nothing choice
- Making privacy-friendly options require multiple clicks while “Accept all” was one tap away
- Using fear-inducing language suggesting the site wouldn’t work properly without tracking
The DPA made it crystal clear: true consent means real choice, presented fairly, without tricks or pressure.
The €25,000 fine: Norway's message to public sector websites
While five websites received reprimands, the children’s helpline was penalized with a €25,000 fine (250,000 NOK). Why did this case warrant monetary punishment when others didn’t?
The DPA laid out several aggravating factors that pushed this case over the edge:
Four factors that escalated this tracking pixel violation to a fine
Violation of governmental duty
As a government service funded by taxpayers, the helpline had an elevated duty of care.
Citizens should be able to trust public services with their most vulnerable moments. When a municipality promises anonymous help for abused children but inadvertently enabled commercial tracking, it shatters public trust in government services.
Impact on vulnerable minors
The service specifically targeted children aged 7-18 experiencing violence, abuse, or neglect. These aren't just any website visitors – they're kids in crisis, often with nowhere else to turn. The DPA noted that many of these children likely couldn't confide in parents or other adults, making the service their lifeline.
Misrepresentation of data practices
The website prominently advertised anonymity in multiple places, including pop-up buttons for the chat service. This wasn't just a privacy policy buried in small print – it was a core promise splashed across the site. This disconnect between stated privacy practices and actual data handling created a significant compliance gap that particularly concerned the DPA given the vulnerable user base.
Extensive scope of breach
With approximately 73,800 visits in 2023 alone, including 11,000 visits to pages specifically for "Children 7-12 years" and "Teenagers 13-18 years," the breach affected thousands of vulnerable young people across Norway.
Interestingly, the DPA originally planned to fine them €30,000 (300,000 NOK) but reduced it to €25,000 (250,000 NOK) in recognition of the municipality’s cooperative response and immediate remediation efforts. The message? Quick action and genuine contrition can reduce the sanction, but they won’t eliminate consequences entirely.
Industry-specific implications from the six cases
Let’s dig deeper into what each case reveals about sector-specific privacy risks and why certain industries need to be extra cautious with tracking technologies.
1. Healthcare and pharmaceutical websites: the online pharmacy and health portal cases
The online pharmacy and health information portal cases establish critical precedents that should make every healthcare website operator nervous.
The health portal case was particularly revealing. The DPA’s digital inspection on March 19, 2024, uncovered significant violations from Norway’s largest health information provider, serving hundreds of thousands of weekly visitors. They offered a symptom checker and disease database covering 2,187 conditions. The site even asked visitors upfront whether they were healthcare professionals to “personalize” content.
Here’s what made their Meta Pixel use especially problematic:
- The organization appears to have misunderstood that even anonymous browsing patterns could constitute health data processing.
- Visitors researching specific conditions unknowingly shared their health interests with Meta
- The tracking occurred despite their privacy policy claiming they “generally don’t process sensitive personal data”
- Their elaborate consent banner with 81 partners couldn’t save them – the consent wasn’t valid for health data
The DPA’s message to healthcare sites? Your entire website is essentially a special category data processor. Every page view potentially reveals health information. If someone repeatedly visits pages about diabetes, depression, or STDs, you must assume they have a personal health interest.
The online pharmacy case reinforced this stance. When people browse medication categories or health products, they’re revealing health information – whether they complete a purchase or not. The DPA made clear that the sensitive nature of health data means marketing interests will almost never outweigh privacy rights in any legitimate interest assessment.
Norwegian DPA's decision on health information portal's Meta Pixel use (in Norwegian)
2. Religious and belief-based organizations: the Bible distribution case
The religious organization’s website handled Bible text publication, book sales, and donation collection. While seemingly less sensitive than health sites, the DPA highlighted unique privacy risks:
- Regular visits to religious content can reveal spiritual beliefs or religious affiliation
- Donation patterns might indicate level of religious commitment
- Children accessing religious content deserve special protection from commercial tracking
The organization’s use of Meta and Snapchat pixels meant that these platforms could potentially identify individuals exploring Christianity, perhaps during vulnerable moments of spiritual searching or crisis. Like many organizations, they were unaware that religious content engagement patterns could reveal protected belief data.
The DPA emphasized that freedom of religion includes the right to explore beliefs privately, without commercial surveillance.
This case sends a clear message to all faith-based organizations: your digital spaces should be sanctuaries from commercial tracking, just like your physical places of worship.
3. Support services and vulnerable populations: the children's helpline cases
Two cases involved services specifically for children in crisis – the municipal helpline for abuse victims (inspected on March 14, 2024) and the support service for children with incarcerated parents. These cases revealed the serious privacy implications when support services get tracking wrong.
The imprisoned parents’ support service case highlighted how seemingly narrow use cases can affect vulnerable populations. Children dealing with parental incarceration face stigma, emotional trauma, and social isolation. When they seek support online, they shouldn’t worry about tech companies building profiles based on their family trauma.
Both services made similar mistakes:
- A common misconception that led to these violations was believing that anonymity promises for direct contact extended to all website interactions.
- Assuming that promising confidentiality for direct contact (phone/chat) was enough
- Failing to understand that tracking pixels capture the entire journey, not just form submissions
- Underestimating how visit patterns could reveal a child’s situation to data brokers
The DPA’s verdict was uncompromising: if you serve vulnerable populations, especially children in crisis, third-party tracking is almost certainly inappropriate. The trust relationship these services depend on is incompatible with commercial surveillance.
Norwegian DPA's decision on imprisoned parents support service tracking (in Norwegian)
4. Medical services: the appointment booking platform case
The doctor appointment booking website represented another flavor of health data exposure. The platform appears to have misunderstood that appointment booking data requires the same protection as direct health information. Unlike passive information sites, this platform facilitated actual medical service bookings, creating additional privacy complications:
- Visitors weren’t just researching – they were taking concrete steps toward medical treatment
- The types of specialists viewed or booked could reveal specific health conditions
- Appointment patterns over time could indicate chronic conditions or ongoing treatments
The case reinforced that any website touching healthcare – whether providing information, selling products, or booking services – must treat all visitor data as potentially revealing health information.
Updated compliance recommendations from the Norwegian DPA (June 2025 compliance guide)
Notably, all organizations demonstrated good faith by immediately addressing the issues once they understood the implications. Following these regulatory actions, the Norwegian DPA didn’t just walk away. They published new detailed guidance about the use of tracking tools on websites and in apps.
Here’s what they want every website operator to understand and implement:
1. Conduct thorough tracking audits (and actually understand what you find)
The DPA found that many organizations lacked awareness what tracking technologies lived on their websites. They recommend:
- Map every single tracking technology: Use automated scanning tools, but don’t stop there. Manually review your site’s code, tag managers, and third-party integrations. The DPA found pixels that website owners didn’t even know existed.
- Understand the data flow: For each tracker, document exactly what data it collects, where it sends that data, and what happens to it afterward. If you can’t explain this clearly, you shouldn’t be using the tracker.
- Pay special attention to invisible tracking: Pixels don’t appear in cookie scanners but can be even more invasive. Check your source code for scripts from facebook.com, snapchat.com, google-analytics.com, and similar domains.
- Review regularly: The children’s helpline added trackers for a 2020 campaign and forgot about them. Set quarterly reviews to catch outdated trackers that outlive their purpose.
2. Assess your audience and content sensitivity
The DPA wants organizations to take a hard look in the mirror and honestly assess their privacy risks. This means:
- Consider your most vulnerable visitors: A health site might serve elderly people researching dementia, teenagers exploring sexuality, or parents researching childhood disorders. Design privacy protections for your most vulnerable users, not your average visitor.
- Think about cumulative patterns: One visit to a depression article might mean nothing. But weekly visits over three months? That’s a mental health journey being tracked. The DPA emphasized that patterns over time reveal more than individual page views.
- Examine indirect inferences: The religious site argued they just provided Bible texts. But the DPA noted that regular engagement with religious content, especially combined with donation data, reveals protected beliefs. Ask yourself: what could a data analyst deduce from visitor patterns?
- Remember intersectionality: A visitor to the incarcerated parents’ support site might also be dealing with poverty, racial discrimination, or mental health challenges. Multiple vulnerabilities compound privacy risks.
3. Implement privacy-first design (not privacy as an afterthought)
The DPA’s strongest recommendation? If you handle sensitive data or serve vulnerable populations, just say no to third-party tracking. But if you absolutely must track, they outline strict requirements:
- Default to privacy: Make “reject all” as prominent and easy as “accept all” – same color, same size, same number of clicks. The health portal’s blue “accept” button versus gray “reject” option was specifically called out as manipulation.
- Embrace true anonymity: If you promise anonymity, deliver it. The DPA suggested privacy-preserving analytics that process data on your servers without sharing raw visitor information with third parties.
- Layer your privacy controls: Implement privacy at multiple levels – anonymous by default, optional accounts with clear data handling, and granular controls for any enhanced features.
- Test with real users: The DPA noted that privacy policies written by lawyers often confuse regular people. Test your privacy communications with actual users, especially from vulnerable groups you serve.
4. Fix consent mechanisms (eliminate dark patterns and respect users’ choices)
Valid consent isn’t just a legal checkbox – it’s about respecting visitor autonomy. The DPA’s requirements include:
- Visual equality: Every consent option must be equally visible and accessible. No color tricks, no size differences, no hiding privacy-friendly options behind extra clicks.
- Granular control: Visitors must be able to consent separately for different purposes. Bundling analytics, personalization, and marketing into one “accept” choice violates GDPR. The DPA specifically praised solutions allowing purpose-by-purpose decisions.
- Age-appropriate communication: The children’s helpline used technical jargon to describe tracking to kids as young as seven. The DPA demands plain language adapted to your actual audience. If kids use your site, a child should understand your privacy notice.
- Consequences transparency: Visitors must understand what happens when they consent. “Improving your experience” doesn’t cut it. Explain that Meta will combine visit data with social media profiles for ad targeting across the internet.
- Genuine choice: The medical booking site made tracking consent seem necessary for appointments. The DPA clarified: core services must work without tracking consent. No coercion, no feature blocking, no emotional manipulation.
Cookie compliance in Norway: before and after January 2025
Norway’s data privacy enforcement has undergone a dramatic transformation that every website operator needs to understand.
The old world (before the 2025 update to the E-Com Act)
Cookie compliance enforcement fell under the telecom authority (Nkom) while the DPA handled data processing – a split system that created enforcement gaps.
Unlike many EU countries that aligned cookie consent with GDPR requirements, Norway’s rules remained vague and permissive. Penalties were rare, investigations reactive, and many organizations operated in blissful ignorance – a stark contrast to the strict enforcement already happening across Europe.
The new reality – updated cookie guidelines in Norway (January 2025 onwards)
The game changed completely with the new E-Com Act, in force from January 2025. With Norway’s updated privacy law, DPA now controls both cookie placement AND data processing, with:
- Unified enforcement authority (no more jurisdictional gaps)
Mandatory GDPR-compliant consent for all cookies - Proactive sector sweeps instead of reactive complaints
- Technical expertise to catch violations at scale
- Explicit warnings that future penalties will be severe
The €25,000 fine sends a clear signal: the era of “we didn’t know” is over. As these cases show, the DPA gave educational warnings this time – but explicitly stated future violations face much harsher consequences. The bottom line: Norway has joined Europe’s privacy enforcement elite, and claiming confusion won’t save you.
Technical considerations for digital marketing teams
If you’re in marketing, this section will help you understand the technical complexities that led to these violations. Those tracking pixels you copy-pasted from Meta’s Business Manager? They might be doing way more than counting conversions. Here’s what you need to know about pixel functionality.
Understanding tracking pixels: from marketing tool to privacy risk
Here’s the critical point the Norwegian cases revealed: many organizations had tracking pixels installed but didn’t understand when they fired or what data they sent. Let’s clear this up:
The myth: “Our pixels only track when people consent, and the data is anonymous anyway.”
The reality in these Norwegian tracking pixel cases:
- Pixels were firing before valid consent was obtained (or with manipulated consent)
- When they fired, they sent far more than “anonymous” data:
- Unique identifiers that persist across websites (_fbp cookie)
- IP addresses enabling household-level identification
- Exact URLs revealing what health conditions or problems people were researching
- Browser fingerprints that can uniquely identify devices
- Direct profile matching when users were logged into Facebook
The compliance gap: Yes, properly configured consent management can prevent pixels from firing without consent. But the Norwegian pixel violation cases showed organizations had either:
- No consent mechanism implemented at all
- Invalid consent flows with dark patterns
- Pixels loading regardless of the website visitors’ consent choices
- No visibility into their pixel behavior
What this means for marketers:
If you haven’t personally verified that your pixels respect consent choices, you’re at risk. The children’s helpline thought they were just measuring campaign reach. Instead, they were sharing children’s data with Meta. Their mistake? Assuming the pixel was “privacy-safe” without actually checking.
The lesson isn’t that all pixel use is illegal – it’s that you must understand and control when pixels fire and what data they share. Without proper consent management, that innocent conversion tracking becomes a privacy violation.
Ready to take control of your tracking setup?
Cookie Information’s WCAG-accessible consent banner templates eliminate dark patterns by design, while Piwik PRO’s anonymous tracking delivers the analytics insights you need. Get the measurement you want and the privacy compliance you need.
Alternative approaches: privacy-preserving analytics for modern marketers
The Norwegian DPA isn’t saying “don’t measure anything.” They’re saying “keep visitor data within your control.” Here are practical alternatives that respect users’ privacy while delivering marketing insights:
Server-side analytics replace client-side tracking:
- Instead of pixels phoning home to Meta, process data on your own servers
- You still learn about traffic sources, popular content, and conversion paths
- But raw visitor data never leaves your control
- Tools like Piwik PRO offer these capabilities
Statistical sampling instead of universal tracking:
- Do you really need to track every single visitor to understand trends?
- Privacy-preserving systems can extrapolate insights from anonymized samples
- Like political polling – you don’t need to survey everyone to understand population trends
Aggregated conversion APIs for campaign measurement:
- Instead of pixel-based tracking, use privacy-preserving conversion APIs
- These report campaign effectiveness without exposing individual journeys
- Apple’s SKAdNetwork and Google’s Privacy Sandbox (despite flaws) point toward this future
First-party data strategies that build trust:
- Offer genuine value in exchange for voluntary data sharing
- Email newsletters, account benefits, and loyalty programs create consensual data relationships
- When people explicitly choose to share, you avoid the privacy violations plaguing pixel-based tracking
Implementation steps for compliant analytics setup:
- Audit your current tracking (what data leaves your site?)
- Define essential metrics (what do you actually need to know?)
- Choose privacy-preserving alternatives (assess ready-made tools like Piwik PRO Analytics vs. custom builds)
- Update team skills for consent-based marketing strategies
- Tell your story as a privacy-respecting brand and make it a visible selling point
The key insight? Privacy-respecting analytics might provide less granular data, but they build trust – and trust converts better than any retargeting campaign.
“81% of consumers consider trust a deciding factor when making purchase decisions.”
How Cookie Information and Piwik PRO can help
The Norwegian cases highlight a painful truth: most organizations are flying blind when it comes to tracking technologies. You need more than good intentions – you need robust tools and expertise. Here’s how the combined power of Cookie Information and Piwik PRO addresses each challenge revealed in these enforcement actions:
Discover what's really happening on your website:
Our automated scanning technology finds cookies, pixels, and online tracking technologies across your website – including those invisible pixels the Norwegian websites missed. You’ll get a complete inventory with clear explanations of what each technology does and which third parties receive data.
Implement consent that actually respects choice:
Our consent management platform eliminates dark patterns by design with compliant banner templates. Equal prominence for all options, granular purpose-level controls, and automatic preference synchronization across devices. We’ve analyzed thousands of consent flows to optimize for both compliance and user experience – because confused visitors can’t give valid consent.
Keep analytics without compromising user privacy:
Piwik PRO’s analytics platform processes data under your control, not Big Tech’s. Track conversions, measure campaigns, and understand user journeys – all without sharing raw data with third parties. Our privacy-by-design architecture means you can promise visitors their data stays with you and actually keep that promise.
Prove compliance with comprehensive documentation:
When regulators come knocking (and they will), you need evidence. Our platform automatically generates audit-ready privacy compliance records showing what technologies you use, what consent you obtained, and how you honor user choices.
Stay ahead of evolving data privacy regulations:
Privacy law changes constantly. Our team monitors enforcement actions like these Norwegian cases, updating our platforms to address new requirements before they become your problem. We turn regulatory intelligence into product features, keeping you compliant automatically.
The merger of Cookie Information and Piwik PRO creates something unique: a complete privacy-first marketing technology stack. You’re not just avoiding fines – you’re building sustainable, trust-based customer relationships.
Ready to make your website tracking-compliant in Norway?
Avoid illegal data sharing and build trust with a fully compliant consent banner. Cookie Information and Piwik PRO help you control cookies, pixels, and trackers – without compromising insights.
- GDPR- and E-Com Act–compliant
- Blocks Meta and Snap Pixels before consent
- Tracks anonymously with privacy-first analytics
Frequently asked questions
What exactly are Meta Pixel and Snap Pixel?
Meta Pixel (formerly Facebook Pixel) and Snap Pixel are small pieces of code that website owners add to their sites to track visitor behavior. They collect data about page visits, actions taken, and user characteristics, then send this information to Meta (Facebook/Instagram) and Snapchat respectively. This data is used for ad targeting, conversion tracking, and audience building. The Norwegian cases showed these pixels were collecting far more data than website owners realized.
How can I check if my website has tracking pixels installed?
You can use browser developer tools (press F12) and check the Network tab for requests to facebook.com, snapchat.com, or other third-party domains. Look for scripts containing “fbevents.js” or similar tracking codes. However, for a comprehensive audit, use professional scanning tools like Cookie Information’s compliance checker or consent management platforms that can detect hidden pixels, server-side tracking, and other invisible technologies.
What's the difference between a reprimand and a fine in these Norwegian pixel violation cases?
A reprimand (irettesettelse) is a formal warning that marks a violation but doesn’t require payment. It serves as official documentation of non-compliance and can influence future penalties. A fine (overtredelsesgebyr) requires monetary payment and is reserved for more serious violations. In these cases, only the children’s helpline received a fine due to aggravating factors like serving vulnerable children and falsely promising anonymity.
Do these Norwegian rules apply to my website if I'm not based in Norway?
If your website targets Norwegian users or processes data from Norwegian visitors, Norwegian privacy laws apply regardless of where you’re based. This is similar to how GDPR works across Europe. The enforcement actions show that Norwegian authorities are actively monitoring websites that serve Norwegian citizens, especially those handling sensitive data.
Can I still use tracking pixels if I get proper consent?
Yes, but the consent must be truly valid: freely given, specific, informed, and unambiguous. This means no pre-ticked boxes, no dark patterns, equal visibility for all options, and clear explanations of what data is collected and shared. For sensitive data (health, children, religion), you need explicit consent with even stricter requirements.
What are "dark patterns" in consent banners?
Dark patterns are design tricks that manipulate users into making choices against their interests. Examples from the Norwegian cases include: making “Accept all” buttons bright blue while “Reject” is gray, requiring multiple clicks to refuse tracking, using confusing language, or suggesting the site won’t work without cookies. These practices violate GDPR’s requirement for genuine consent.
Read more: Compliant cookie banner design in 2025: A how-to for marketers
What alternatives exist to Meta and Snap pixels for measuring campaigns?
Privacy-preserving alternatives include: server-side analytics (like Piwik PRO) that process data on your servers, cookieless tracking that doesn’t identify individuals, aggregated conversion APIs that report campaign success without exposing user journeys, and first-party analytics that keep all data under your control. These tools can still measure campaign effectiveness without sharing visitor data with tech giants.
