
Meta Conversion API and Data Protection – What Belongs in Your Privacy Policy

Concise guide to the Meta Conversion API (CAPI): processed data, purposes, GDPR legal bases and what website operators must include in their privacy policy on the Meta CAPI.

If a website operator uses the Meta Conversion API, it transmits server-to-server conversion events and – where available – associated user data (in hashed form) to Meta in order to improve advertising performance measurement and ad targeting on Meta advertising networks (Facebook, Instagram). This page shows website operators in Germany what data the Meta Conversion API processes according to the publicly available information from the provider, which purposes and legal bases are typically applicable and which mandatory disclosures belong in the privacy policy.

A. Purpose and Functionality of the Meta Conversion API

The Meta Conversion API (CAPI) – formerly "Facebook Conversions API" – is a server-to-server interface that allows website operators to transmit conversion events directly from their own server to Meta. Unlike the browser-side Meta Pixel (which runs in the user's browser), the transmission takes place server-side and is therefore less affected by browser tracking blockers, cookie lifetime restrictions and ad blockers. Events such as PageView, AddToCart, Purchase, Lead or CompleteRegistration are typically sent to Meta.

This page focuses on one integration function: the server-to-server transmission of conversion events via the Meta Conversion API. Other Meta integrations (the Meta Pixel as a JavaScript snippet, other Meta Business Tools, Login with Facebook, social plugins) are not the primary subject of this article. The CAPI is often used in parallel with the Meta Pixel ("Pixel + CAPI").

B. Mandatory Disclosures in the Privacy Policy when Using the Meta Conversion API

The GDPR requires the privacy policy to set out tool-specific minimum content in addition to general information about the website operator, data subject rights and the supervisory authority. For the use of the Meta Conversion API this includes in particular:

  • the purposes of the processing (Art. 13 para. 1 lit. c GDPR),
  • the legal bases (Art. 13 para. 1 lit. c GDPR),
  • where based on legitimate interests, the specific interests pursued (Art. 13 para. 1 lit. d GDPR),
  • the recipients or categories of recipients (Art. 13 para. 1 lit. e GDPR),
  • whether data is transferred to a third country and, if so, on what basis (adequacy decision or appropriate safeguards) (Art. 13 para. 1 lit. f GDPR),
  • the storage duration or the criteria used to determine it (Art. 13 para. 2 lit. a GDPR),
  • where data is not collected directly, additionally the categories of personal data (Art. 14 para. 1 lit. d GDPR).

It is not necessary to list the Meta Conversion API with its own boilerplate text in the privacy policy, even though that practice is widespread. The "one boilerplate per tool" approach has become poor practice: it leads to long, redundant texts, makes the privacy policy hard to maintain and tends to run counter to the transparency requirement of Art. 12 para. 1 GDPR. A topic-oriented approach is more appropriate – describing processing across topics (tracking, marketing integrations, etc.) and naming Meta only in an annex of recipients. This is exactly the methodology that the matterius generator follows.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of the Meta Conversion API

According to the publicly available information from the provider, the contracting party for German website operators is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The corporate parent company is Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA.

According to the publicly available information, Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework (DPF); the status can be verified at https://www.dataprivacyframework.gov/s/participant-search. EU Standard Contractual Clauses are used as additional safeguards.

Meta's privacy notice is available at https://www.facebook.com/privacy/policy. The terms for Meta Business Tools – including the CAPI – are available at https://www.facebook.com/legal/terms/businesstools; the supplementary controller addendum at https://www.facebook.com/legal/controller_addendum. Under these terms and the controller addendum, Meta and the website operator act as joint controllers for the collection of event data via the Business Tools and its transmission to Meta (the "joint processing"); for the subsequent processing (advertising performance measurement, ad targeting) Meta acts as an independent controller.

D. Data Processing via the Meta Conversion API – Step by Step

Collection: The website operator captures conversion events (e.g. order completion, lead enquiry) on its website and in its back-end. This involves order or enquiry data and identifying attributes (e.g. email address, telephone number, IP address, user-agent).
Hashing and transmission: Before transmission to Meta, the website operator normalises (e.g. trims whitespace, lower-cases, reduces phone numbers to digits) and hashes the identifying fields (email, phone, name, address); according to the provider, SHA-256 is used. IP address, user-agent and the fbp/fbc identifiers are transmitted in plain text. Transmission takes place server-side via an HTTPS request to the Meta API.
Storage: The data is stored in the Meta advertising platform. According to its publicly available information, Meta uses the data for ad optimisation, targeting and performance measurement.
Use: Meta uses the data to measure advertising campaign performance, to improve ad targeting (e.g. Custom Audiences, Lookalike Audiences) and – according to the publicly available information – for its own purposes within the scope of its privacy notice.
Disclosure and third-country transfer: Meta processes the data within the group, including in the USA. The transfer is safeguarded via the DPF and, in addition, EU Standard Contractual Clauses.
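As an added worked example (not code from this article and not Meta's SDK), the following Python builds one CAPI event the way the collection and hashing steps above describe: it applies the normalisation Meta documents for the hashed customer-information fields, SHA-256-hashes them, leaves IP address, user-agent and fbp/fbc in plain text, carries an event_id for later Pixel deduplication, and refuses to build anything without marketing consent. The field names and payload shape follow Meta's published CAPI format; the endpoint path in the comment, the consent gate and the plaintext guard are the example's own assumptions, and every input value is constructed.

```python
import hashlib
import json
import time
import uuid

# Added example (not Meta's SDK, not code from the article). Field names and
# payload shape follow Meta's published Conversion API format; the
# normalisation rules are the ones Meta documents for em/ph/fn/ln. The
# consent gate and the plaintext guard are this example's own additions.

HASHED_FIELDS = ("em", "ph", "fn", "ln")          # must be SHA-256 hashed
PLAINTEXT_FIELDS = ("client_ip_address", "client_user_agent", "fbc", "fbp")


def normalise(field, value):
    """Normalise before hashing so the hash can match on Meta's side."""
    value = value.strip().lower()
    if field == "ph":
        # digits only, including country code, no "+" or spaces; the caller
        # must already have removed national leading zeros
        return "".join(ch for ch in value if ch.isdigit())
    if field in ("fn", "ln"):
        # letters/digits only: no punctuation, no whitespace
        return "".join(ch for ch in value if ch.isalnum())
    return value                                   # em: trimmed, lower-cased


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_identifier(field, value):
    return sha256_hex(normalise(field, value))


def assert_no_plaintext_pii(payload):
    """Guard: refuse to send if a hashed field is not a 64-char hex digest."""
    for event in payload["data"]:
        for field in HASHED_FIELDS:
            for value in event["user_data"].get(field, []):
                if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
                    raise ValueError(f"user_data.{field} is not SHA-256 hashed: {value!r}")


def build_capi_event(event_name, event_id, source_url, client_ip, user_agent,
                     customer, consent, custom_data=None, fbc=None, fbp=None,
                     event_time=None):
    """Return the CAPI request body, or None when there is no marketing consent."""
    if not consent:
        return None  # nothing leaves the server without a legal basis

    user_data = {}
    for field in HASHED_FIELDS:
        value = customer.get(field)
        if value:
            user_data[field] = [hash_identifier(field, value)]
    user_data["client_ip_address"] = client_ip   # plain text
    user_data["client_user_agent"] = user_agent  # plain text
    if fbc:
        user_data["fbc"] = fbc                   # click ID, plain text
    if fbp:
        user_data["fbp"] = fbp                   # browser ID, plain text

    event = {
        "event_name": event_name,
        "event_time": int(event_time if event_time is not None else time.time()),
        "event_id": event_id,     # same ID as the Pixel event, for deduplication
        "action_source": "website",
        "event_source_url": source_url,
        "user_data": user_data,
    }
    if custom_data:
        event["custom_data"] = custom_data
    payload = {"data": [event]}
    assert_no_plaintext_pii(payload)
    return payload


if __name__ == "__main__":
    # constructed sample input
    body = build_capi_event(
        event_name="Purchase",
        event_id=str(uuid.uuid4()),
        source_url="https://shop.example/checkout/done",
        client_ip="203.0.113.7",
        user_agent="Mozilla/5.0 (constructed)",
        customer={"em": " Max.Mustermann@Example.com ", "ph": "+49 151 2345678",
                  "fn": "Max", "ln": "Mustermann"},
        consent=True,
        custom_data={"value": 49.90, "currency": "EUR", "content_ids": ["SKU-1"]},
        fbp="fb.1.1700000000000.123456789",
    )
    # POST this JSON (with the access token) to
    # https://graph.facebook.com/<api-version>/<pixel-id>/events; version and
    # IDs are deployment-specific and assumed here.
    print(json.dumps(body, indent=2))
```

The consent flag is the hook for the consent banner: the server must know whether the visitor who triggered the event gave marketing consent, which in practice means persisting the consent state with the session or order rather than trusting a client-supplied flag.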

E. Data Collected when Using the Meta Conversion API

In connection with the Meta Conversion API, the data processed according to the provider's publicly available information typically includes hashed email address, hashed telephone number, hashed name and possibly further hashed identifiers, IP address, user-agent, the click identifier fbc and the browser identifier fbp, conversion values (amount, currency, product IDs), timestamps and event names.

The data can be classified into the following standardised data categories:

  • Web server log data: IP address, timestamp, user-agent.
  • Click paths: pages visited, conversion events triggered.
  • Device data: device type and operating system, where derivable from the user-agent.
  • Browser information: browser name and version, where derivable from the user-agent.
  • Coarse location data: location derived from the IP address at city or municipality level.
  • User profiles: according to the provider, assignment to Custom Audiences and Lookalike Audiences (on Meta's side).
  • Conversion events: events defined by the website operator (e.g. PageView, Purchase, Lead).

Note: even though identifying fields are transmitted in hashed form, this is generally still considered personal data within the meaning of the GDPR, since Meta can match the hashes against its own data and assign them to users.
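To make the note concrete, here is an added Python example (not from the article) showing two ways a SHA-256-hashed identifier is linked back to a person: by recomputing the hash over a list of known addresses, which is what Meta can do with its own user base (the candidate list here is constructed), and, for telephone numbers, by simply enumerating the number space with no list at all. The prefix and range are constructed and kept tiny so the script runs instantly; the same loop scales to a whole national mobile prefix.

```python
import hashlib

# Added example (not from the article): a SHA-256 hash of a normalised
# identifier is deterministic, so anyone holding candidate plaintexts can
# recompute it and match. Meta holds its users' contact data; here the
# candidate list, the observed hashes and the phone range are constructed.


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def email_hash(email):
    return sha256_hex(email.strip().lower())


def phone_hash(number):
    return sha256_hex("".join(ch for ch in number if ch.isdigit()))


def reidentify_emails(observed_hashes, candidate_emails):
    """Map each observed hash to the candidate address it came from, or None."""
    table = {email_hash(e): e.strip().lower() for e in candidate_emails}
    return {h: table.get(h) for h in observed_hashes}


def brute_force_phone(target_hash, prefix, suffix_digits):
    """Enumerate every number under a prefix; no candidate list needed.

    A national mobile prefix such as 49151 followed by 8 digits is only
    10**8 candidates, which a single core hashes in minutes.
    """
    for n in range(10 ** suffix_digits):
        candidate = prefix + str(n).zfill(suffix_digits)
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


# constructed data
CANDIDATES = ["anna@example.org", "Bob@Example.net", "carol@example.com"]
OBSERVED = [email_hash("bob@example.net"), email_hash("nobody@example.test")]
TARGET_PHONE_HASH = phone_hash("+49 151 2345678")   # as it would arrive in user_data.ph

if __name__ == "__main__":
    for h, who in reidentify_emails(OBSERVED, CANDIDATES).items():
        print(h[:12], "->", who or "(no candidate matched)")
    # demo range: prefix fixed, only the last three digits enumerated
    print("phone recovered:", brute_force_phone(TARGET_PHONE_HASH, "491512345", 3))
```

The second function is the more important one for risk assessment: an email hash is only recoverable by someone who already holds the address, but a phone-number hash falls to plain enumeration, so treating either as "anonymised" in the privacy policy would be wrong.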

F. Purposes when Using the Meta Conversion API

Website operators typically use the Meta Conversion API to improve performance measurement of advertising campaigns on Meta advertising networks, to ensure stable transmission of conversion events (even with browser tracking restrictions), to optimise ads and to build Custom Audiences and Lookalike Audiences.

These purposes can be classified into the following standardised purpose categories:

  • General marketing: campaign performance measurement, reach analysis.
  • User profile creation: assignment to Custom Audiences and Lookalike Audiences (on Meta's side).
  • User-individual marketing: targeting of advertising in Meta advertising networks based on the user's interests and behaviour.
  • General product improvement: evaluation of aggregated conversion data to optimise the website.

G. Legal Bases when Using the Meta Conversion API

In a first step, the Meta Conversion API must be assigned to a tool category: it is mainly a tool from the Tracking (Marketing) or Remarketing category.

In a second step, the following legal bases typically come into consideration:

  • For the transmission of conversion data to Meta: typically marketing consent under Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG, where cookies or comparable storage accesses (e.g. the _fbp and _fbc cookies, whose values are passed to Meta as fbp and fbc) are set or read on the client side.
  • Where conversion data is transmitted exclusively server-side without access to end-device storage, the applicability of § 25 TDDDG is debated; however, transmission to Meta for advertising purposes remains subject to the GDPR. Consent is generally also recommended here because the transmission serves advertising performance measurement.
  • For the joint processing between the website operator and Meta (collection of event data and its transmission to Meta): the allocation of responsibilities follows Meta's Business Tools terms and the controller addendum; the legal basis itself (typically the consent above) must nevertheless be provided by the website operator, as the addendum assigns that responsibility to the operator and does not supply a legal basis of its own.

Which legal basis is specifically applicable depends on the configuration (Pixel + CAPI, CAPI only, hashed identifiers, click IDs) and the integration in the consent banner and must be examined by the website operator on a case-by-case basis.

H. Particularities and Notes on the Meta Conversion API

  • Joint controller agreement: Under Meta's Business Tools terms (in particular section 5.a), Meta and the website operator act as joint controllers for the collection of event data via the Business Tools and its transmission to Meta (the joint processing); Meta's subsequent processing is not covered by the joint controllership. The essential content of the joint-controller arrangement is available at https://www.facebook.com/legal/controller_addendum and should be referenced in the privacy policy (Art. 26 para. 2 GDPR).
  • Hashing: According to the publicly available information, identifying data is transmitted in hashed form (typically SHA-256). This does not anonymise the data; it remains personal data.
  • Pixel + CAPI: When the CAPI is run in parallel with the Meta Pixel, deduplication via event IDs should be configured to avoid double-counting conversions.
  • Third-country transfer / DPF: According to the publicly available information, Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework; EU Standard Contractual Clauses are used as additional safeguards.
  • User opt-out options: Ad settings on Meta are available at https://www.facebook.com/help/109378269482053/.
  • Source note: The information is based on the provider's publicly available publications and does not replace a case-by-case assessment.
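Because deduplication only works when both channels send the same event_id, here is an added Python model (not the article's or Meta's code) of the conversion count you get with and without a shared ID. Meta's guidance describes matching on event_name and event_id; the 48-hour window and the first-copy-wins rule are this example's own assumptions, and the event sample is constructed.

```python
# Added example (not from the article, not Meta's implementation): models how
# Pixel (browser) and CAPI (server) copies of one conversion are collapsed
# when they share event_name + event_id, and double-counted when they do not.
# Window length and first-copy-wins are modelling assumptions.

WINDOW_SECONDS = 48 * 3600


def count_conversions(events):
    """Return (counted, dropped): events kept after deduplication and duplicates."""
    first_seen = {}            # (event_name, event_id) -> event_time of first copy
    counted, dropped = [], []
    for ev in sorted(events, key=lambda e: e["event_time"]):
        key = (ev["event_name"], ev.get("event_id"))
        if (key[1] is not None
                and key in first_seen
                and ev["event_time"] - first_seen[key] <= WINDOW_SECONDS):
            dropped.append(ev)          # same conversion already counted
            continue
        if key[1] is not None:
            first_seen[key] = ev["event_time"]
        counted.append(ev)              # events without an ID are never collapsed
    return counted, dropped


# constructed sample: one purchase reported by both channels with a shared
# order-derived ID (correct), one reported by both without an ID (double-counted)
T = 1_700_000_000
SAMPLE = [
    {"source": "browser", "event_name": "Purchase", "event_id": "ord-1001", "event_time": T},
    {"source": "server",  "event_name": "Purchase", "event_id": "ord-1001", "event_time": T + 5},
    {"source": "browser", "event_name": "Purchase", "event_id": None,       "event_time": T + 60},
    {"source": "server",  "event_name": "Purchase", "event_id": None,       "event_time": T + 65},
]

if __name__ == "__main__":
    counted, dropped = count_conversions(SAMPLE)
    print(f"counted: {len(counted)} (should be 2 real purchases), dropped: {len(dropped)}")
    for ev in counted:
        print("  ", ev["source"], ev["event_name"], ev["event_id"])
```

A deterministic ID derived from the business event (order number, lead ID) is preferable to a random one, because the browser and the server can compute it independently without having to exchange it first.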

I. Frequently Asked Questions on the Meta Conversion API and Data Protection

J. Conclusion on the Meta Conversion API

When using the Meta Conversion API, personal data of website visitors is transmitted server-side to Meta. The contracting party is Meta Platforms Ireland Limited; the US parent company Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework according to the publicly available information. Key obligations are integrating the CAPI into consent management, taking Meta's joint controller arrangement into account and deliberately configuring the identifiers transmitted.

It is generally not advisable for the website operator to include a dedicated boilerplate text for the Meta Conversion API in the privacy policy. A structured, topic-oriented approach is recommended that explains tools across topical blocks (tracking, remarketing, etc.) and only names the provider Meta in an annex of recipients – including a reference to joint controllership. This is exactly the methodology that the matterius generator follows.

This article provides general information on the Meta Conversion API and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and other publicly accessible sources. Status: 6 May 2026.


Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
