Meta Pixel (Facebook Ads) and Data Protection – What Belongs in the Privacy Policy
Compact guide to Meta Pixel: joint controller status, processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
If a website operator uses the Meta Pixel (formerly Facebook Pixel) for conversion measurement and remarketing audience creation, it processes – together with Meta Platforms Ireland Limited as joint controllers – personal data such as visitor data, conversion events and profile information on the basis of consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. The role of the Meta Pixel in the GDPR system differs fundamentally from pure analytics tools: the website operator and Meta are joint controllers, not in a processor relationship. This has significant data protection consequences. This guide explains this joint controller structure and the requirements for the privacy policy. As of: 2026-04-22.
A. Purpose and Function of Meta Pixel
The Meta Pixel is a tracking code snippet that website operators embed in their website. It records user interactions and sends them as conversion events to the Meta infrastructure (Facebook, Instagram, Messenger). The pixel has two main functions:
1. Conversion tracking: The pixel registers when users perform certain target actions (e.g. product purchase, contact form completion, download, video view). These conversion data enable the website operator to measure the effectiveness of Facebook advertising campaigns.
2. Custom Audiences and remarketing: The pixel sends a list of website visitors to Meta (along with their browsing behavior and interactions). Meta creates digital target groups (audiences) from this, which the website operator can use in future Ads campaigns to re-engage former visitors.
Extended Matching: With extended matching activated, the pixel also sends customer data from the website operator's CRM to Meta (e.g. email addresses, phone numbers, names). Meta uses these for matching with existing Meta profiles.
The particularity: Joint Controller
Unlike pure tracking tools (Google Analytics), the Meta Pixel is not just a processor instrument. Meta and the website operator are joint controllers (Art. 26 GDPR) for the collection and transfer of data. This results from the Meta Business Tools Joint Controller Terms.
B. Mandatory Disclosures in the Privacy Policy regarding Meta Pixel
According to GDPR Art. 13(1) and Art. 14, website operators must provide the following information when using Meta Pixel:
- Identity and contact details of the controllers (Art. 13(1)(a)) – here: website operator AND Meta Platforms Ireland Limited (as joint controllers)
- Purposes of the processing (Art. 13(1)(c))
- Legal basis/bases (Art. 13(1)(d))
- Categories of recipients (Art. 13(1)(e))
- Retention period or criteria for determining it (Art. 13(2)(a))
- Rights and obligations of the joint controllers (Art. 26 GDPR)
A central point: the isolated tool paragraphs typically found in privacy policies (e.g. "Meta Pixel: We use the Meta Pixel...") are not sufficient. Instead, Art. 26(3) GDPR requires the distribution of responsibilities between the joint controllers to be made transparent for users. An isolated paragraph does not do this justice.
Better approach: A centrally explained chapter on data recipients (with mention of Meta), a clear breakdown of the joint controller relationship, and a recipient table showing Meta as a joint controller.
C. Provider of Meta Pixel: Meta Platforms Ireland Limited
Legal basis (operator, not parent group):
- Full name: Meta Platforms Ireland Limited
- Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02 AX86, Ireland
- Country of registered office: Ireland (European Economic Area)
- Parent company: Meta Platforms Inc. (USA) – but for data protection issues, Meta Ireland is responsible
- Role: Joint controller together with the website operator, not processor
Data Privacy Framework (DPF): Meta Platforms Inc. (USA) and its subsidiaries are DPF-certified. This enables data transfers from the EU to the USA on the basis of an adequacy decision (Art. 45 GDPR). The certification was reinstated after the Schrems II decision of the CJEU (July 2023).
Joint Controller Terms (important): https://www.facebook.com/legal/terms/businesstools These terms must be observed and should be linked in the privacy policy. They govern the distribution of responsibilities and data protection obligations between Meta and the website operator.
Privacy policy: https://www.facebook.com/privacy/policy
DPA: With Meta Pixel there is no classic Data Processing Agreement within the meaning of Art. 28 GDPR, since Meta does not act as a processor. Instead, the Joint Controller Terms and Meta's privacy policy apply.
D. Data Processing by Meta Pixel – Process
Collection
The Meta Pixel code is embedded into the website. As soon as a user visits the website, the pixel is triggered and records user data such as IP address, user agent (browser, operating system), pixel identifier, user identifiers (e.g. via cookies or hashed email), visited page, referrer and conversion events. With extended matching, CRM data (email, phone) is also sent.
Storage
The data is stored in Meta's infrastructure. Depending on activity and account status, data is stored short-term (for current campaign evaluations) or longer-term (for audience creation and remarketing). For website operators in the EU, data is typically stored in EU data centers, but may also be transferred to the USA (note DPF certification).
Use
Meta uses the pixel data for several purposes: (1) success measurement of Facebook Ads campaigns for the website operator, (2) creation of Custom Audiences for remarketing, (3) matching of website visitor data with Meta profiles for profile improvement, (4) training of Meta's own machine learning models and recommendation systems, (5) possibly also for Meta's internal business purposes (e.g. fraud detection systems).
Sharing
Meta may share pixel data with its other services (Instagram, Messenger, Audience Network). Furthermore, data may be shared with advertising agencies that manage the website operator's account. The data is not sold, but Meta's partners and advertisers in Meta's ecosystem can indirectly benefit from user profiling.
Erasure
The website operator can deactivate pixel tracking at any time or delete its Meta Ads account. Meta runs automatic deletion routines that vary by data type. The default is typically 90 days after the last activity, but may differ depending on the data type. The operator must verify the exact erasure period.
E. Data Collected when Using Meta Pixel
The Meta Pixel collects extensive data. In standard mode it is:
This data can be classified into the following standardized data type categories:
- Web server log data: IP address, HTTP headers, request timestamp, user agent (browser, operating system, device type), geolocation (based on IP)
- Click paths: Visited pages of the website, referrer URL, clicked elements (buttons, links), scroll behavior, dwell times on individual pages
- End-device data: Device type (desktop, tablet, mobile), screen resolution, operating system version, network type (Wi-Fi, mobile)
- Browser information: Browser name, browser version, cookies (first-party and third-party), local storage, pixel ID (Meta cookie)
- Conversion events: Add-to-cart, checkout completion, purchase completion, registration, contact form completion, download, video view, lead generation with associated content (product name, price, category, quantity)
- User profile data: (With extended matching) email addresses (hashed), phone numbers (hashed), names, date of birth, address, gender – insofar as sent by the website operator to Meta
- Tracking identifiers: Meta Pixel ID, user IDs, hashed email addresses, advertising-specific IDs (e.g. GAID for Android)
F. Purposes of Use when Using Meta Pixel
Meta states that pixel data is processed for the following purposes:
- Conversion tracking: Measurement of whether and when website visitors perform an action as a result of a Meta ad (purchase, registration, etc.)
- Audience creation: Segmentation of website visitors into Custom Audiences for targeted remarketing
- Profile improvement: Enrichment of Meta user profiles with data from the website (purchase history, interests, customer segment)
- User profile creation and interest segmentation: Development of predictions about user interests based on website behavior
- Ad optimization: Training of Meta's algorithms to improve ad targeting accuracy
- Fraud detection and security systems: Detection of suspicious activities on the website or in Meta's ad network
- Possibly Meta's internal business purposes: Meta's documentation acknowledges that data is also used for product improvement systems
G. Legal Bases for Meta Pixel
Core legal basis: Consent
The Meta Pixel is primarily based on consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. Consent is required for the setting of cookies and tracking.
Particularity: Joint Controller
According to Art. 26 GDPR, the website operator and Meta are joint controllers. This means:
- Both are obliged to report transparently on the joint processing
- Both must provide information about the distribution of responsibilities
- Both may be liable if data subjects exercise their rights
The Meta Business Tools Joint Controller Terms govern the distribution:
- The website operator is the controller for the decision to use the pixel and to define conversion events
- Meta is the controller for the further processing of the data in Meta's infrastructure and for Meta's own purposes
Legal basis for the joint controller relationship: Art. 26 GDPR allows two parties to be joint controllers if this corresponds to the reality of the data processing. With Meta Pixel this is the case: both parties jointly make decisions about the means and purposes of collection and transfer.
H. Special Features and Notes regarding Meta Pixel
1. Joint controller status is not optional
In the Fashion ID decision (C-40/17), the CJEU determined that joint controllership exists when there is joint co-responsibility for data processing. This is not negotiable – regardless of whether the parties regulate it contractually or not.
2. Meta Business Tools Joint Controller Terms
Link: https://www.facebook.com/legal/terms/businesstools
These terms should be read and linked. They contain essential distributions of responsibilities and data protection obligations.
3. DPF certification and data transfers to the USA
Meta Platforms Inc. is DPF-certified. This enables data transfers to the USA on the basis of Art. 45 GDPR. An additional DPIA (data protection impact assessment) is nevertheless recommended by data protection experts, especially for sensitive data.
4. Opt-out links for users
- Facebook: https://www.facebook.com/help/109378269482053/ (settings for advertising)
- Instagram: Users can deactivate remarketing ads in the account settings
- Broader control: Ad Preferences in the Facebook/Meta account
5. Extended Matching and customer data
If extended matching is activated, CRM data (email, phone, name) can be sent to Meta. This increases the consent requirements: the privacy policy must explicitly indicate that CRM data is also sent to Meta.
6. Custom Audiences and third-party data
Meta warns against uploading customer-identifying data (PII) that was not collected by the website operator itself. Responsibility for data protection compliance remains with the website operator.
I. FAQ regarding Meta Pixel
J. Conclusion and Recommendation regarding Meta Pixel
Meta Pixel is one of the most widespread tracking tools in e-commerce and digital marketing. Its particularity lies in the joint controller structure: the website operator and Meta are not in a classic processor relationship but are joint controllers. This is legally complex and requires a precise presentation in the privacy policy.
Isolated tool paragraphs are insufficient and contradict Art. 26(3) GDPR. Instead, joint controller relationships should be communicated transparently: with clarification of roles, linking of the Meta Business Tools Terms, and explicit naming of Meta as controller alongside the website operator itself.
A topic-oriented structure with a central explanation of data recipients and their roles is more practical and more legally compliant than traditional text blocks.
This article is intended for general information about Meta Pixel and does not replace legal advice in individual cases. The information is based on manufacturer information (Meta), publicly available sources, CJEU case law and the GDPR. As of: 2026-04-22.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com