If you run Facebook or Instagram ads and use the Meta Pixel on your website, Meta requires you to have a privacy policy that specifically discloses the use of tracking technologies and data sharing with their platform. The Meta Pixel is a JavaScript snippet that fires on every page where it is installed, sending visitor data (including IP addresses, browser information, page URLs, and conversion events) directly to Meta's servers. This data powers ad targeting, retargeting, conversion measurement, and Custom Audiences. Beyond Meta's own requirements, privacy laws impose strict rules on this type of cross-site tracking. In Europe, the GDPR and the ePrivacy Directive together require opt-in consent before the pixel can fire. The CCPA may classify pixel data sharing as a sale or sharing of personal information, requiring a do-not-sell opt-out. Your privacy policy must clearly explain that you use Meta's advertising tools, what data is collected, how it is shared, and how visitors can opt out of tracking.
What Meta Requires in Your Privacy Policy
Meta's Business Tools Terms (which you agree to when installing the pixel) require that your website have a privacy policy that complies with applicable laws and clearly discloses your use of Meta's tracking technologies. Specifically, Meta requires you to disclose that you collect data using cookies and similar technologies, that this data is shared with third parties (including Meta) for advertising purposes, and that users can manage their ad preferences.
Meta also requires that you obtain all necessary consents from your users before their data is transmitted through the pixel. This is not just a legal technicality — Meta's own audit processes check whether advertisers comply with these terms, and violations can result in your ad account being restricted or shut down. Your privacy policy should include a specific section about third-party advertising that names Meta/Facebook and describes the data-sharing relationship.
If you use Meta's Advanced Matching feature, this additional data collection must also be disclosed. Advanced Matching comes in two forms: automatic Advanced Matching, where the pixel script reads values such as email addresses, phone numbers, and names out of the forms on your page, and manual Advanced Matching, where your own code passes those values to the pixel at initialization. In both cases the values are normalized and SHA-256 hashed in the browser before transmission, but hashing is a matching mechanism, not anonymization: Meta compares the hashes against hashes of its own users' data, so the person is still identified. Advanced Matching sends this data to Meta even when the visitor is not logged into Facebook, which significantly expands the scope of data sharing.
How the Meta Pixel Tracks Visitors
Understanding what the Meta Pixel collects helps you write an accurate privacy policy. When a visitor loads a page with the pixel installed, the following data is sent to Meta: the page URL, referrer URL, the visitor's IP address, browser user agent string, and a browser identifier stored in the _fbp cookie. _fbp is a first-party cookie the pixel script sets on your own domain, so on its own it identifies the browser across pages of your site; recognizing the same visitor on other sites that use the pixel relies on Meta's own cookies (where the browser still allows third-party cookies), on the _fbc cookie that stores the fbclid click identifier Meta appends to ad links, and on Advanced Matching data.
Beyond this baseline tracking, you likely have standard events configured that send additional data. Common ecommerce events include ViewContent (product page views with product IDs and prices), AddToCart (items added to cart), InitiateCheckout, and Purchase (with order value and currency). Lead generation events send data when visitors submit forms. Each of these events transmits the event name, associated parameters, and a timestamp to Meta's servers.
The pixel also enables retargeting — showing ads to people who visited specific pages on your site. When a visitor views a product page but does not purchase, Meta can show them an ad for that product on Facebook and Instagram. Your privacy policy should explain this retargeting behavior in plain language so visitors understand why they see ads related to your site after leaving it.
Conversions API (CAPI) and Server-Side Tracking
Many advertisers now supplement the Meta Pixel with the Conversions API (CAPI), which sends event data from your server directly to Meta rather than relying solely on the browser-based pixel. CAPI was developed partly in response to browser privacy changes (like Safari's Intelligent Tracking Prevention and iOS App Tracking Transparency) that reduce the effectiveness of client-side pixels.
From a privacy perspective, CAPI does not reduce your disclosure obligations — in fact, it may increase them. With CAPI, you are actively sending customer data (email addresses, phone numbers, IP addresses, purchase data) from your server to Meta, even if the visitor has blocked cookies or opted out of browser-based tracking. Your privacy policy must disclose server-side data transmission to Meta, and you must ensure that any consent mechanisms you have in place (cookie consent banners, opt-out links) also govern CAPI data flows.
If you use a platform like Shopify, WooCommerce, or a Customer Data Platform to send CAPI events, the data typically flows through that intermediary before reaching Meta. This adds another third-party processor to your data flow diagram that should be reflected in your privacy policy.
Custom Audiences and Lookalike Audiences
Custom Audiences allow you to upload customer lists (email addresses, phone numbers, names) to Meta so you can target ads to those specific people on Facebook and Instagram. Meta hashes this data and matches it against its user database. While the hashing provides some technical protection, you are still sharing personal data with Meta, and this must be disclosed in your privacy policy.
Under CCPA, uploading customer lists to create Custom Audiences may constitute a sale of personal information because you are providing personal data to a third party (Meta) in exchange for a valuable service (targeted advertising). If this interpretation applies, you must provide California residents with the ability to opt out of this data sharing. Under GDPR, creating Custom Audiences from customer lists requires either explicit consent or a carefully justified legitimate interest assessment — and most data protection authorities lean toward requiring consent.
Lookalike Audiences, where Meta finds new people similar to your existing customers, rely on the same underlying data. Your policy should explain that you may share customer data with advertising platforms to find similar potential customers, and that visitors can opt out of being included in these audiences through Meta's ad preferences settings.
Cookie Consent and Compliance Implementation
For European visitors, the Meta Pixel is classified as a non-essential tracking cookie under the ePrivacy Directive, which means it cannot load until the visitor gives explicit consent. This requires a cookie consent management platform (CMP) like Cookiebot, OneTrust, or Termly that blocks the pixel from firing until consent is granted. The pixel itself also exposes a consent API: calling fbq('consent', 'revoke') before initialization keeps it from sending data until your CMP calls fbq('consent', 'grant'). Note that this only holds the pixel back once its script is already running; the stricter, and safer, implementation is to not load the pixel script at all until advertising cookies have been accepted.
For California visitors under CCPA (as amended by the CPRA), you must include a conspicuous link to opt out of the sale or sharing of personal information. If clicking that link should stop Meta Pixel tracking, your implementation must support this, typically through your CMP's opt-out functionality or by using Meta's Limited Data Use flag, which restricts how Meta processes data from California users who have opted out. In the browser the flag is set with fbq('dataProcessingOptions', ['LDU'], 1, 1000) before the pixel is initialized (1 is the country code for the United States and 1000 the state code for California); the Conversions API carries the same flag in its data_processing_options fields, and the two must agree or the server path silently undoes the browser opt-out.
Your privacy policy should include a dedicated cookies section that lists Meta's cookies by name (_fbp and _fbc are the most common), explains their purpose (advertising tracking and conversion attribution), states their expiration (typically 90 days), and explains how visitors can manage or delete them through their browser settings and your cookie consent tool.
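To show how the consent and opt-out requirements above translate into page code, here is an added example (written for this page; it is not Meta's pixel snippet and not code from the article): a small consent gate that stands between your page and the pixel. It never loads the pixel script or calls fbq('init') until the CMP reports that advertising cookies were accepted, queues events raised before the decision, discards that queue on refusal, sets Limited Data Use before init for a California opt-out, and calls fbq('consent', 'revoke') if consent is later withdrawn. The pixel ID, the loadScript and fbq hooks, and the shape of the CMP decision object are assumptions so the gate can be exercised without a browser; in production loadScript injects Meta's script tag and fbq is window.fbq.

```javascript
// Added example, not the article's or Meta's code: a consent gate for the
// browser pixel. Nothing reaches Meta until the CMP reports acceptance.
function createPixelConsentGate({ pixelId, loadScript, fbq }) {
  let state = 'pending';      // 'pending' | 'granted' | 'refused'
  const queue = [];           // events raised before a decision
  const calls = [];           // record of what was forwarded to fbq

  function forward(...args) { calls.push(args); fbq(...args); }

  return {
    // Page code calls this instead of fbq('track', ...) directly.
    track(eventName, params = {}) {
      if (state === 'granted') forward('track', eventName, params);
      else if (state === 'pending') queue.push([eventName, params]);
      // 'refused': dropped silently; nothing reaches Meta.
    },

    // CMP callback with the visitor's decision (assumed field names).
    applyConsent({ advertising, californiaOptOut = false }) {
      if (state !== 'pending') return state;   // decisions are one-shot here
      if (!advertising) {
        state = 'refused';
        queue.length = 0;                      // forget pre-decision activity
        return state;
      }
      state = 'granted';
      loadScript();                            // only now does fbevents.js load
      if (californiaOptOut) {
        // Must precede init: Limited Data Use, USA (1) / California (1000).
        forward('dataProcessingOptions', ['LDU'], 1, 1000);
      } else {
        forward('dataProcessingOptions', []);  // explicitly no LDU
      }
      forward('init', pixelId);
      forward('track', 'PageView');
      for (const [name, params] of queue.splice(0)) forward('track', name, params);
      return state;
    },

    // Visitor withdraws consent later: stop further sends. The _fbp/_fbc
    // cookies still have to be cleared separately by your CMP.
    withdraw() {
      if (state === 'granted') forward('consent', 'revoke');
      state = 'refused';
      queue.length = 0;
    },

    getState: () => state,
    getCalls: () => calls.slice(),
    queuedCount: () => queue.length,
  };
}

// Constructed walk-through with stubs standing in for the browser pieces.
function demo(decision) {
  const scriptLoads = [];
  const gate = createPixelConsentGate({
    pixelId: '000000000000000',                       // placeholder pixel ID
    loadScript: () => scriptLoads.push('fbevents.js'),
    fbq: () => {},                                   // stand-in for window.fbq
  });
  gate.track('ViewContent', { content_ids: ['sku-1'] });  // before any decision
  gate.applyConsent(decision);
  gate.track('AddToCart', { content_ids: ['sku-1'] });    // after the decision
  return { scriptLoads, calls: gate.getCalls(), state: gate.getState(), queued: gate.queuedCount() };
}

console.log(JSON.stringify(demo({ advertising: true, californiaOptOut: true }), null, 2));
```

The ordering inside applyConsent is the part to copy: dataProcessingOptions before init, init before any track, and the script tag injected only after the decision, so that a visitor who refuses never has fbevents.js executed in their browser and no _fbp cookie is ever set.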