GDPR Compliance for Facebook Ads (EU)
Quick Answer
To run Facebook ads compliantly under GDPR, you must obtain explicit, granular, opt-in consent before firing the Meta Pixel or Conversions API for any EU/EEA visitor, document a lawful basis for every processing activity, sign Meta's Controller Addendum (their version of a joint-controller arrangement), and give users a clear way to withdraw consent at any time. Implied consent, pre-ticked boxes and 'cookie walls' are not lawful.
What the rule actually says
The General Data Protection Regulation (Regulation (EU) 2016/679) governs the processing of personal data of anyone in the EU and EEA, regardless of where the advertiser is based. Article 6 lists the six lawful bases — for advertising trackers like the Meta Pixel, the only realistic basis is consent under Article 6(1)(a), reinforced by Article 5(3) of the ePrivacy Directive (the 'cookie law'), which requires consent before storing or accessing information on a user's device.
Following the Irish DPC's 2023 decisions against Meta (built on the CJEU's 2020 Schrems II judgment, not a 2023 ruling) and the EDPB's 2024 opinion on 'consent or pay' models, regulators now expect:
- Consent that is freely given, specific, informed and unambiguous
- A reject-all option as prominent as the accept-all button
- Separate toggles for analytics, advertising and personalisation
- A record of consent (timestamp, version, IP, choices) kept for the duration of processing
- The ability to withdraw consent as easily as it was given
The Meta Pixel sets first-party cookies (_fbp, plus _fbc when a click ID is present), reads browser and device characteristics, and transmits the IP address, user agent, event data and the hashed identifiers supplied by Advanced Matching. Every one of those is personal data under GDPR, and the cookie write alone is enough to trigger Article 5(3) of the ePrivacy Directive.
What is allowed and what is banned
Allowed: running Facebook campaigns to EU audiences, using the Pixel and Conversions API, building Custom Audiences and Lookalikes — provided you have valid consent and the underlying data was lawfully collected.
Banned: firing the Pixel before consent, uploading customer email lists without a lawful basis, retargeting users who have rejected cookies, transferring data outside the EEA without Standard Contractual Clauses or an adequacy decision (the EU-US Data Privacy Framework counts only for recipients that are actually certified), and using 'legitimate interest' as the basis for advertising cookies.
Step-by-step compliance setup
- Audit every page where the Pixel fires. Use a tag debugger and confirm nothing loads before consent.
- Install a certified Consent Management Platform (Cookiebot, OneTrust, Usercentrics, Iubenda) configured for IAB TCF v2.2. Meta is a registered TCF vendor, but the CMP or tag manager still has to turn the TC string into a decision about whether the Pixel loads; the string on its own stops nothing.
- Wire that decision to the Pixel: do not inject fbevents.js until advertising consent exists. If a tag manager has already loaded it, call fbq('consent', 'revoke') before fbq('init') so events queue instead of sending, and fbq('consent', 'grant') only after the user opts in. Meta's Limited Data Use (LDU) flag is a US state-law mechanism, not an EU consent signal; it does not make processing for a visitor who rejected cookies lawful.
- Sign Meta's Controller Addendum inside Business Manager (Settings - Data Sources - Data Protection).
- Implement the Conversions API server-side and gate every event on the stored consent record for that visitor, sending nothing for users who have not opted in. The payload has no consent field: data_processing_options carries the US LDU flag and stays empty for EEA traffic, so the only gate is whether you send the event at all.
- Update your privacy notice with the categories of data sent to Meta, the legal basis, retention periods and the recipient countries.
- Add a cookie policy page listing every cookie set by Meta with its purpose and duration.
- Set up a DSAR workflow so EU users can request access, deletion or objection within one month.
- Document a Data Protection Impact Assessment (DPIA) for any large-scale retargeting.
- Re-consent users every 12 months or whenever processing changes.
Frequently asked questions
Do I need consent if I only show ads, not track conversions?
Yes. Even placing ads on Audience Network, or showing ads to a Custom Audience built from your CRM, requires a lawful basis for the upload and the matching.
Can I rely on legitimate interest for retargeting?
No. The CNIL, Garante and ICO have all confirmed that advertising cookies require consent, not legitimate interest.
What if my business is based outside the EU?
GDPR still applies under Article 3(2) if you offer goods or services to, or monitor the behaviour of, people who are in the EU (the test is presence in the Union, not residency or citizenship). A US-based shop that ships to Germany falls within scope.
Is the Conversions API exempt from consent?
No. Server-side tracking is just a different transport — the underlying processing of personal data still needs a lawful basis and consent for advertising purposes.
How long can I keep Custom Audience data?
Meta deletes uploaded lists after 180 days unless refreshed, but you must also have your own retention policy and delete data when the original purpose ends.
Real fine examples
- Meta Ireland — EUR 1.2 billion (DPC, 2023) for unlawful EU-to-US data transfers.
- Meta Ireland — EUR 390 million (DPC, 2023) for relying on contractual necessity rather than consent for personalised ads.
- Criteo — EUR 40 million (CNIL, 2023) for failing to demonstrate consent for advertising cookies.
- Clearview AI — EUR 20 million (Garante, 2022) for processing biometric data without a lawful basis.
- A French e-commerce brand — EUR 600,000 (CNIL, 2024) for firing the Meta Pixel before consent.
How Pix-Vu helps
Pix-Vu is a privacy-first visual testing and ad-preview tool that lets you build, mock and screenshot Facebook ad creatives without ever loading the Meta Pixel or sending visitor data to third parties. Teams use it to ship GDPR-safe creative review workflows, share previews with clients in regulated industries, and keep testing environments off the production tracking layer. See how it works at https://pix-vu.com.