VakteyeVakteye
VAKTEYE
SolutionsPlansAboutContactInsightsCareers
Sign In
Vakteye audit

Meta Pixel GDPR audit: before consent, after rejection

IMY's Meta Pixel enforcement cluster fined multiple Swedish companies for the same underlying pattern: no valid consent was obtained before the pixel's Advanced Matching feature transmitted identifiable parameters — email, phone number, name — together with health-related browsing data, directly to the advertising platform. Vakteye's scan reproduces the technical check: does the pixel fire before any consent choice, does it send personally identifiable Advanced Matching fields, and does it persist after rejection.

Who it's for

  • Any site running Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, or a similar advertising pixel
  • E-commerce and lead-gen sites where Advanced Matching or enhanced conversions may be enabled
  • Companies reviewing their marketing stack after IMY's published Meta Pixel decisions

What Vakteye tests

  • Whether the pixel fires on page load before any consent decision
  • Whether Advanced Matching parameters (email, phone, name) are present in the pixel's network payload
  • Whether the pixel continues sending events after a visitor explicitly rejects tracking
  • Whether the CMP's declared vendor list actually matches the pixel and related trackers observed on the network

Legal basis

GDPR Article 6(1)(a)

Sending identifiable data to an advertising platform requires valid consent as the legal basis — the exact question IMY's Meta Pixel decisions turned on.

GDPR Article 5

Advanced Matching's PII fields raise the data-minimization and purpose-limitation questions at the heart of the fairness principle.

ePrivacy Directive Article 5(3)

The pixel's cookie or device identifier is itself subject to the same prior-consent requirement as any other tracking technology.

Example finding

Advanced Matching sends hashed email before consent

What we observed

A scan of a checkout or lead form finds the pixel's network request includes a hashed email parameter, sent at page load — before the visitor has made any consent choice.

Why it matters

Hashing does not remove the consent requirement — this is the specific technical pattern underlying several IMY Meta Pixel fines. A policy statement that "we don't share personal data with advertisers" does not match this observed behavior.

FAQ

The same behavioral checks apply to any advertising pixel with an Advanced-Matching-style feature — TikTok, LinkedIn, Snap, and similar. The scan reports on whichever trackers it observes on your site.

Disabling Advanced Matching removes one specific risk, but the underlying question of whether the pixel fires before consent remains separate and is tested independently.

A scan can be re-run any time your tracking setup changes, giving you a fresh evidence snapshot within minutes rather than waiting for a scheduled audit cycle.

Ready to see what your website actually does?

Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.

Book a full audit
VakteyeVakteye
VAKTEYE

Website compliance checks for consent, policy, tracking and security. Vakteye shows what happened, what needs fixing and the evidence behind it.

Book demo
VakteyeVakteye
Privacy MonitoredContinuously monitored by Vakteye

PRODUCT

  • Plans
  • Trust center
  • Scanner identity
  • Security policy

COMPANY

  • About us
  • Contact
  • Insights
  • FAQ

LEGAL

  • Privacy Policy
  • Terms of Service
  • Cookies Policy
  • Sub-processors
  • Data Rights (GDPR)
  • For visitors

Contact

  • info@vakteye.com
  • LinkedIn

© 2026 Vakteye. All rights reserved.