Meta Pixel GDPR audit: before consent, after rejection
IMY's Meta Pixel enforcement cluster fined multiple Swedish companies for the same underlying pattern: no valid consent was obtained before the pixel's Advanced Matching feature transmitted identifiable parameters — email, phone number, name — together with health-related browsing data, directly to the advertising platform. Vakteye's scan reproduces the technical check: does the pixel fire before any consent choice, does it send personally identifiable Advanced Matching fields, and does it persist after rejection.
Who it's for
- Any site running Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, or a similar advertising pixel
- E-commerce and lead-gen sites where Advanced Matching or enhanced conversions may be enabled
- Companies reviewing their marketing stack after IMY's published Meta Pixel decisions
What Vakteye tests
- Whether the pixel fires on page load before any consent decision
- Whether Advanced Matching parameters (email, phone, name) are present in the pixel's network payload
- Whether the pixel continues sending events after a visitor explicitly rejects tracking
- Whether the CMP's declared vendor list actually matches the pixel and related trackers observed on the network
Legal basis
GDPR Article 6(1)(a)
Sending identifiable data to an advertising platform requires valid consent as the legal basis — the exact question IMY's Meta Pixel decisions turned on.
GDPR Article 5
Advanced Matching's PII fields raise the data-minimization and purpose-limitation questions at the heart of the fairness principle.
ePrivacy Directive Article 5(3)
The pixel's cookie or device identifier is itself subject to the same prior-consent requirement as any other tracking technology.
Example finding
Advanced Matching sends hashed email before consent
What we observed
A scan of a checkout or lead form finds the pixel's network request includes a hashed email parameter, sent at page load — before the visitor has made any consent choice.
Why it matters
Hashing does not remove the consent requirement — this is the specific technical pattern underlying several IMY Meta Pixel fines. A policy statement that "we don't share personal data with advertisers" does not match this observed behavior.
FAQ
Ready to see what your website actually does?
Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.
Book a full audit