Meta Pixel found to be in violation of GDPR


Donata Stroink-Skillrud

Co-founder and President of Termageddon

With the recent decision by the Austrian Data Protection Authority (DPA) finding that Google Analytics is not compliant with the General Data Protection Regulation (GDPR), it should come as no surprise that the DPA has started evaluating other services for GDPR compliance. In fact, the Austrian DPA has just found that the Meta Pixel directly violates GDPR as well. This decision affects millions of websites using the Meta Pixel and puts them at risk of GDPR non-compliance fines. In this article, we will discuss who this decision applies to and how you can protect your business.

Who needs to stop using the Meta Pixel? 

Since this decision concerns GDPR compliance, we will first discuss who GDPR applies to so that you can determine whether this decision affects you and your business. GDPR is a European Union privacy law that applies to anyone that: 

  • Has an establishment in the European Union; 
  • Offers goods or services to European Union residents, regardless of their location; 
  • Tracks the behavior of European Union residents online (through cookies, pixels or analytics services), regardless of their location. 

As you can see from the above, you do not need to be located in the European Union for this privacy law to apply to you, and thus businesses all over the world can be affected by this decision.

Meta Pixel is not compliant with GDPR 

This decision by the Austrian DPA was made due to a complaint filed by the privacy rights group NOYB (None of Your Business). The complaint alleges that on December 8, 2020, an individual visited a website hosted by an Austrian media company while logged into his personal Facebook account. At the time, the company used the Meta Pixel tool to track an individual's activities on the website. According to the individual, merely accessing the website triggered the Meta Pixel tool, which subsequently transferred his personal data (e.g. IP address) to the United States. The DPA found that such a transfer is illegal and thus in violation of GDPR. The DPA stated that website operators subject to GDPR should avoid the use of the Meta Pixel.

Why was the transfer of personal data to the United States illegal? 

The Meta Pixel was found to be in violation of GDPR because it transferred the individual's personal data to the United States. To better understand this decision, one must look at why such transfers are illegal. Due to the lack of a comprehensive privacy law that protects the privacy of individuals, and due to the surveillance conducted by United States intelligence agencies, the European Union has long held that the United States does not provide adequate privacy protections to individuals.

Prior to 2020, companies could use a data transfer mechanism called the EU-US Privacy Shield Framework to legally transfer personal data from the European Union to the United States. However, in 2020, in response to a complaint filed by NOYB, this mechanism was struck down as it was found that it does not provide adequate protection to individuals as US intelligence agencies could still access this personal data. The decision found that companies who want to transfer personal data from the European Union to the United States could no longer rely on the EU-US Privacy Shield and must ensure that the transferred data receives equivalent protection to that provided in the European Union. This includes contractual requirements and technical safeguards to ensure that the data is protected in the recipient country. 

Unfortunately, since the elimination of the EU-US Privacy Shield, companies have been scrambling to implement such contractual and technical safeguards. In this particular decision, these safeguards were not in place at the time of the transfer, thus leading to a violation. 

How companies can protect themselves in light of this decision

In its decision, the Austrian DPA stated that companies that need to comply with GDPR should avoid the use of the Meta Pixel. While the European Union and the United States have been working on an EU-US Privacy Shield replacement, no such replacement is currently in place, and groups such as NOYB have stated that they would challenge any potential replacement as well. Thus, at this time, transfers of data from the European Union to the United States have a high potential of being challenged and found to be non-compliant with GDPR. As such, website owners should avoid products such as Google Analytics and the Meta Pixel that have been found to be in violation of GDPR.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.