Polaris Audit

Case #009 · 25 Apr 2026 · 6 min read

Facebook Pixel Before Consent: The Exact Legal Risk

One network request. One cookie write. Two violations. Here’s how they stack.

TL;DR

  • Meta Pixel sends a PageView to connect.facebook.net on script load — before any consent banner interaction
  • The _fbp cookie is written simultaneously: a separate ePrivacy Directive violation from the network request
  • Facebook's Consent API exists but is not enabled by default — you have to wire it in GTM manually
  • Fix is a single trigger condition: fire the pixel only when ad_storage = granted

Verdict

Meta Pixel is the most common pre-consent offender found in scanner data across agency-managed sites. The exposure is dual: one count under GDPR Article 6(1)(a) for the network transmission, one under ePrivacy Directive Article 5(3) for the cookie write. Both happen in the same 200ms window on page load. The fix is straightforward — but must be done deliberately.

What the pixel does on load

When the Meta Pixel script is loaded — whether directly in the page HTML or via Google Tag Manager — it executes immediately. Within the first few hundred milliseconds, it does two things:

  • Sends a PageView event as a network request to connect.facebook.net, transmitting the page URL, referrer, browser fingerprint data, and — if the user is logged into Facebook — a matched identity.
  • Writes the _fbp cookie to the browser: a unique identifier that Meta uses to track this specific browser across sessions and sites.

Neither action requires the user to click anything. Both happen before the consent banner is rendered in most configurations. The user has no opportunity to object.

Two violations, one event

The legal exposure is double because two separate regulatory instruments apply simultaneously.

GDPR Article 6(1)(a) — the network transmission

Transmitting personal data (the page URL, user agent, and potentially a matched Facebook identity) to Meta’s servers requires a lawful basis. For advertising-linked data, that basis must be explicit consent. The PageView event fires before consent exists. No lawful basis. Article 6(1)(a) violation.

ePrivacy Directive Article 5(3) — the cookie write

Storing or accessing information on a user’s device — including cookies — requires prior informed consent under Article 5(3) of the ePrivacy Directive. The _fbp cookie is written before consent. This is an independent violation, separate from the network request, enforced by national telecoms regulators in addition to DPAs.

In practice, DPAs often prosecute both simultaneously. The Datatilsynet’s enforcement against Grindr (€6.5M) and the CNIL’s action against Google and Facebook (€150M and €60M respectively) both cited pre-consent data transmission and cookie placement together.


Why the banner doesn’t stop it

The consent banner is a UI component. The Meta Pixel fires via Google Tag Manager. Unless you have explicitly configured GTM to wait for a consent signal before loading the pixel, GTM fires it unconditionally — the banner’s presence is irrelevant to GTM’s execution logic.

Meta does provide a Consent API: fbq('consent', 'revoke') sets the pixel to limited data processing mode. But this API is not invoked by default. Your CMP must be configured to call it, or your GTM setup must block the pixel from loading until consent is granted. Most sites do neither.

The result: the banner looks correct, the Pixel fires before anyone sees it, and the _fbp cookie is in the browser before the first render completes. See the network-level proof of this behaviour for what it looks like in DevTools.
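For sites that cannot gate the tag in GTM, the Consent API call above has to be wired to the CMP by hand. The following is an added example, not code from the original post or from Meta: it assumes fbq and dataLayer are the globals created by the Meta base snippet and the CMP, that the CMP pushes a consent_update event carrying ad_storage, and uses PIXEL_ID_PLACEHOLDER in place of a real pixel ID.

```javascript
// Added example (not from the original post): page-side wiring of Meta's
// Consent API to a CMP's consent_update dataLayer event. fbq and dataLayer are
// assumed to be the usual globals; PIXEL_ID_PLACEHOLDER stands in for a real ID.

function installConsentGate(dataLayer, fbq, pixelId) {
  const state = { granted: false, initialised: false };

  // Meta documents calling revoke before init; init itself is also deferred
  // here, so no PageView or _fbp write can happen until ad_storage is granted.
  fbq('consent', 'revoke');

  function handle(evt) {
    if (!evt || evt.event !== 'consent_update') return;
    if (evt.ad_storage === 'granted' && !state.granted) {
      state.granted = true;
      fbq('consent', 'grant');
      if (!state.initialised) {        // first grant: now start the pixel
        state.initialised = true;
        fbq('init', pixelId);
        fbq('track', 'PageView');
      }
    } else if (evt.ad_storage === 'denied' && state.granted) {
      state.granted = false;           // consent withdrawn after the fact
      fbq('consent', 'revoke');
    }
  }

  // Return visits: the CMP may have pushed stored consent before this ran.
  dataLayer.forEach(handle);
  // Intercept later pushes (the Accept click) without replacing the array.
  const originalPush = dataLayer.push.bind(dataLayer);
  dataLayer.push = (...items) => {
    const len = originalPush(...items);
    items.forEach(handle);
    return len;
  };
  return state;
}

// Stand-alone demo with a recording stub in place of the real fbq.
function demo() {
  const calls = [];
  const fbqStub = (...args) => calls.push(args.join(':'));
  const dataLayer = [];
  installConsentGate(dataLayer, fbqStub, 'PIXEL_ID_PLACEHOLDER');
  dataLayer.push({ event: 'consent_update', ad_storage: 'granted' });
  return calls; // ['consent:revoke', 'consent:grant', 'init:PIXEL_ID_PLACEHOLDER', 'track:PageView']
}
```

On a live page the call is installConsentGate(window.dataLayer, window.fbq, '<your pixel id>') placed after the Meta base snippet and before any fbq('init').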

The GTM fix

The correct fix is to block the Meta Pixel tag from firing until an ad_storage = granted signal exists. In GTM:

  1. Open the Meta Pixel tag in GTM.
  2. Remove the All Pages trigger.
  3. Create a custom trigger that fires only when your CMP’s consent variable for ad_storage equals granted. Most CMPs push a consent_update dataLayer event after the user accepts — use this as the trigger.
  4. Enable “Consent Initialization - All Pages” as a secondary trigger for the Consent Mode signal to work on return visits where consent was previously granted.
  5. In the tag’s Advanced Settings, enable “Additional Consent Checks” and add ad_storage as a required consent type.

After publishing, verify in a private/incognito window: open DevTools Network before loading the page. No requests to connect.facebook.net should appear before you interact with the banner. After clicking Accept, the PageView should fire and _fbp should be set.

If you manage multiple client sites, the banner compliance testing protocol covers the full verification workflow.

Verify the fix is actually working

The GTM preview mode and Meta’s Pixel Helper extension both show tag status — but neither proves zero-load compliance. Both tools run in a context where consent state may already be set from a previous session.

The only reliable test: a fresh browser with no stored consent, network interception from the first byte. The free scan runs exactly this — headless browser, clean state, full network log from page load through consent interaction — and tells you whether connect.facebook.net appears before the first click.
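The DevTools check described under the GTM fix and the clean-state network test above can be automated over a captured log. The following is an added example, not code from the original post or from the scanner it describes: it takes a HAR-style request list plus a cookie-jar snapshot taken just before the Accept click, and flags Meta requests and _fbp writes that precede the click. The host list, cookie list, timestamps and sample entries are the example's own constructed assumptions.

```javascript
// Added example (not from the original post): flag Meta Pixel activity that
// happened before the first consent click, using a HAR-style request list plus
// a cookie-jar snapshot taken just before the click. All sample data is constructed.

const META_HOSTS = ['connect.facebook.net', 'facebook.com']; // example's own list
const META_COOKIES = ['_fbp'];

function hostOf(url) {
  try { return new URL(url).hostname; } catch (_) { return ''; }
}

function isMetaHost(host) {
  return META_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}
// entries: [{ startedDateTime, request: { url } }] as in a HAR export
// cookiesBeforeConsent: [{ name, domain }] taken right before clicking Accept
// consentAt: ISO timestamp of that click; anything earlier is pre-consent
function findPreConsentLeaks(entries, cookiesBeforeConsent, consentAt) {
  const consentMs = Date.parse(consentAt);
  const leaks = [];
  for (const e of entries) {
    const host = hostOf(e.request.url);
    if (Date.parse(e.startedDateTime) < consentMs && isMetaHost(host)) {
      leaks.push({ kind: 'request', host, at: e.startedDateTime });
    }
  }
  for (const c of cookiesBeforeConsent) {
    if (META_COOKIES.includes(c.name)) {
      leaks.push({ kind: 'cookie', name: c.name, domain: c.domain });
    }
  }
  return leaks;
}

// Constructed session: script, PageView beacon and _fbp all land before Accept.
const SAMPLE = {
  consentAt: '2026-04-25T10:00:01.000Z',
  entries: [
    { startedDateTime: '2026-04-25T10:00:00.120Z', request: { url: 'https://connect.facebook.net/en_US/fbevents.js' } },
    { startedDateTime: '2026-04-25T10:00:00.310Z', request: { url: 'https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView' } },
    { startedDateTime: '2026-04-25T10:00:00.400Z', request: { url: 'https://example.test/static/app.js' } },
    { startedDateTime: '2026-04-25T10:00:02.050Z', request: { url: 'https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView' } },
  ],
  cookies: [{ name: 'session', domain: 'example.test' }, { name: '_fbp', domain: '.example.test' }],
};

function sampleReport() {
  return findPreConsentLeaks(SAMPLE.entries, SAMPLE.cookies, SAMPLE.consentAt);
}
```

An empty result from findPreConsentLeaks on a fresh-profile run is the pass condition; the post-consent PageView in the sample is correctly ignored.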
