Facebook advertising and the GDPR are a complex topic with real consequences. In recent years, supervisory authorities have hit Meta with fines in the billions. German and Austrian data protection authorities have ruled that certain Facebook tools are not GDPR-compliant without proper consent.
This article provides a structured overview of the legal requirements—without scare tactics, but with clear recommendations for action. Note: This is not legal advice.
The core issue: data transfers to the US
Meta is a US company. As soon as you use the Meta Pixel, upload customer data as a Custom Audience, or send user data to Meta in any way, a data transfer to the US takes place.
Under the GDPR, this transfer is only lawful if appropriate safeguards are in place. Since the EU–US Data Privacy Framework (2023), the situation has improved—but it’s still not entirely free of issues.
The Meta Pixel sets cookies and transmits user data. This is only lawful with the user’s explicit, freely given, and informed consent (Art. 6(1)(a) GDPR).
In practice, this means: a cookie banner that enables the Pixel by default, or where “Reject” is harder to access than “Accept,” is not GDPR-compliant. The Pixel may only be activated after the user has actively consented.
A Consent Management Platform (CMP) is the technical system used to obtain, store, and manage consent. Well-known providers include Usercentrics, Cookiebot, OneTrust, and Borlabs Cookie (for WordPress).
Requirements for a GDPR-compliant CMP: granular consent per cookie category, equally easy access to accept and reject, an option to withdraw consent, and documentation of all consents.
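The points above (Pixel only after active consent, no pre-ticked defaults, withdrawal must work) can be enforced in the tag-loading code rather than left to the banner's visuals. The following is an added example written for this article; it is not code from Meta or from any CMP vendor. It assumes the CMP hands over a consent object of the shape `{ decisionMade, marketing }` (a hypothetical shape; real CMPs differ), and the script loader and `fbq` function are passed in so the gating logic can be checked outside a browser. The `fbq('init', …)`, `fbq('consent', 'grant')` and `fbq('consent', 'revoke')` calls are the Pixel's own documented API; the pixel id is a placeholder.

```javascript
// Added example: consent-gated Meta Pixel loading (not the article's or Meta's code).
// Assumed CMP consent shape: { decisionMade: boolean, marketing: boolean }.
const PIXEL_ID = 'PIXEL_ID_PLACEHOLDER'; // placeholder, not a real pixel id

// Only an explicit, recorded opt-in counts. A missing object, a banner that has
// not been answered yet, or a pre-ticked default (decisionMade === false) never does.
function hasMarketingConsent(consent) {
  return Boolean(
    consent && consent.decisionMade === true && consent.marketing === true
  );
}

// Applies the current consent state to the Pixel. `env` carries the injected
// browser dependencies (loadScript, fbq) and a small state record so that the
// script is fetched at most once and the decision can be inspected afterwards.
function applyPixelConsent(consent, env) {
  const state = env.state || (env.state = { loaded: false, granted: false });

  if (hasMarketingConsent(consent)) {
    if (!state.loaded) {
      // The Pixel script is fetched only here, i.e. only after an active opt-in.
      env.loadScript('https://connect.facebook.net/en_US/fbevents.js');
      env.fbq('init', PIXEL_ID);
      state.loaded = true;
    }
    env.fbq('consent', 'grant');
    env.fbq('track', 'PageView');
    state.granted = true;
  } else if (state.loaded) {
    // Consent withdrawn after the Pixel was loaded: stop further data collection.
    env.fbq('consent', 'revoke');
    state.granted = false;
  }
  // Without consent and without a loaded Pixel nothing is contacted at all.
  return state;
}

// Test double standing in for the browser: records every call instead of
// contacting Meta. Constructed for this example.
function makeFakeEnv() {
  const env = { scripts: [], calls: [] };
  env.loadScript = (url) => env.scripts.push(url);
  env.fbq = (...args) => env.calls.push(args);
  return env;
}

// Walk-through of the three situations the article describes.
function demo() {
  const env = makeFakeEnv();
  applyPixelConsent(undefined, env);                           // banner not answered
  applyPixelConsent({ decisionMade: false, marketing: true }, env); // pre-ticked default
  const afterNoConsent = { scripts: env.scripts.length, calls: env.calls.length };
  applyPixelConsent({ decisionMade: true, marketing: true }, env);  // active "Accept"
  const afterAccept = { scripts: env.scripts.length, granted: env.state.granted };
  applyPixelConsent({ decisionMade: true, marketing: false }, env); // later withdrawal
  return { afterNoConsent, afterAccept, afterWithdraw: env.state.granted, calls: env.calls };
}
```

In a real page the CMP's change event calls `applyPixelConsent` with the current consent object, and the Pixel snippet itself is never placed in the page head unconditionally; the loader above is the only path to `fbevents.js`.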
Custom Audiences: The legal basis
Uploading customer data (email lists) as a Custom Audience is only lawful if you have a valid legal basis for sharing the data with Meta. Options: explicit consent (the safest), legitimate interest (controversial; requires case-by-case assessment).
Important: Meta processes the uploaded data only after hashing—but that does not change the requirement on your side to ensure lawfulness.
Conversion API (CAPI): More privacy-friendly than the Pixel?
The Conversion API sends event data server-side, without setting browser cookies, so the cookie-consent requirement does not attach to the transmission mechanism itself. The GDPR requirements are unchanged, however: personal data (IP address, hashed email) is still being transferred to Meta.
CAPI is technically more robust than the browser Pixel—but it’s not a GDPR free pass. The lawfulness of processing must be ensured regardless of the technical method of transmission.
iOS 14 and the loss of tracking
Apple’s App Tracking Transparency (ATT) with iOS 14 has significantly reduced the data basis for Facebook targeting. Users who decline tracking (around 60–70%) are invisible to the Pixel. Effects: fewer retargeting data points, incomplete conversion measurement, less effective lookalike audiences.
Countermeasures: implement CAPI, configure Aggregated Event Measurement, strengthen first-party data.
Every privacy policy must transparently disclose the use of Meta tools: what data is collected, for what purpose, on what legal basis, how long it is stored, and that data is transferred to Meta (US).
Practical checklist: GDPR-compliant Facebook marketing
- A working CMP implemented?
- Pixel only starts after active consent?
- Privacy policy up to date and complete?
- Data processing agreement (DPA) concluded with Meta?
- Custom Audience uploads checked for legal basis?
- CAPI implemented as a supplement to the Pixel?
- Regular reviews for new regulatory decisions?
Conclusion
Facebook advertising can be GDPR-compliant—but only with careful implementation. The key measures: a functioning CMP, correct consents, an up-to-date privacy policy, and CAPI as an additional tracking tool. If you implement these, you’ll be well positioned.