GDPR, CCPA & Retargeting Pixels: What Marketers Need to Know
Using retargeting pixels from Facebook, Google, or other ad networks? You need to understand your legal obligations under GDPR and CCPA. Getting this wrong can result in significant fines.
This guide explains what you need to know about using retargeting pixels compliantly.
What Are Retargeting Pixels?
Retargeting pixels are small pieces of code you place on your website (or in tracking links) that collect data about visitors. This data is sent to advertising networks like Meta (Facebook), Google, or TikTok, allowing you to show targeted ads to people who have visited your site.
The problem? These pixels collect personal data, which triggers privacy law obligations.
Do I Need Consent for Retargeting Pixels?
Yes. Under both the GDPR and the ePrivacy Directive (the "Cookie Law"), you must obtain consent before firing retargeting pixels.
Retargeting pixels are considered "non-essential" cookies/tracking. Unlike essential cookies (which are needed for your website to function), retargeting is for marketing purposes and requires explicit opt-in consent.
This means you need:
- A cookie consent banner that loads before any tracking pixels fire
- Genuine consent — pre-ticked boxes don't count
- The ability for users to withdraw consent easily
- Documentation of consent for compliance purposes
Am I a Data Controller?
Yes. When you embed retargeting pixels on your website, you are typically considered a joint data controller alongside the advertising network.
This was clarified by the Court of Justice of the European Union (CJEU) in the Fashion ID case (2019). The court ruled that a website embedding Facebook's Like button (which works similarly to tracking pixels) shares responsibility with Facebook for the data collection.
As a joint controller, you are responsible for:
- Obtaining valid consent before the pixel fires
- Informing users about the data collection in your privacy policy
- Having a lawful basis for processing (typically consent for retargeting)
The ad network is also a controller — they use the data for their own purposes (improving ad targeting, building user profiles). They are not merely a "data processor" acting on your instructions.
GDPR vs CCPA: Key Differences
GDPR (EU/UK)
- Requires opt-in consent before tracking
- Applies to anyone targeting EU/UK residents
- Fines up to €20 million or 4% of global revenue
CCPA (California)
- Requires opt-out mechanism ("Do Not Sell My Personal Information")
- Applies to businesses meeting certain thresholds
- Users can opt out of "sale" of personal information (which includes sharing data with ad networks for cross-context behavioral advertising)
- Fines up to $7,500 per intentional violation
Note: The CPRA (California Privacy Rights Act) strengthened CCPA requirements, including new rules around "sharing" data for advertising purposes.
How to Use Retargeting Pixels Compliantly
1. Implement a Consent Management Platform (CMP)
Use a cookie consent tool that:
- Blocks tracking pixels until consent is given
- Records consent for compliance purposes
- Allows users to withdraw consent
Popular options include Cookiebot, OneTrust, and Termly.
2. Update Your Privacy Policy
Clearly explain:
- What tracking pixels you use
- What data is collected
- How the data is shared with ad networks
- Users' rights regarding their data
3. Configure Consent Mode
Both Google and Meta offer "Consent Mode" features that adjust tracking behavior based on user consent. Enable these to ensure pixels respect user choices.
4. Consider Server-Side Tracking
Server-side tracking (like Meta's Conversions API) gives you more control over what data is shared, though consent requirements still apply.
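One way to implement the gating that step 1 describes, as an added example that is not from this guide's original text or from any CMP vendor: pixels are queued until an explicit grant, every choice is logged, and withdrawal stops further loads. `ConsentGate`, the purpose name `marketing` and the loader callbacks are hypothetical; a real loader would inject the vendor's script tag.

```javascript
// Added example: consent gate for marketing pixels. All names are hypothetical.
class ConsentGate {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.state = {};    // purpose -> true/false; absent means no choice yet
    this.pending = [];  // { purpose, name, load } waiting for consent
    this.loaded = [];   // names of pixels that have actually fired
    this.log = [];      // append-only consent record for audits
  }

  // Register a pixel; it fires only once its purpose has been granted.
  register(purpose, name, load) {
    if (this.state[purpose] === true) this._fire(name, load);
    else this.pending.push({ purpose, name, load });
  }

  // Record a user choice. Anything but boolean true is stored as a denial,
  // so a dismissed banner or a missing value never counts as consent.
  setConsent(purpose, granted, source) {
    const value = granted === true;
    this.state[purpose] = value;
    this.log.push({ purpose, granted: value, source, at: this.now() });
    if (!value) return;
    const ready = this.pending.filter(p => p.purpose === purpose);
    this.pending = this.pending.filter(p => p.purpose !== purpose);
    ready.forEach(p => this._fire(p.name, p.load));
  }

  withdraw(purpose, source) { this.setConsent(purpose, false, source); }

  _fire(name, load) { load(); this.loaded.push(name); }
}

// Constructed walk-through; the loaders stand in for injecting a vendor script.
function demo() {
  const gate = new ConsentGate(() => "2024-01-01T00:00:00Z");
  const fired = [];
  gate.register("marketing", "retargeting-pixel", () => fired.push("retargeting-pixel"));
  const beforeChoice = fired.length;
  gate.setConsent("marketing", undefined, "banner-dismissed");
  const afterDismiss = fired.length;
  gate.setConsent("marketing", true, "banner");
  const afterGrant = fired.length;
  gate.withdraw("marketing", "settings-page");
  gate.register("marketing", "second-pixel", () => fired.push("second-pixel"));
  return { beforeChoice, afterDismiss, afterGrant, afterWithdraw: fired.length, log: gate.log };
}
```

Withdrawal in this example only stops later loads; a vendor script already injected into the page keeps running until the page is reloaded.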
What About Linkly?
When you add retargeting pixels to Linkly links, the same rules apply. If you're targeting users in the EU/UK or California, you should:
- Only use retargeting pixels on links where you have a lawful basis
- Ensure your main website has proper consent mechanisms
- Consider whether the context of your link sharing implies consent
For links shared in contexts where you cannot obtain consent (like social media posts to cold audiences), consider whether retargeting pixels are appropriate.
Summary
Using retargeting pixels requires you to:
- Obtain consent before firing tracking pixels (GDPR/ePrivacy)
- Provide opt-out mechanisms (CCPA)
- Inform users in your privacy policy
- Recognize your role as a joint data controller
Privacy compliance isn't optional — it's a legal requirement that protects both your users and your business.