Advertising integration
Meta Pixel (Facebook Pixel) on Shopify, made compliant
Meta's advertising tracker — used for Facebook/Instagram remarketing and conversion attribution.
Why consent applies to Meta Pixel (Facebook Pixel)
Meta Pixel sets identifiers used for cross-site advertising — the highest-scrutiny category under both GDPR and CCPA. EU consent must be specific opt-in for the marketing category. Under CPRA, sending data to Meta counts as 'sharing' (not just 'selling'), so Meta is explicitly NOT a service provider — the Do Not Sell or Share opt-out must stop pixel data from reaching Meta.
Cookies / scripts Meta Pixel (Facebook Pixel) sets
_fbp_fbcfr (set by facebook.com)
Step-by-step compliance setup
- 1
Default-deny ad_storage and ad_user_data in GCM v2
Meta Pixel doesn't read GCM v2 directly, but if you're running it alongside Google Ads (most stores are), GCM controls the ad-storage signal that gates conversion linking. Set both `ad_storage` and `ad_user_data` to denied initially.
- 2
Block the fbevents.js script load until consent
The pixel base code loads `https://connect.facebook.net/en_US/fbevents.js`. Block this script tag from inserting until the visitor accepts the marketing category. A `type="text/plain"` swap or a createElement override both work.
- 3
Use Conversions API (CAPI) only after consent
Server-side CAPI events bypass the browser, but they still require consent — sending order data to Meta after a visitor opted out is a CCPA share violation. Gate CAPI calls on the same consent flag.
- 4
Stop pixel firing for opted-out California visitors
When `globalPrivacyControl === true` or the visitor clicks Do Not Sell or Share, the pixel must not fire — neither client-side nor via CAPI.
How Consentico handles Meta Pixel (Facebook Pixel)
Consentico's three-layer script blocker (createElement override + MutationObserver + content-type swap) catches the Meta Pixel base code regardless of how a theme or app injects it. CCPA opt-out and GPC are honoured automatically — Meta receives no events for opted-out visitors.
- Default-deny before any tag fires
- Three-layer script blocking (createElement + MutationObserver + content-type)
- Audit-ready consent log
Related concepts
- Google Consent Mode v2Google's framework for sending consent signals to GA4 and Google Ads. Mandatory for EU/EEA traffic since March 2024.
- Do Not Sell or ShareRequired CCPA/CPRA opt-out link visible on every page of a California-targeting site. Renamed from 'Do Not Sell' in 2023.
- Global Privacy ControlBrowser-level signal that automatically opts users out of data sale or sharing. CPRA requires Californian-targeting sites to honour it.
- CCPACalifornia's privacy law, expanded in 2023 by the CPRA. Requires a 'Do Not Sell or Share' link and honouring of GPC for California residents.
Related integrations
- Google Analytics 4 (GA4)Google's behavioural-analytics product, mandatory since Universal Analytics was deprecated in July 2023.
- TikTok PixelTikTok's conversion-tracking pixel for TikTok Ads — increasingly common for Shopify stores targeting Gen Z.
- KlaviyoEmail + SMS marketing platform with a Shopify-native web tracker for behavioural segmentation.
Block Meta Pixel (Facebook Pixel) until consent — in five minutes.
Free for stores under 5,000 banner views per month. No code, no theme edits.