If you have a Meta Pixel on your website, you are a joint controller with Meta for the personal data it collects. That is not a theoretical interpretation. It is established law, confirmed by the Court of Justice of the European Union in the Fashion ID case (C-40/17) and applied by data protection authorities across Europe since.
Most UK small businesses running Meta ads have no idea this is the case. They installed the Pixel because Meta told them to, and they have not thought about it since. This post explains what the joint controller relationship means, what your legal obligations are, and what to do about it.
The Meta Pixel is a piece of JavaScript that runs on your website and sends data back to Meta. When someone visits your site, the Pixel collects their IP address, browser information, the pages they visit, and any actions they take (like adding something to a cart or submitting a form). It matches this data against Meta's user profiles to build audiences for your ads and measure conversions.
This is personal data processing. The IP address alone is personal data under UK GDPR. When combined with Meta's ability to match visitors to Facebook and Instagram accounts, it becomes detailed behavioural tracking.
In 2019, the CJEU ruled in Fashion ID (Case C-40/17) that a website operator who embeds a Facebook social plugin is a joint controller with Facebook for the collection and transmission of personal data. The same principle applies to the Meta Pixel, because the mechanism is identical: your website sends visitor data to Meta.
What does "joint controller" mean in practice? Under Article 26 of UK GDPR, joint controllers must have a transparent arrangement that sets out their respective responsibilities for complying with data protection law. You and Meta are both responsible for ensuring the processing is lawful. You cannot point at Meta and say "that is their problem."
Your responsibility as the website operator covers the collection and transmission of data. You decided to put the Pixel on your site. You determine the purposes (advertising, conversion tracking). You are responsible for having a legal basis for that collection and for informing your visitors about it.
For Meta Pixel tracking, consent (under Article 6(1)(a) of UK GDPR and Regulation 6 of PECR) is the only viable legal basis for UK businesses. Here is why the alternatives do not work:
Legitimate interests requires a balancing test. The ICO has been clear that where tracking involves sharing personal data with third parties for advertising purposes, the individual's rights and freedoms are likely to outweigh the business's interest. You would struggle to pass the balancing test for a Pixel that sends behavioural data to one of the world's largest advertising platforms.
Contract performance does not apply because tracking your visitors for ad targeting is not necessary to deliver whatever product or service they came to your site for.
That leaves consent. And consent under UK GDPR means:
In 2024, the Swedish Data Protection Authority (IMY) fined two pharmacy chains a combined 45 million Swedish kronor (approximately 3.4 million GBP) for transferring customer data to Meta through the Pixel. The online pharmacy Apohem was fined 8 million kronor.
The specific problem: Meta's "Advanced Automatic Matching" feature was collecting additional personal data, including information about which pharmaceutical products people were browsing. This is health-related data, which is special category data under GDPR. The pharmacies did not realise this was happening.
The lesson for UK businesses is twofold. First, the Pixel can collect more data than you think, especially if features like Advanced Matching or Automatic Events are enabled. Second, if your website relates to health, finance, legal services, or anything else sensitive, the data the Pixel transmits could be special category data by inference, even if you did not intend it.
The Austrian Data Protection Authority has separately ruled that the use of Meta tracking tools directly violates GDPR and the Schrems II decision, on the basis that personal data is transferred to the United States without adequate safeguards.
1. Audit whether the Pixel fires before consent. Open your website in an incognito browser window. Do not interact with the cookie banner. Open your browser's developer tools (Network tab) and look for requests to facebook.com or connect.facebook.net. If you see them before you have given consent, you have a problem.
2. Check what the Pixel is actually collecting. Log in to Meta Events Manager and review the events being tracked. Look for Custom Events, Advanced Matching, and Automatic Events. If Advanced Matching is on, the Pixel may be collecting email addresses, phone numbers, names, and other data beyond basic page views.
3. Review your cookie consent mechanism. If you use a cookie management platform (Cookiebot, Termly, OneTrust, etc.), verify that the Meta Pixel is correctly categorised as "Marketing" or "Advertising" and that it is blocked until the user gives consent for that category. Test this manually.
4. Update your privacy notice. Your privacy policy should explain that you use the Meta Pixel, what data it collects, that Meta is a joint controller, what the legal basis is (consent), and how users can withdraw consent.
5. Check Meta's Data Processing Terms. Meta offers a Data Processing Terms addendum for business tools. Review whether you have accepted it and whether it covers UK GDPR (not just EU GDPR). Meta's standard terms reference Standard Contractual Clauses for international transfers, but you should verify this is in place for your account.
6. Consider whether you actually need the Pixel. This is the question nobody wants to ask, but it is worth asking. If you are a small business spending a few hundred pounds a month on Meta ads, the compliance overhead of running the Pixel correctly (consent management, privacy notice updates, joint controller documentation, regular auditing) may not be worth it. Meta offers conversion tracking via its Conversions API (server-side), which gives you more control over what data is shared. It is not a compliance silver bullet, but it is more controllable than the client-side Pixel.
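The following is an added example, not code from the post or from Meta, covering steps 1 and 3 above. It scripts the "does the Pixel fire before consent?" check against a captured request list (the `{ url, startedAt }` shape is an assumption; a HAR export or a dump of `performance.getEntriesByType("resource")` would need a small adapter), and shows the gate your site needs so the loader and its events are held until the consent platform reports the marketing category as granted. The host list is the one the post tells you to look for; the sample requests, the `PIXEL_ID_PLACEHOLDER` value and the `example-cmp.invalid` banner host are constructed for the demonstration.

```javascript
"use strict";

// Hosts the post tells you to look for in the Network tab.
const META_TRACKING_HOSTS = ["facebook.com", "connect.facebook.net"];

// True for the host itself or any subdomain of it. The dot-boundary check means
// a lookalike such as "notfacebook.com" is not counted.
function isMetaTrackingHost(hostname) {
  const h = String(hostname).toLowerCase();
  return META_TRACKING_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// Step 1, scripted. `requests` is a list of { url, startedAt } with startedAt in
// milliseconds since navigation start (assumed shape, see lead-in).
// `consentGrantedAt` is the time of the marketing-consent click, or null when the
// visitor never consented. Returns every request to a Meta host that started
// before consent existed.
function auditCapturedRequests(requests, consentGrantedAt) {
  return requests.filter((r) => {
    let host;
    try {
      host = new URL(r.url).hostname;
    } catch {
      return false; // malformed URL: nothing to classify
    }
    if (!isMetaTrackingHost(host)) return false;
    return consentGrantedAt === null || r.startedAt < consentGrantedAt;
  });
}

// Step 3, as code: a gate that holds the Pixel loader and its events until the
// consent platform grants the marketing category. `load` injects the fbevents.js
// script tag and `send` forwards one event; both are passed in so the gate runs
// outside a browser. Withdrawal stops further sends but cannot recall data
// already transmitted, which is why loading early is the thing to prevent.
class ConsentGatedPixel {
  constructor({ load, send }) {
    this.load = load;
    this.send = send;
    this.loaded = false;
    this.state = "pending"; // "pending" (no choice yet) | "granted" | "denied"
    this.queue = []; // events requested before any choice, replayed on grant
  }

  // Called by the consent platform with its category map,
  // e.g. { necessary: true, marketing: false }.
  onConsentUpdate(categories) {
    const granted = Boolean(categories) && categories.marketing === true;
    if (!granted) {
      this.state = "denied";
      this.queue = []; // never replay what was queued once consent is refused
      return;
    }
    this.state = "granted";
    if (!this.loaded) {
      this.loaded = true;
      this.load();
    }
    for (const ev of this.queue.splice(0)) this.send(ev);
  }

  // Application code calls this instead of fbq("track", ...) directly.
  track(eventName, params = {}) {
    const ev = { eventName, params };
    if (this.state === "granted") this.send(ev);
    else if (this.state === "pending") this.queue.push(ev);
    // "denied": dropped on the floor
  }
}

// Constructed sample of what an incognito visit might capture (not real traffic):
// the loader and a PageView beacon fire at 350 ms and 900 ms, the banner is
// accepted at 5000 ms, then a consented AddToCart beacon follows.
const SAMPLE_REQUESTS = [
  { url: "https://example.com/", startedAt: 0 },
  { url: "https://cdn.example-cmp.invalid/banner.js", startedAt: 120 },
  { url: "https://connect.facebook.net/en_US/fbevents.js", startedAt: 350 },
  { url: "https://notfacebook.com/pixel.gif", startedAt: 400 },
  { url: "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView", startedAt: 900 },
  { url: "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=AddToCart", startedAt: 7200 },
];
const SAMPLE_CONSENT_AT = 5000;

// Returns the URLs that show the Pixel fired before consent on the sample.
function runSampleAudit() {
  return auditCapturedRequests(SAMPLE_REQUESTS, SAMPLE_CONSENT_AT).map((r) => r.url);
}

console.log("Pre-consent Meta requests:", runSampleAudit());
```

On the sample the audit returns the fbevents.js loader and the PageView beacon, which is exactly the evidence step 1 asks you to look for. The gate keeps a three-way state deliberately: events raised before the visitor has made any choice are queued and replayed if consent arrives, while events raised after a refusal are dropped rather than queued, so a later grant does not replay activity that happened under a withdrawn consent.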
Meta is a US company. When the Pixel sends data to Meta, that data is transferred to the United States. Under UK GDPR, international transfers require an adequate level of protection.
The UK Extension to the EU-US Data Privacy Framework provides a transfer mechanism for US companies that are certified under the framework. Meta is certified. However, the adequacy of this framework remains contested. If you are relying on it, you should document your transfer impact assessment.
Meta also offers Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum (IDTA) as an alternative transfer mechanism. Check which mechanism applies to your account.
If you are running Meta ads with the Pixel, this is not something to fix "later." The joint controller liability is real. The enforcement trend across Europe is clear. The ICO has not yet issued a major fine specifically for Meta Pixel use in the UK, but the legal analysis is settled. When they do act, businesses that have not addressed this will be exposed.
The minimum steps are: ensure the Pixel only fires after valid consent, update your privacy notice, verify what data the Pixel is collecting, and document your transfer mechanism.
Not sure which of your vendors create compliance risks?
Rowpa checks your website for trackers and matches every tool you use against a verified DPA library with transfer mechanism data and risk notes.
This post is for information only and does not constitute legal advice.