Retargeting Pixels and Privacy Law: What Marketing Teams Need to Get Right
This is part one of a four-part series on marketing technology and privacy law. Part two covers Google Analytics and privacy compliance. Part three examines third-party audience data. Part four addresses building a consent-first marketing stack.
Retargeting is one of the most effective tools in digital marketing, and one of the most legally exposed. The pixel events that power retargeting campaigns transmit behavioral data about individual users to third-party advertising platforms. Under GDPR, CCPA/CPRA, and a growing set of state health data privacy laws, that transmission requires either valid consent or a legal basis that most retargeting configurations cannot sustain.
Marketing teams that assume their cookie banner handles retargeting compliance are, in most cases, wrong. This post explains why, what the exposure looks like, and what a compliant retargeting setup actually requires.
What retargeting pixels transmit
A retargeting pixel placed on a product page or checkout abandonment page fires a network request to an advertising platform. That request typically contains:
- The page URL visited (often including product identifiers, category names, or price information)
- A persistent user identifier: the Facebook Browser ID, Google Client ID, TikTok cookie, or platform-specific identifier for that visitor
- Standard event data: whether a purchase was completed, what was added to a cart, how far a user progressed through a form
- In some configurations: email hashes, phone number hashes, or other Conversions API data passed server-side
The combination of persistent identifier and behavioral event data is, by definition, personal data under GDPR and personal information under CCPA/CPRA. The transmission of that data to Meta, Google, TikTok, or The Trade Desk is a disclosure to a third party. That disclosure requires a legal basis.
Why "legitimate interests" does not work for retargeting
Under GDPR, data controllers can process personal data without consent when they have a legitimate interest that is not overridden by the data subject's interests or fundamental rights. Marketing teams and their DPA advisors have often relied on legitimate interests to justify retargeting without explicit consent. That position has become increasingly untenable.
The European Data Protection Board's guidance on legitimate interests[1] makes clear that retargeting advertising does not pass the balancing test. The data subject has no reasonable expectation that visiting a website will result in behavioral tracking by third-party advertising platforms. The privacy intrusion is significant: the tracking follows users across the internet, involves profiling, and enables inferences about interests and behaviors the user has not disclosed. The commercial interest of the website operator does not override those privacy interests.
Several EU supervisory authorities, including the French CNIL[2] and the Belgian APD,[3] have issued enforcement decisions confirming that retargeting requires explicit consent and cannot rely on legitimate interests. The Irish DPC's decisions against Meta's data processing model[4] have further undermined the legitimate interests argument for advertising-related processing.
Under CCPA/CPRA, retargeting that shares user data with advertising platforms for cross-context behavioral advertising is "sharing" under the statute's definition and requires an opt-out mechanism at minimum, and opt-in consent for sensitive data categories. California also requires that opt-out mechanisms function correctly, including for users signaling via Global Privacy Control.
The consent requirements that actually apply
For retargeting to operate lawfully under GDPR on EU-accessible websites, the required consent is:
- Freely given: Not bundled into terms of service or required for access to the site. The user must be able to use the site without accepting retargeting.
- Specific: The consent must identify the purpose (retargeting advertising) and the recipients (Meta, Google Ads, TikTok, etc. named specifically).
- Informed: The user must understand what they are consenting to, not just see a "Targeted Advertising" category label.
- Unambiguous: Pre-ticked boxes and implied consent from continued site use do not count. The user must take a positive action to consent.
- Withdrawable: Consent must be as easy to withdraw as to give, and withdrawal must take effect immediately.
Most cookie banners in circulation do not meet all five of these criteria. The most common failure points are specificity (advertising platforms are not named) and the freely-given requirement (accepting cookies is required to access content, or rejection is made significantly harder than acceptance).
What happens when retargeting fires without valid consent
When a retargeting pixel fires before a user has given valid consent, or after a user has rejected advertising cookies, the website operator has transmitted personal data to a third party without a legal basis. The consequences depend on jurisdiction:
- GDPR: Fines up to 4% of global annual turnover or €20 million, whichever is higher. Supervisory authority investigations triggered by individual complaints or DPA sweeps. The complainant only needs to show that the pixel fired; the controller bears the burden of demonstrating the legal basis.
- CCPA/CPRA: California Privacy Protection Agency enforcement. Statutory damages of $100-$750 per consumer per incident in consumer-initiated suits for data breaches. The right to opt out of sharing must be honored for GPC signals from any browser or device.
- VPPA: Where retargeting pixels co-exist with video content, the VPPA[5] may provide a separate claim with $2,500 per violation statutory damages.
- State health data laws: Washington's My Health My Data Act and similar legislation treat behavioral data from health-adjacent websites as regulated health data. Retargeting on healthcare, pharmaceutical, or wellness websites can trigger these statutes even if the website is not a HIPAA-covered entity.
Conversions API does not solve the consent problem
Meta, Google, and other advertising platforms have promoted server-side data transmission as a privacy-forward alternative to browser-side pixels. The Meta Conversions API, Google Enhanced Conversions, and similar products send event data from a server-to-server connection rather than through a browser pixel. Marketing teams sometimes interpret this as avoiding the consent requirement because there is no browser cookie.
That interpretation is incorrect. The Conversions API transmits personal data about identifiable users to Meta or Google. The absence of a browser cookie does not affect the legal basis requirement. Server-side transmission of personal data to a third-party advertising platform still requires a GDPR legal basis, still constitutes sharing under CCPA/CPRA, and still triggers the same regulatory obligations. The consent requirement does not attach to the pixel; it attaches to the data processing activity.
Conversions API is architecturally useful for data quality and for reducing dependence on browser cookies that users can delete. It does not create a legal shortcut around consent obligations.
How to audit your current retargeting configuration
The starting point for any retargeting compliance review is a network-layer audit that answers three questions:
- Which retargeting pixels fire on my site, and on which pages? Pixel configuration in a tag manager is not a reliable inventory. Tag managers may have conflicting trigger conditions, and server-side integrations add another layer that the tag manager does not capture.
- Do retargeting pixels fire before consent is given? Test by loading your site in a fresh browser with no prior cookies and observing what fires before interacting with the consent banner. If retargeting pixels appear in that observation window, they are firing without consent.
- Do retargeting pixels fire when a user rejects advertising cookies? Test by rejecting all non-essential cookies and observing subsequent page loads. If retargeting pixels appear in that window, consent rejection is not being honored.
GPC testing is a fourth check that is increasingly important: load the site from a browser sending a GPC signal and confirm that no retargeting pixels fire, regardless of whether the user has interacted with your consent banner. Under CCPA/CPRA, a GPC signal must be treated as an opt-out of sharing for advertising purposes.
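One way to turn the four capture runs above into a pass/fail report, as an added example rather than Lokker's own tooling: it takes a constructed, HAR-style list of outbound requests per consent state and flags any retargeting request that fired outside the accepted state or alongside a Sec-GPC header. The endpoint patterns are an assumed, illustrative list, not an inventory, and server-side integrations that never appear in the browser capture are out of its reach.

```python
from urllib.parse import urlparse

# Assumed, illustrative retargeting endpoints; maintain your own inventory.
RETARGETING_PATTERNS = {
    "Meta Pixel": ("www.facebook.com", "/tr"),
    "Google Ads remarketing": ("googleads.g.doubleclick.net", "/pagead"),
    "TikTok Pixel": ("analytics.tiktok.com", "/"),
}

# Constructed captures: consent state -> [(request URL, request headers)].
# In practice these come from a HAR export of each audit run.
CAPTURES = {
    "pre_consent": [
        ("https://example.com/product/42", {}),
        ("https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=ViewContent", {}),
    ],
    "rejected": [
        ("https://example.com/product/42", {}),
        ("https://googleads.g.doubleclick.net/pagead/viewthroughconversion/123", {}),
    ],
    "accepted": [
        ("https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=AddToCart", {}),
    ],
    "gpc": [
        ("https://analytics.tiktok.com/i18n/pixel/events.js", {"Sec-GPC": "1"}),
    ],
}

def classify(url):
    """Return the platform name when the URL matches a retargeting pattern."""
    parsed = urlparse(url)
    for name, (host, path_prefix) in RETARGETING_PATTERNS.items():
        if parsed.hostname == host and parsed.path.startswith(path_prefix):
            return name
    return None

def audit(captures):
    """Return (state, platform, url) for every retargeting request that fired
    without consent: in any state other than 'accepted', or with a GPC signal."""
    violations = []
    for state, requests in captures.items():
        for url, headers in requests:
            platform = classify(url)
            if platform and (state != "accepted" or headers.get("Sec-GPC") == "1"):
                violations.append((state, platform, url))
    return violations

if __name__ == "__main__":
    for state, platform, url in audit(CAPTURES):
        print(f"VIOLATION {state:<12} {platform:<24} {url}")
```

Any line the script prints is a disclosure the controller must be able to justify; an empty report for the pre-consent, rejected and GPC runs is the target state.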
Where Lokker fits
Lokker's Consent Validator tests your site under each consent state: before consent, after rejection, after acceptance, and under GPC. The output is a network-level record of every outbound request under each condition, which directly answers whether your retargeting configuration fires when it should not.
Privacy Edge scans your full property portfolio and classifies every third-party request by type. Retargeting pixels are identified and scored by the risk they present under GDPR, CCPA/CPRA, and relevant state laws. For marketing teams, the report translates network-level findings into a prioritized remediation list: which pixels to gate immediately, which consent configurations to fix, and which server-side integrations need to be reviewed for legal basis.
If you are not certain which retargeting pixels fire on your site before consent is resolved, you do not have an accurate picture of your exposure. Contact Lokker to run a network-layer audit and find out what your retargeting setup actually transmits.
References
- European Data Protection Board. Guidelines 06/2014 on the Notion of Legitimate Interests of the Data Controller under Article 7(4) of Directive 95/46/EC, as updated under GDPR Article 6(1)(f). The EDPB's analysis establishes that cross-site behavioral tracking for advertising purposes generally fails the balancing test because the intrusion significantly exceeds the data subject's reasonable expectations.
- Commission Nationale de l'Informatique et des Libertés (CNIL). Decisions SAN-2022-019 (Facebook) and SAN-2022-021 (Google), January 2022. The CNIL found that these companies' consent collection mechanisms did not allow users to refuse cookies as easily as they could accept them, and imposed fines of €150 million and €90 million respectively.
- Belgian Data Protection Authority (APD/GBA). Decision on the IAB Europe Transparency and Consent Framework, Case No. DOS-2019-01377, February 2, 2022. The APD found that the TCF consent string constituted personal data and that the legal bases underpinning the framework did not satisfy GDPR requirements for behavioral advertising processing.
- Irish Data Protection Commission. Decision against Meta Platforms Ireland Limited, November 28, 2022 (€265 million fine related to data scraping, Case IN-20-8-6). Additional DPC decisions in 2023 found that Meta's reliance on contract necessity and legitimate interests for behavioral advertising did not constitute a valid GDPR legal basis.
- 18 U.S.C. § 2710 (Video Privacy Protection Act). Section 2710(c) provides a private right of action with statutory damages of not less than $2,500 per violation. See also the companion post on VPPA compliance on this site.
- California Civil Code § 1798.135(b) (CCPA/CPRA). Requires businesses to treat a valid Global Privacy Control signal as an opt-out of the sale and sharing of personal information for cross-context behavioral advertising purposes.