August 19, 2022

Can I use a tracking pixel without my visitors' consent?

TLDR:

  • Cookies allow websites to store information on their visitors' browsers. They can be used to recognize when a visitor returns to a website.
  • Some cookies can be used without your visitors' consent as long as they are anonymized and are not communicated to third parties.
  • Using a retargeting cookie like the Facebook Ads pixel is not "essential", thus you need the consent of your visitors to activate it.

On Twitter the other day, an indie maker asked me an interesting question that I’d like to address in this blog post:


In the European Union, two texts coexist and govern the use of pixels and cookies on websites: ePrivacy and the GDPR (when collecting personal information). If your website is visited by European residents or if you’re based in the EU, you most likely need to comply with their rules.

👉 First of all, let’s define what cookies and pixels are:

🍪 A cookie is a small file stored by a server on the computer, tablet or mobile phone of a website visitor and associated with a web domain. A cookie has multiple use cases. It can serve to:

  • memorize a customer ID, a shopping cart, the language of the visit,
  • track the visitor's navigation to measure the audience of a website or for advertising purposes.

Some are essential to providing the website to visitors; some are requested by them. Every other cookie requires consent, as it is not strictly necessary and can invade the privacy of visitors at times.

👾 A pixel, meanwhile, is an alternative tracking method to cookies, traditionally implemented as a 1x1 pixel image embedded in the website but invisible to the visitor. The loading of this image, whose name contains a user ID, informs the server on which it is hosted that the tracked visitor has visited a page of the website.

That being said 💬 what interests my Twitter friend is:

He’s been using Plausible Analytics, a cookie-free solution, to measure the audience of his website for a while now. He wanted to go further and implement a Facebook pixel to track conversions from Facebook ads and optimize his ads by retargeting visitors who have already taken some action on the website 🎯

The use of this cookie is not "essential" and is a lot more invasive than a simple audience measurement.

Under EU laws, Plausible Analytics and other privacy-friendly analytics tools (like Matomo, Simple Analytics, Compass, Wizaly, etc.), when used correctly, don’t require consent, either because:

  • they don’t collect personal information 🎫 or
  • they’re only used to measure the audience of a website, never communicate data to third parties and provide purely anonymized statistics to the website holder (only available in France).

However, when the Facebook pixel or any other pixel enters the game, the visitor's consent is no longer an option, it’s a necessity. So if my Twitter friend wasn’t required to collect his visitors’ consent until then, he now has to do it if he wants to stay compliant and respect his visitors’ privacy, and especially their freedom to choose whether they want to be tracked or not.

But how to collect consent on his website?

The first thing I would advise him: don’t even think of using pre-ticked boxes, they’ve been forbidden for a while now 🙈

Instead, 1️⃣ inform the visitor of the existence of the tracking and its purposes in your Cookie Policy and 2️⃣ use a consent solution (like Cookiebot) which will help your visitors understand what they agree to and also easily manage their consent throughout their journey on your website.
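
To make the "no pre-ticked boxes, consent before the pixel" rule concrete, here is an added example (not code from this post, from Facebook or from any consent tool) of a pixel loader that stays silent until an explicit opt-in is recorded. The `tracker.example` endpoint, the `consent.v1` storage key and all function names are hypothetical.

```javascript
// Added example: names and the tracker.example endpoint are hypothetical.
const PIXEL_URL = "https://tracker.example/pixel.gif";

// Consent state: every non-essential purpose starts as "not granted".
// Nothing is pre-ticked; only an explicit visitor action flips a flag.
function createConsentStore(storage) {
  const KEY = "consent.v1";
  const read = () => {
    try { return JSON.parse(storage.getItem(KEY)) || {}; }
    catch { return {}; } // corrupt or missing value => treat as no consent
  };
  const write = (purpose, value) =>
    storage.setItem(KEY, JSON.stringify({ ...read(), [purpose]: value }));
  return {
    has: (purpose) => read()[purpose] === true,
    grant: (purpose) => write(purpose, true),
    withdraw: (purpose) => write(purpose, false),
  };
}

// Injects the 1x1 image only when "advertising" consent is recorded.
// Returns the element, or null when the pixel was not loaded.
function loadPixelIfConsented(doc, consent, eventName) {
  if (!consent.has("advertising")) return null;
  const img = doc.createElement("img");
  img.width = 1;
  img.height = 1;
  img.alt = "";
  img.src = `${PIXEL_URL}?ev=${encodeURIComponent(eventName)}`;
  doc.body.appendChild(img);
  return img;
}

// Minimal in-memory stand-ins so the example runs outside a browser (constructed).
function fakeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
function fakeDocument() {
  const children = [];
  return {
    createElement: (tag) => ({ tag }),
    body: { children, appendChild: (el) => { children.push(el); } },
  };
}
```

In a browser, pass `document` and `localStorage`, and call `grant("advertising")` only from the click handler of a control that starts unticked.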

Don’t know how to write a Cookie Policy? We have the GDPR compliance generator you need at Privacyboard 😉
