Beyond Google: Meta, LinkedIn and TikTok and the consent question
Consent Mode v2 dominates the conversation, but your obligations don't end at Google. Every marketing pixel you load — Meta, LinkedIn, TikTok — processes personal data and needs a legal basis. And beware: the problem isn't solved by blocking browser cookies alone, because much of the tracking has moved to the server.
Meta: the pixel and the Conversions API
Meta offers its own Consent Mode, which asks for consent before activating the Meta Pixel (client side) and the Conversions API / CAPI (server side). The critical nuance is the CAPI: sent from your server, it can transmit hashed data (email, phone) even after the user has rejected cookies in the browser.
That's why a compliant implementation must gate both: the browser pixel and
the server-side CAPI, and propagate consent changes mid-session if the user changes
their mind. Deduplication between pixel and CAPI (via event_id) is fine to avoid
double counting, but it does not replace consent control: both channels must
honor it separately.
The most common mistake: believing that rejecting cookies stops tracking, while the Conversions API keeps sending purchase events from the server without checking consent. That's exactly the kind of processing authorities have fined.
LinkedIn: the Insight Tag
LinkedIn's Insight Tag works as a tracking pixel for B2B retargeting and conversion measurement. In the EU/EEA you must block it until the user opts in through your CMP or tag manager, and only then let it run. Retargeting against your website visitors — even in a professional context — must be disclosed and consented to just like consumer advertising.
TikTok: pixel and Events API
TikTok mirrors Meta's pattern: in addition to the client-side pixel, its Events API shares conversions from the server. That server-side transfer must be disclosed explicitly and separately from client-side pixel consent, because it's a distinct processing activity with its own legal basis.
The third-party cookie problem
These pixels set or read third-party cookies: the ones most scrutinized by authorities and, on top of that, the ones browsers are phasing out (Safari and Firefox already block them; Chrome is moving along its own privacy roadmap). This means two simultaneous pressures:
- Legal: without a consent layer governing them, you're exposed to penalties. The Swedish authority fined pharmacy chains €15 million for using the Meta pixel without a legal basis.
- Technical: even with permission, third-party cookies lose reach, which is why platforms push their server APIs — which, again, must honor consent.
How to check that your tracking honors consent
A quick check anyone can do: open the browser's developer tools, reject consent
in the banner and watch the Network tab. You shouldn't see requests to
facebook.com, linkedin.com or tiktok.com loading pixels. The server side is
harder to see from the browser: there you need to confirm in your CAPI / Events
API that each event includes the user's consent state and that your server
drops the events of those who rejected. If your implementation doesn't do that
server-side check, you're sending data without a legal basis even if the banner
looks correct.
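The server-side check described above, as an added example (not code from this page or from any vendor SDK): the gate looks up the visitor's latest consent decision per destination before anything is hashed or queued, and denies by default. The destination labels, the `ConsentStore` class and the sample events are assumptions constructed for the illustration.

```python
import hashlib

# Assumed destination labels for this example (not vendor identifiers).
DESTINATIONS = ("meta_capi", "linkedin_capi", "tiktok_events_api")


class ConsentStore:
    """Append-only consent log; the latest decision per visitor and destination wins."""
    def __init__(self):
        self._log = []  # (timestamp, visitor_id, destination, granted)

    def record(self, ts, visitor_id, destination, granted):
        self._log.append((ts, visitor_id, destination, bool(granted)))

    def allowed(self, visitor_id, destination, at_ts):
        """Consent state at at_ts; no record means no consent (default deny)."""
        state = False
        # Sort by time; a grant and a refusal at the same timestamp resolve to the refusal.
        for ts, vid, dest, granted in sorted(self._log, key=lambda r: (r[0], not r[3])):
            if vid == visitor_id and dest == destination and ts <= at_ts:
                state = granted
        return state


def hash_email(email):
    # Normalise, then SHA-256. Called only after the consent check has passed.
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def route_event(event, store):
    """Return {destination: payload} for consented destinations; the rest are dropped."""
    out = {}
    for dest in DESTINATIONS:
        if not store.allowed(event["visitor_id"], dest, event["ts"]):
            continue  # dropped: nothing is hashed or queued for this destination
        out[dest] = {"event_id": event["event_id"],  # dedup key, not a consent signal
                     "event_name": event["name"],
                     "hashed_email": hash_email(event["email"])}
    return out


def demo():
    store = ConsentStore()  # constructed sample data below
    store.record(100, "v1", "meta_capi", True)
    store.record(200, "v1", "meta_capi", False)  # visitor changes their mind mid-session
    store.record(100, "v1", "tiktok_events_api", True)
    buy = {"visitor_id": "v1", "event_id": "e-1", "name": "Purchase",
           "email": " Ana@Example.com ", "ts": 150}
    late = dict(buy, event_id="e-2", ts=250)   # sent after the withdrawal
    stranger = dict(buy, visitor_id="v2")      # no consent record at all
    return [route_event(e, store) for e in (buy, late, stranger)]
```

The purchase at t=150 goes to the two consented destinations, the one at t=250 no longer reaches the Meta destination, and a visitor with no consent record produces no outbound payload at all.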
One source of truth for every pixel
| Platform | Client side | Server side | Required action |
|---|---|---|---|
| Meta | Pixel | Conversions API | Gate both until consent |
| LinkedIn | Insight Tag | Conversions API | Block until opt-in |
| TikTok | Pixel | Events API | Disclose and consent server-side |
| Google | gtag / GTM | Server-side tagging | Consent Mode v2 (4 permissions) |
Managing each platform separately is fragile: all it takes is the marketing team adding a new pixel to open a compliance hole. The robust solution is to have one consent layer governing every tracker. Conma detects each pixel with its scanner — including the ones that appear unannounced — and blocks its execution, client and server, until the user decides, with a signed record of every choice. It's the difference between complying with Google and complying for real.