Meta Pixel is a powerful marketing tool—but it comes with serious legal pitfalls.
Recently, a Hop Studios client received a legal demand alleging violations of federal and state privacy laws due to the use of the Meta Pixel on their website, and asking for a not-insignificant monetary settlement.
Wait, what’s a Meta Pixel?
Meta is the company that owns Facebook. They have some JavaScript code that tracks user behaviour on your website—what pages people visit, what actions they take, what search terms they use, perhaps even information like email addresses if your site visitors enter that into your forms. This JavaScript code – the Meta Pixel – sends all that data to Meta to help optimize Facebook and Instagram ads and to retarget visitors.
This is a good time to mention – we are not lawyers, we are helpful nerds.
Please do not take this blog post as legal advice. This is simply some information we’re sharing with you so that you can get better, more informed legal advice.
Now, I know what you’re probably thinking: Everybody uses the Meta Pixel! How can that be against the law?!?
Strictly speaking, the Meta Pixel itself isn’t illegal or even malicious. Many legitimate businesses rely on it to help guide and improve social media advertising and marketing campaigns and benefit from the data insights it provides.
However, if you use the Meta Pixel or any other tracking tool without informing your visitors and/or obtaining their consent, you may be violating several laws.
Depending on where you are and where your site visitors are, different laws apply to your site.
Health websites and apps must follow the Health Insurance Portability and Accountability Act (HIPAA), which covers how health professionals handle health-related information.
In California, the California Invasion of Privacy Act (CIPA) prohibits the use of any device to “wiretap” communication without consent; many U.S. states have similar laws. The federal Wiretap Act, part of the Electronic Communications Privacy Act (ECPA), does the same.
Then there’s the Computer Fraud and Abuse Act (CFAA), the General Data Protection Regulation (GDPR) for users in the EU, the Video Privacy Protection Act (VPPA) … the list goes on.
So what’s a careful, reasonable website owner to do?
Here’s what we recommend:
- Audit your website tracking tools. If you’re using Meta Pixel, Google Analytics, or any third-party trackers, understand what data is being collected and shared. Review how each tracking tool is set up and limit what it does and how that data is collected, shared, stored and used.
- Review your privacy policy. Make sure it explicitly discloses what data you collect and how it is shared. It should also include information about how you handle opt-out requests, credit card information, and employee records. Some counsel also suggest having employees review and sign off on the privacy policy once a year to ensure compliance.
- Add consent tools to your website. In some jurisdictions, you must also obtain explicit, opt-in consent before tracking begins—so relying solely on ‘by using this site you agree’ language in your privacy policy may not be good enough. Add a cookie consent dialogue box to ensure that tracking doesn’t happen before consent is given.
- Remove unneeded and unused tracking. Yes, you audited your tracking in the first recommendation. Now take a good hard look at your tracking and see if you can do without it entirely. The benefits of not having it are many: a faster site overall, a brand story of respect that you can share with your audience, a smaller tech stack, less legal exposure, and the good feeling that comes from helping to protect the privacy of your customers.
- Get legal guidance. Have your privacy and cookie policy reviewed by a lawyer with expertise in this area and in the laws you are subject to. We recommend a service called Termly.io that helps you get the right privacy policy, the right cookie consent banner and functionality, and gives you someone to turn to for questions. (Disclosure: We have an affiliate partnership with them.)
- Repeat all of the above at least annually. Websites and the underlying technology that runs them constantly change. These efforts won’t protect you if they are only done once and never revisited.
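As an added illustration of the consent-tool recommendation above (this is not code from the original post, nor Meta’s own snippet), here is a small JavaScript wrapper that keeps the Meta Pixel script and every tracking call out of the browser until the visitor opts in. The storage key, the pixel-id placeholder and the status() helper are our assumptions; only the fbevents.js URL and the queue/callMethod stub follow Meta’s published base code.

```javascript
// Consent gate for the Meta Pixel: nothing from Meta is loaded, and no
// tracking call leaves the browser, until the visitor has opted in.
const PIXEL_SRC = 'https://connect.facebook.net/en_US/fbevents.js';
const CONSENT_KEY = 'tracking-consent'; // constructed key: 'pending' | 'granted' | 'denied'

// Browser loader: injects fbevents.js the way Meta's published base code does
// (queue + callMethod stub) and returns the fbq function. Only ever called
// after consent; tests replace it with a fake so nothing is fetched.
function browserLoader(pixelId) {
  const w = globalThis;
  if (!w.fbq) {
    const n = (w.fbq = function () {
      n.callMethod ? n.callMethod.apply(n, arguments) : n.queue.push(arguments);
    });
    n.queue = []; n.loaded = true; n.version = '2.0';
    const s = document.createElement('script');
    s.async = true; s.src = PIXEL_SRC;
    document.head.appendChild(s);
  }
  w.fbq('init', pixelId);
  return w.fbq;
}

function createConsentGate({ pixelId, storage, loader = browserLoader }) {
  let consent = storage.getItem(CONSENT_KEY) || 'pending';
  let fbq = null;      // stays null until consent is granted
  const pending = [];  // calls buffered while the visitor has not yet decided
  // Returning visitor who already opted in: load the pixel right away.
  if (consent === 'granted') fbq = loader(pixelId);

  const setConsent = (value) => { consent = value; storage.setItem(CONSENT_KEY, value); };
  return {
    // Use this everywhere the site would otherwise call fbq() directly.
    track(...args) {
      if (consent === 'granted') fbq(...args);
      else if (consent === 'pending') pending.push(args);
      // 'denied': dropped; nothing is sent to Meta
    },
    grant() {
      setConsent('granted');
      if (!fbq) fbq = loader(pixelId);       // the script is injected only now
      while (pending.length) fbq(...pending.shift());
    },
    deny() {
      setConsent('denied');
      pending.length = 0;                    // buffered calls never leave the browser
    },
    // Handy for the annual audit: is the pixel present before consent?
    status: () => ({ consent, loaded: fbq !== null, buffered: pending.length }),
  };
}
```

Wire the consent dialogue’s buttons to grant() and deny(), and replace direct fbq() calls on the site with track().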
Is all this necessary if people are just coming to read your business’s address and hours? Yeah, actually, it is. It may seem like overkill for a small site, but it’s small sites that often don’t have the right legal protections set up, and that’s what some law firms are hoping for: sites that aren’t up to date on all this, run by people who might be startled or cajoled into paying to make a problem go away.
If you’re concerned about your own website and need help, please reach out. We’re not lawyers, but we can help you understand what you’re tracking and how to get consent to do so!
(Prepared with assistance from ChatGPT)
