Load the Meta (Facebook) Pixel only after consent
The Meta Pixel tracks visitors for advertising and builds custom audiences. Firing it on page load shares behaviour with Meta before consent — and Meta is a joint controller for that data.
Why it matters
Advertising pixels are the clearest example of non-essential tracking that needs prior consent. Because you and Meta are joint controllers (GDPR Art. 26), a pre-consent pixel exposes both the identifiers it drops and the fact that no valid basis existed when it fired.
How to fix it
Never call fbq('init') or fbq('track') on load. Initialise the pixel inside your consent callback, and if the visitor rejects, do not load connect.facebook.net at all.
<!-- Do NOT init on load. Only inside the Accept handler: -->
function onConsentAccepted() {
!function(f,b,e,v,n,t,s){/* standard Meta snippet */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'YOUR_PIXEL_ID');
fbq('track', 'PageView');
}
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.
Related guides
- Stop Google Analytics from loading before consent (KVKK/GDPR) KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Gate Google Tag Manager behind consent KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Session recording (Hotjar, Clarity, Yandex) needs explicit consent KVKK m.5 · GDPR Art. 6 · Art. 9 risk
- Self-host Google Fonts to stop leaking visitor IPs KVKK m.9 · GDPR Chapter V (transfers)
These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.