Every time a visitor lands on a page that contains a Facebook Like button, a LinkedIn share widget, or an embedded TikTok video, something fires in the background. The social platform drops one or more cookies onto that visitor's browser - even if they never click the button. These are social media cookies, and they exist for one reason: to follow people across the web and feed that data back to the platform's advertising engine.

What Are Social Media Cookies?

Social media cookies are small text files placed on a visitor's device by third-party social networking platforms. They activate whenever a website loads a resource from that platform - a tracking pixel, an embed, a share button, or a login widget. The platform's servers deliver the cookie alongside the requested resource, and from that point on, the cookie identifies the visitor as they move from site to site.

These cookies overlap heavily with marketing and advertising cookies. The European Union Agency for Cybersecurity (ENISA) classifies them alongside targeting cookies because they perform near-identical functions: building profiles, enabling retargeting, and measuring ad conversions. The key distinction is the source. Social media cookies are set exclusively by social platforms, not by standalone ad networks.

Which Platforms Set These Cookies (and What Do They Collect)?

The biggest offenders in terms of reach are Meta (Facebook and Instagram), LinkedIn, TikTok, X (formerly Twitter), and Pinterest. Each uses its own tracking pixel or JavaScript tag that website owners voluntarily install to measure ad performance.

| Platform | Key Cookies / Identifiers | Purpose | Default Duration |
|---|---|---|---|
| Meta (Facebook/Instagram) | _fbp, _fbc, fr | Ad attribution, retargeting, conversion tracking | 90 days (rolling) |
| LinkedIn | bcookie, li_sugr, UserMatchHistory | Insight Tag tracking, audience matching, campaign reporting | 1-2 years |
| TikTok | _ttp, tt_webid | Pixel conversion tracking, ad optimisation | 13 months |
| X (Twitter) | muc_ads, personalization_id, guest_id | Ad targeting, interest profiling, tweet engagement tracking | Up to 2 years |
| Pinterest | _pin_unauth, _pinterest_sess | Conversion tracking, interest-based targeting | 1 year |

Meta's _fbp cookie deserves particular attention. It is a first-party cookie set by the Meta Pixel, present on roughly 18% of all websites according to the Open Cookie Database. Research published by ACM in 2023 found that 87% of websites running the Meta Pixel automatically refresh the _fbp expiration date on each visit, meaning the nominal 90-day lifespan can extend indefinitely. When combined with the _fbc cookie - which stores the Facebook Click ID appended to landing page URLs - Meta can link anonymous browsing activity directly to a logged-in Facebook user profile.

How Social Media Pixels Work Behind the Scenes

The mechanics are straightforward but powerful. A website owner pastes a snippet of JavaScript - the "pixel" - into their site's header. When a page loads, the pixel fires an HTTP request to the platform's server. That request carries the cookie value, the page URL, the referring URL, and often additional event data (page views, add-to-cart actions, purchases). The platform matches this incoming data against its own user database.

Meta's Pixel, for example, tracks over 28 distinct web events, far more than the 18 "standard events" listed in its official documentation. If the site has Automatic Advanced Matching (AAM) enabled, the Pixel also scrapes form fields - email addresses, phone numbers, names - hashes them, and sends the hashes to Meta for identity resolution. This is exactly what triggered enforcement action in Sweden, as covered below.

LinkedIn's Insight Tag works on a similar principle. Once installed, it creates a cookie on the visitor's browser, tracks page visits, button clicks, referrer URLs, IP addresses, and timestamps, then matches the visitor to their LinkedIn member profile. The platform explicitly states it uses this matched data for campaign reporting and ad optimisation.

Why Consent Is Non-Negotiable

Social media cookies are non-essential cookies. They are not required for a website to function, and they are not requested by the visitor. Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a user's device requires prior informed consent - unless the cookie is strictly necessary to deliver a service the user explicitly requested.

A Facebook Like button is not a service the user requested. Neither is a LinkedIn retargeting pixel. The cookie must therefore be blocked until the visitor actively opts in.

The GDPR reinforces this through Article 6 (requiring a lawful basis for processing personal data) and Article 7 (setting the bar for what constitutes valid consent). Consent must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes do not count. Bundling cookie consent with terms of service does not count. And burying the reject option behind multiple clicks does not count either - a point the French CNIL has made repeatedly and expensively.

Recent Enforcement: The Fines Keep Climbing

In January 2023, the CNIL fined TikTok 5 million euros for making it harder to refuse cookies than to accept them on its website. Users needed several clicks to reject all cookies but only one to accept them - a textbook dark pattern.

In June 2024, Sweden's data protection authority (IMY) fined Avanza Bank SEK 15 million (approximately 1.3 million euros) after the bank's Meta Pixel inadvertently transferred personal data of up to one million customers to Meta over 18 months. The breach occurred because Meta's Automatic Advanced Matching feature was activated without authorisation. Two months later, IMY fined two Swedish pharmacy chains a combined SEK 45 million for the same type of violation - the Meta Pixel had transmitted purchase data including over-the-counter medication details to Meta.

Then in September 2025, the CNIL imposed record-breaking fines of 325 million euros on Google and 150 million euros on Shein for systematic cookie consent failures. Between December 2022 and December 2024 alone, the CNIL issued combined fines exceeding 139 million euros specifically for breaches of Article 82 of the French Data Protection Act (the national transposition of the ePrivacy Directive). In December 2025, the CNIL fined another company 3.5 million euros for transferring loyalty programme member data to a social network for ad targeting without valid consent - and found that 11 cookies requiring consent were placed before the user had even made a choice.

What Website Owners Get Wrong

The most common mistake is loading social media scripts before consent. If the Meta Pixel fires on page load, it drops _fbp immediately. If the LinkedIn Insight Tag initialises before the visitor interacts with your cookie banner, bcookie is already set. By that point, you have already breached the ePrivacy Directive - consent collected afterwards is retrospective and legally meaningless.

The second mistake is failing to delete cookies when consent is withdrawn. The CNIL has specifically stated that revoking consent must result in actual cookie removal - for instance, by sending a Set-Cookie header with an expiry date in the past, or running a local script to delete cookies that lack the httpOnly attribute.
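The server-side form of that removal, as an added example (not code from the CNIL or from any platform): it reads the request's Cookie header, picks out the cookie names listed in the platform table above, and builds the expiring Set-Cookie headers. Assumptions: the cookies were set with Path=/, `host` is the bare hostname without a port, and all function names are illustrative.

```javascript
// Cookie names from the platform table on this page.
const SOCIAL_COOKIES = {
  Meta: ['_fbp', '_fbc', 'fr'],
  LinkedIn: ['bcookie', 'li_sugr', 'UserMatchHistory'],
  TikTok: ['_ttp', 'tt_webid'],
  X: ['muc_ads', 'personalization_id', 'guest_id'],
  Pinterest: ['_pin_unauth', '_pinterest_sess'],
};
const TRACKED = new Set(Object.values(SOCIAL_COOKIES).flat());

// Names present in a request's Cookie header ("a=1; b=2").
function cookieNames(cookieHeader) {
  return (cookieHeader || '')
    .split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter(Boolean);
}

// A cookie is only removed when Domain and Path match how it was set, and the
// request does not reveal the Domain, so cover the host-only case plus the host
// and each parent domain. Assumption: no public suffix list is consulted, so a
// suffix such as "co.uk" produces one extra header that browsers ignore.
function candidateDomains(host) {
  const labels = host.split('.');
  const domains = [null]; // null = host-only cookie, no Domain attribute
  for (let i = 0; i + 2 <= labels.length; i++) {
    domains.push(labels.slice(i).join('.'));
  }
  return domains;
}

// Set-Cookie headers to send when marketing consent is withdrawn. Works for
// HttpOnly cookies too, which a client-side script cannot touch.
function expireSocialCookies(cookieHeader, host) {
  const headers = [];
  for (const name of new Set(cookieNames(cookieHeader))) {
    if (!TRACKED.has(name)) continue; // leave session and other cookies alone
    for (const domain of candidateDomains(host)) {
      headers.push(
        `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/` +
          (domain ? `; Domain=${domain}` : '')
      );
    }
  }
  return headers;
}

// Constructed sample request header, not captured traffic.
const SAMPLE = 'session=abc; _fbp=fb.1.1700000000000.123456789; _ttp=xyz';
console.log(expireSocialCookies(SAMPLE, 'shop.example.com').join('\n'));
```

Third-party cookies such as fr live under the platform's own domain and never appear in your site's Cookie header, so your server cannot expire them; only cookies scoped to your domain are reachable this way.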

The third is vague banner language. Describing social media cookies as helping to "improve your experience" or "personalise content" does not meet the transparency threshold. The banner must explain that data will be shared with named third parties (Meta, LinkedIn, TikTok) for advertising purposes.

How to Handle Social Media Cookies Properly

The technical fix is well-established. Block all social media scripts by default and load them only after the visitor grants consent to the relevant cookie category (usually "marketing" or "advertising"). A consent management platform handles this by intercepting script tags and replacing them with placeholder elements until consent is recorded.

For Meta's Pixel specifically, the platform provides a built-in consent API. The sequence is: load the Pixel script, immediately call fbq('consent', 'revoke') to suppress cookie placement, then call fbq('consent', 'grant') only when the visitor opts in. This approach lets you initialise the Pixel early (for faster loading) without actually setting cookies or transmitting data before consent.

LinkedIn's Insight Tag and TikTok's Pixel do not offer equivalent built-in consent toggles, so the safest approach is full script blocking. Load them with type="text/plain" and a data-cookieconsent="marketing" attribute so your CMP can swap them in after consent.

Integrating With Google Consent Mode

If you use Google Tag Manager to deploy social media pixels, Google Consent Mode v2 lets you set default consent states for ad_storage and ad_user_data to "denied". Tags associated with these consent types will not fire until the CMP signals a consent update. This creates a single, unified consent flow for Google, Meta, LinkedIn, and other marketing tags.
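The three mechanisms from this section and the previous one (Consent Mode defaults, the Meta Pixel consent calls, and type="text/plain" script blocking) driven from a single consent decision, as an added example rather than any vendor's or CMP's own code. Assumptions: the standard gtag and fbq stubs are already defined on the window, the CMP invokes a callback with the visitor's "marketing" choice, and the function names are illustrative.

```javascript
// `win` is the browser window and `doc` the document; both are parameters so
// the logic can also be exercised outside a browser.

// Run before any marketing tag: everything starts denied.
function setConsentDefaults(win) {
  win.gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
  });
  win.fbq('consent', 'revoke'); // Pixel script may load, but stays silent
}

// Re-create blocked <script type="text/plain" data-cookieconsent="..."> tags
// as executable scripts. Browsers never run text/plain scripts, and changing
// the type attribute in place does not trigger execution, so each blocked tag
// is replaced by a fresh element carrying the same attributes and body.
function unblockScripts(doc, category) {
  const blocked = doc.querySelectorAll(
    `script[type="text/plain"][data-cookieconsent="${category}"]`
  );
  let count = 0;
  for (const old of blocked) {
    const fresh = doc.createElement('script');
    for (const attr of old.attributes) {
      if (attr.name !== 'type') fresh.setAttribute(attr.name, attr.value);
    }
    fresh.text = old.text; // inline snippet body, empty for src-only tags
    old.replaceWith(fresh);
    count++;
  }
  return count;
}

// Call from the CMP callback with the visitor's choice for "marketing".
// Returns how many blocked scripts were activated.
function onMarketingConsent(win, doc, granted) {
  const state = granted ? 'granted' : 'denied';
  win.gtag('consent', 'update', { ad_storage: state, ad_user_data: state });
  win.fbq('consent', granted ? 'grant' : 'revoke');
  return granted ? unblockScripts(doc, 'marketing') : 0;
}
```

A later withdrawal stops further signals but cannot unload scripts that have already run, and cookies they set stay in the browser until they are expired.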

Social Media Cookies Under Other Privacy Laws

The GDPR and ePrivacy Directive set the strictest standard, but social media cookies trigger obligations under other frameworks too.

Under the CCPA (as amended by the CPRA), sharing personal information with social platforms for cross-context behavioural advertising counts as "sharing" and requires a visible "Do Not Sell or Share My Personal Information" link. Meta even provides a Limited Data Use (LDU) flag that restricts data processing for California users - but the website owner must activate it.

Brazil's LGPD requires consent for processing personal data for advertising purposes. Canada's PIPEDA requires meaningful consent for the collection, use, and disclosure of personal information - and the Office of the Privacy Commissioner has increasingly scrutinised online tracking practices. South Africa's POPIA similarly requires a lawful justification for processing, with consent being the most practical basis for social media tracking.

The Browser Landscape: What Happens Without Consent Tools

Safari's Intelligent Tracking Prevention (ITP) caps first-party cookies set via JavaScript at 7 days and blocks most third-party cookies outright. Firefox's Enhanced Tracking Protection does the same. Chrome, which commands over 60% of the global browser market, still permits third-party cookies by default: Google reversed its plan to deprecate them in July 2024, and in April 2025 confirmed it would not roll out a separate user-choice prompt either.

Browser protections are not a compliance substitute. Even if Safari blocks a third-party cookie, the Meta Pixel can still transmit event data server-side. And first-party cookies like _fbp are not blocked by ITP's third-party restrictions. A proper consent mechanism remains the only legally defensible approach.

Frequently Asked Questions

Do social media cookies track visitors who are not logged in to the platform?

Yes. Cookies like Meta's _fbp assign a unique identifier to every browser that visits a page with the Pixel installed, regardless of whether the visitor has a Facebook account. The platform can still build a browsing profile and use it for ad targeting.

Can I use social media share buttons without setting cookies?

Some CMP solutions replace embedded share buttons with static placeholder images until the visitor consents to marketing cookies. Another option is to use simple anchor links that open the platform's share URL directly, avoiding any embedded scripts or iframes.

Are social media cookies classified as first-party or third-party?

It depends on how they are set. Meta's _fbp is a first-party cookie stored under your domain, while the fr cookie is a third-party cookie stored under facebook.com. LinkedIn's bcookie is third-party. The legal obligations around consent apply regardless of party classification.

What happens if I load the Meta Pixel before getting consent?

The Pixel will immediately set cookies and begin transmitting visitor data to Meta. This violates Article 5(3) of the ePrivacy Directive in the EU and equivalent national laws. Swedish and French regulators have issued multi-million-euro fines for exactly this scenario.

Do social media cookies fall under the CCPA's definition of "sharing"?

Yes. Transmitting personal information to a social platform for cross-context behavioural advertising qualifies as "sharing" under the CPRA amendments. You must provide a "Do Not Sell or Share" opt-out mechanism and honour Global Privacy Control signals.

How do I audit which social media cookies my site currently sets?

Use a cookie scanner to crawl your domain and identify every cookie, its source, category, and duration. Many social media cookies are only set when specific pages load - run the scan across multiple pages to catch them all.

Is server-side tracking for social platforms exempt from consent requirements?

No. Server-side tracking (such as Meta's Conversions API) still processes personal data and still requires a lawful basis under the GDPR. While it does not rely on browser cookies, it transmits hashed identifiers and event data to the platform, which constitutes personal data processing.

Scan Your Site for Social Media Cookies

If social media pixels are running on your site, they are almost certainly setting cookies - and if those cookies fire before consent, your site is non-compliant. Kukie.io's scanner detects cookies from Meta, LinkedIn, TikTok, X, Pinterest, and dozens of other third-party services, then categorises each one so your consent banner can block them until approval is given.
