What the TikTok Pixel Actually Does
The TikTok pixel is a JavaScript snippet that tracks visitor actions on your website and sends that data back to TikTok Ads Manager. It records page views, button clicks, form submissions, purchases, and other conversion events you define.
Unlike a simple analytics counter, the pixel is designed to match your website visitors with TikTok user profiles. That matching process relies on cookies, hashed identifiers, and browser metadata. The goal is attribution: connecting an ad view on TikTok to a later action on your site.
This makes the pixel a marketing cookie by any reasonable classification.
Cookies Set by the TikTok Pixel
When the TikTok pixel fires, it creates several cookies across two categories. First-party cookies are set under your domain. Third-party cookies are set by TikTok's servers. Both types are enabled by default in the pixel configuration.
| Cookie Name | Type | Purpose | Expiry |
|---|---|---|---|
_ttp | First-party | Assigns a unique visitor ID for ad targeting and attribution | 13 months |
_tt_enable_cookie | First-party | Checks whether cookies are enabled in the browser | 13 months |
ttclid | First-party | Stores the TikTok click identifier from ad URLs | 13 months |
tt_sessionId | First-party | Tracks the current browsing session | Session |
tt_pixel_session_index | First-party | Counts the number of sessions for frequency analysis | Session |
tt_appInfo | First-party | Stores pixel configuration data | Session |
ttcsid | Third-party | Cross-site session identifier for conversion tracking | 13 months |
msToken | Third-party | Security and bot-detection token | Varies |
All TikTok pixel cookies expire 13 months after being set or last used, matching the upper limit that most browsers still permit for first-party cookies. In regions where TikTok Pangle operates, the pixel may also read additional Pangle cookies for cross-network measurement.
Why Every TikTok Pixel Cookie Requires Consent
Article 5(3) of the ePrivacy Directive is clear: storing or accessing information on a user's device requires prior consent unless it is strictly necessary for the service the user requested. Tracking ad conversions is not strictly necessary for delivering your website.
The GDPR reinforces this by requiring a valid legal basis for processing personal data. Because the TikTok pixel collects unique identifiers, IP addresses, and browsing behaviour, legitimate interest is not a viable basis. Consent under Article 6(1)(a) is the only defensible option.
The same logic applies under the UK GDPR and PECR, the LGPD, and the CCPA/CPRA opt-out framework. The mechanism differs - opt-in in Europe and Brazil, opt-out in most US states - but the pixel cannot simply fire on page load without any user interaction.
TikTok and Joint Controllership
When you install the TikTok pixel, you and TikTok become joint data controllers under GDPR. TikTok's Business Products Terms state this explicitly. You decide to deploy the pixel and configure which events to track. TikTok determines how the collected data is processed for ad optimisation and audience building.
Joint controllership under GDPR Article 26 requires a transparent arrangement between both parties. Your obligations include informing visitors that data is shared with TikTok, specifying the purposes, and providing a mechanism to withdraw consent.
The Irish DPC's 2025 enforcement action against TikTok - resulting in a EUR 530 million fine for unlawful data transfers to China - underscores the regulatory scrutiny this platform faces. While that case focused on data transfers rather than cookies, it signals that DPAs are watching TikTok integrations closely.
How to Load the TikTok Pixel Only After Consent
The standard TikTok pixel installation guide tells you to paste the snippet into your page header. Doing this means the pixel fires immediately, before any consent interaction. That approach fails every compliance standard in the EU, UK, and Brazil.
Option 1: Conditional Script Loading via Your CMP
The most reliable method is to block the pixel script until consent is granted. Change the script tag's type attribute from text/javascript to text/plain and assign a consent category. Your cookie consent platform then switches the type back to text/javascript once the visitor accepts marketing cookies.
Option 2: Google Tag Manager with Consent Triggers
If you manage tags through Google Tag Manager, set the TikTok pixel tag to fire only on a consent-granted trigger. With Google Consent Mode v2, the tag will remain blocked until ad_storage consent is granted. This keeps your tag container clean and auditable.
Option 3: TikTok Events API (Server-Side)
The TikTok Events API sends conversion data from your server rather than the visitor's browser. This avoids client-side cookies entirely and sidesteps ad blockers and Intelligent Tracking Prevention.
A server-side approach does not eliminate your consent obligation. You still process personal data - hashed email addresses, IP addresses, user agent strings - and send it to TikTok. The legal basis remains consent. The difference is that you gain more control over exactly what data leaves your server and when.
Hash all personally identifiable information before transmission, apply data minimisation principles, and gate the API call behind your consent state. Server-side tagging is a privacy improvement, not a privacy exemption.
Classifying TikTok Pixel Cookies in Your Banner
Every TikTok pixel cookie falls into the marketing or advertising category. None of them qualify as strictly necessary or even functional. Your cookie categories should reflect this.
In your cookie banner, list each TikTok cookie with its name, purpose, duration, and the third party involved. Visitors who decline marketing cookies must not receive any TikTok pixel cookies at all. Verify this by opening your browser's developer tools after rejecting cookies and checking the Application panel - if _ttp or ttclid still appears, your blocking mechanism is broken.
Your cookie policy should separately document TikTok as a data recipient. Include a reference to TikTok's own privacy policy and explain the joint controllership arrangement.
CNIL's Cookie Enforcement and What It Means for TikTok Pixel Users
The French DPA, CNIL, fined TikTok EUR 5 million in January 2023 for cookie-related violations on the tiktok.com platform itself. The violations included failing to provide an equally simple mechanism to refuse cookies as to accept them.
CNIL has since continued aggressive enforcement against dark patterns in cookie banners. If TikTok's own website attracted a fine, the signal to advertisers using TikTok's pixel is straightforward: your implementation will be judged by the same standards. Pre-ticked marketing categories, buried reject buttons, and pixel scripts that load before consent all carry enforcement risk.
Comparing TikTok Pixel with Meta Pixel
The TikTok pixel and Meta pixel share a similar compliance profile. Both set first-party and third-party cookies, both create joint controllership arrangements, and both offer server-side API alternatives.
| Feature | TikTok Pixel | Meta Pixel |
|---|---|---|
| Primary cookie | _ttp | _fbp |
| Click ID cookie | ttclid | _fbc |
| Cookie expiry | 13 months | 90 days (_fbp) |
| Server-side option | Events API | Conversions API |
| Joint controller status | Yes (GDPR) | Yes (GDPR) |
| Third-party cookies | Yes, by default | Limited by browser restrictions |
The practical difference is that TikTok's third-party cookies are still enabled by default, while most browsers now block third-party cookies from Meta. This makes TikTok pixel compliance slightly more involved, since you need to account for both cookie types in your consent mechanism.
Frequently Asked Questions
Does the TikTok pixel set cookies without consent?
Yes, the default TikTok pixel installation fires immediately on page load and sets cookies before any consent interaction. You must block the script until the visitor grants consent for marketing cookies.
What is the _ttp cookie used for?
The _ttp cookie assigns a unique identifier to each visitor so TikTok can match website actions to TikTok ad views. It is a first-party marketing cookie that expires after 13 months.
Is the TikTok Events API exempt from cookie consent?
No. The Events API avoids client-side cookies but still processes personal data such as hashed emails and IP addresses. You need valid consent before sending this data to TikTok under GDPR and similar regulations.
Can I classify TikTok pixel cookies as functional?
No. TikTok pixel cookies serve advertising and attribution purposes. They are not necessary for your website to function and must be classified as marketing or advertising cookies.
How do I check if TikTok cookies are blocked after consent is refused?
Open Chrome DevTools, go to the Application tab, and inspect Cookies for your domain. If _ttp, ttclid, or any tt_ prefixed cookies appear after you rejected marketing cookies, your blocking is not working.
Are TikTok and my website joint data controllers?
Yes. Under GDPR, deploying the TikTok pixel makes you and TikTok joint controllers. You must inform visitors about this arrangement in your privacy and cookie policies.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
