Meta Files: The Pixel — Smile, you're tracked

Chapter 1 — What is the Meta Pixel?

An invisible programme on other people's websites

"Pixel" sounds like a tiny dot on a screen. In reality, the Meta Pixel (formerly: Facebook Pixel) is today a sophisticated JavaScript programmeJavaScriptA programming language executed in the user's browser — as opposed to server-side code. Enables interactive websites, but can also be used for tracking.. When you open a website on which it is installed, it automatically loads in your browser and immediately sends data to Meta's servers — before you do anything at all.

Meta itself describes it as: "a piece of code that enables you to track visitor activity on your website." — from the website operator's perspective. For the visitor: invisible, without announcement, with no means of objection.^[1]

What the Pixel specifically collects

— identifies your household or your person

Pages visited — which pages, for how long, in what order

Buttons clicked — including the label ("Book appointment", "Learn more")

Search terms on the website — what you typed into internal search fields

Form data — field names and, in certain configurations, the values entered

— if present, links all data directly to your profile

How it recognises you — even without a Facebook account

Anyone logged in to Facebook or Instagram has a cookie in their browser. This cookie is visible on any other website that has the Pixel installed — Meta can thus link your activity on any given website directly to your profile.

But tracking also works without a login cookie. The combination of IP address, browser type, operating system and other technical details is sufficient in many cases to recognise a person over time. This is called browser fingerprintingBrowser fingerprintingA method for identifying users without cookies. Combinations such as screen resolution, browser version, fonts and time zone create a unique "fingerprint"..

⚠️

The Pixel collects data about all visitors — including people without a Facebook account. What Meta does with this data is not publicly known. Meta CPO Chris Cox responded in 2022 to the direct question from the US Congress as to whether Meta held health data from hospitals: "Not to my knowledge." — and promised to follow up in writing.^[4]

Where it is installed

According to an analysis by The Markup, the Meta Pixel is installed on more than 30% of all popular websites.^[2]

In Germany, according to Stiftung Warentest (July 2025), it appears on everyday websites including: spiegel.de, bild.de, tagesschau.de, stern.de, faz.net — as well as on health sites such as apotheken.de, docmorris.de, helios-gesundheit.de and jameda.de.^[5]

Chapter 2 — The hospital scandal

Patient data sent directly to Meta ↑ top

In June 2022, the investigative newsroom The Markup and the health magazine STAT News tested the websites of the 100 largest hospitals in the USA. The result was unambiguous.

33 of the 100 hospitals had the Meta Pixel installed — including on pages for online appointment booking and in password-protected patient portals.^[3]

What the Pixel transmitted to Meta in the process:

Name of the doctor and their speciality
Medical condition selected for the appointment
In one case: first name, surname, email, phone number, postcode — directly upon completing the booking
IP address (classified under US privacy law as protected health information when linked with health data)

Two concrete examples from the investigation: on the website of University Hospitals Cleveland Medical Center, a click on "Book appointment online" sent the doctor's name and the search term "pregnancy termination" to Facebook. On the website of Froedtert Hospital in Wisconsin, the condition "Alzheimer's" was transmitted when booking an appointment.

How large is the problem really?

The Markup investigation was limited to 100 hospitals. A 2021 study examined 3,747 US hospitals: 98.6% of them had at least one tracking tool transmitting data to third parties. The class action against Meta names, on the basis of expert analysis, at least 664 hospital systems and medical provider websites through which Meta received patient data.^[6]

The hospitals' response

Following publication of the investigation, 28 of the 33 identified hospitals removed the Pixel. At least three sent official data breach notifications to patients:

Novant Health (North Carolina): 1.36 million patients affected
Advocate Aurora Health: 3 million patients affected — the hospital's entire patient volume
WakeMed Health and Hospitals: 495,000 patients affected

The 33 identified hospitals together had more than 26 million patient admissions and outpatient visits in 2020.^[4]

Meta's position: the fault lies with the websites

Meta argued in court: the hospitals were responsible, not Meta. When using the Pixel, website operators must confirm that they will not transmit sensitive data.

At the same time, it is known that Meta operates an internal filtering system intended to recognise and remove sensitive health data. Meta had itself admitted that this system was "not yet fully accurate in operation". The Markup also found that the system did not block data relating to appointments at pregnancy counselling services.^[7]

Chapter 3 — Lawsuits in the USA

Class action, settlements — and Zuckerberg's compelled testimony ↑ top

In June 2022, the first class actionClass actionA form of lawsuit in which many affected parties with identical harm sue a defendant collectively. Frequently used in US law. Enables claims even where individual damages are low. was filed. To date, dozens of lawsuits have been consolidated into In re Meta Pixel Healthcare Litigation (US District Court, Northern District of California).

In September 2023, the court partially denied Meta's motion to dismiss: Meta's possible violation of the Electronic Communications Privacy ActECPAA US federal law from 1986 that protects digital communications from unauthorised interception. Considered outdated, as it predates the internet age — but continues to be used in privacy litigation. as well as breach-of-contract claims may proceed to trial.

In April and May 2025, the court ordered that Mark Zuckerberg personally must be available for a limited deposition. Meta had objected and lost — but then filed an appeal with the 9th US Circuit Court of Appeals (Ninth Circuit). At the oral argument in December 2025, the Ninth Circuit panel signalled sympathy for Meta's position. A final decision is still pending.^[6]

Settlements against hospitals

Several hospitals have already settled out of court:

Advocate Aurora Health: USD 12.25 million — affecting approximately 2.5 million patients
Novant Health: USD 6.6 million
WakeMed Health and Hospitals: USD 2.45 million — finally approved November 2025
New York Presbyterian Hospital: USD 300,000 settlement with the New York Attorney General for HIPAA violations

ℹ️

In the USA, HIPAAHIPAAHealth Insurance Portability and Accountability Act — a US federal law from 1996. Governs the protection of medical data. Applies to hospitals and insurers, but not to technology companies such as Meta. is the central patient data protection law. HIPAA prohibits hospitals from sharing protected health information with third parties without explicit consent. Meta has no such agreement with any of the affected hospitals — and is not itself subject to HIPAA. In December 2022, the US Department of Health and Human Services clarified: the use of the Meta Pixel on hospital websites violates HIPAA. In July 2023, the US Department of Health and Human Services and the FTC jointly sent warning letters to 130 healthcare organisations.^[14]

Chapter 4 — Germany and Europe

GDPR rulings: a wave against Meta ↑ top

In Germany the legal position is clear: personal dataPersonal dataAll information that directly or indirectly identifies a natural person. This includes name, email address, IP address, cookie IDs and location data. Subject to GDPR protection. may only be processed on a valid legal basis — in practice this usually means explicit consent. The BundeskartellamtBundeskartellamtGerman competition authority. In 2019 it prohibited Meta from combining third-party site data without consent. The proceedings were groundbreaking: they linked data protection violations to competition law. (Federal Cartel Office) had already established in 2019 that Meta's processing of third-party site data without consent was unlawful.

The problem in practice: the Pixel often collects data before a user has accepted a cookie banner. Or it continues to collect after rejection. And the Conversion API (more on this shortly) is completely invisible to users and cannot be blocked technically.

Wave of German court rulings

Since 2024, German courts have been ruling increasingly against Meta and against websites that deploy the Pixel without effective consent. According to Stiftung Warentest (July 2025), around 500 rulings against Meta have already been handed down — with damages of between €1,000 and €10,000.^[16]

Court	Date	Amount	Status
LG Ellwangen	19.02.2025	€10,000	Appeal
LG Augsburg	28.03.2025	€5,000	Appeal
LG Leipzig	04.07.2025	€5,000	Appeal
LG Hamburg	17.04.2025	€3,000	Appeal
LG Frankfurt a.M.	27.05.2025	€2,500	Appeal
OLG Dresden	03.02.2026	€1,500 each	Final ✓
OLG Jena	02.03.2026	€3,000	BGH revision
OLG München	18.12.2025	€750	Revision admitted

Particularly significant: the OLG Dresden rulings of 3 February 2026 are final — the senate admitted no further appeal. This is the first time in Germany that a final appellate court decision has classified cross-platform Meta tracking without consent as a GDPR violation.

The OLG Jena (2 March 2026) admitted an appeal to the Federal Court of Justice — the BGH will clarify fundamental questions on consent, scope and calculation of damages at the highest judicial level. Meta consistently appeals in all cases.^[17][20]

      The courts are ruling consistently: even the feeling of being spied upon — the so-called loss of controlNon-material damage (GDPR Art. 82)The ECJ ruled on 4 May 2023 (C-300/21): even the feeling of losing control over one's own data is sufficient as demonstrable harm for a damages claim — without any material financial loss. — is sufficient as harm to ground a damages claim, even without proven material loss. This line follows a European Court of Justice ruling of 4 May 2023 (C-300/21).
    

Austria: Max Schrems wins — final ruling

In December 2025, the Austrian Supreme Court ruled with finality: Meta must pay damages for GDPR violations through its tracking tools — and awarded Schrems €500. The claimant was Max Schrems. The proceedings lasted eleven years and were referred to the ECJ for a preliminary ruling twice. In addition, the Supreme Court declared personalised advertising without explicit informed consent to be unlawful in principle and ordered Meta to grant Schrems full access to his data within 14 days.^[5]

Chapter 5 — The Conversion API

The tool that bypasses ad blockers ↑ top

The Meta Pixel can be blocked with an ad blocker. The cookie can be rejected. What many people don't know: Meta has a successor tool that circumvents both — the Conversion APIConversion API (CAPI)A server-to-server interface from Meta. Transmits user data directly from the web server to Meta — bypassing the user's browser. Invisible to users and technically impossible to block..

The crucial difference: while the Pixel runs in the user's browser and can be technically blocked, the Conversion API runs directly on the website's serverServer-side trackingCode that runs not in the user's browser but on the website operator's web server. Ad blockers and browser privacy features have no access to it.. The data is transmitted by the website operator directly to Meta — bypassing the user's browser entirely. The user can neither see nor prevent this.

"Whether websites use the Meta Conversion API and whether they transmit data about a specific visit to Meta is something users cannot detect. Where the programme runs, they cannot prevent the collection of their data either."

Stiftung Warentest, July 2025 ^[5]

Meta publicly promotes the Conversion API as a response to iOS privacy measures (App Tracking TransparencyApp Tracking TransparencyApple feature since iOS 14.5 (2021). Apps must ask users for permission before tracking them across other apps and websites. Has significantly impacted Meta's advertising revenue. since iOS 14.5) and browser privacy in Safari and Firefox. From Meta's perspective this is logical: the more websites use the API instead of the classic Pixel, the less users are able to block their tracking.

Chapter 6 — What you can do

Technical and legal options ↑ top

What helps technically

uBlock OriginuBlock OriginA free, open-source browser extension for blocking advertising and trackers. Considered the most effective ad blocker. Uses filter lists that also cover known tracking scripts such as the Meta Pixel. blocks the Meta Pixel by default — works in Firefox and Chrome
Firefox with Enhanced Tracking ProtectionEnhanced Tracking ProtectionA privacy feature in Firefox. Automatically blocks known trackers, fingerprinting scripts and crypto miners. Active in three levels: Standard, Strict and Custom. blocks many known trackers automatically
Safari limits the lifetime of tracking cookies through Intelligent Tracking PreventionIntelligent Tracking PreventionApple's privacy technology in Safari. Limits the lifetime of third-party cookies to 7 days (with interaction) or 24 hours. Significantly hinders cross-site tracking.
Rejecting cookies should deactivate the Pixel — if the website implements this correctly (not all of them do)

⚠️

Against the Conversion API there is no technical protection available to users. It runs on the website's server, not in the browser — no ad blockerAd blockerA browser extension that blocks advertising and trackers on the basis of filter lists. Only effective against client-side code — i.e. code running in the browser. Powerless against server-side tracking (such as the Conversion API)., no browser setting can block it.

What is legally possible (Germany)

On the basis of current case law, affected users in Germany can claim damagesGDPR damages (Art. 82)A right to compensation for GDPR violations. Since the ECJ ruling C-300/21, non-material harm (loss of control) is sufficient. German courts award €1,000–€10,000. Claims can be brought individually or through law firms.. The feeling of loss of control is sufficient as harm. Stiftung Warentest recommends preserving evidence: screenshots, privacy policies, cookie banners.

ℹ️

Legal status (as of March 2026): The OLG Dresden rulings are final. The OLG Jena ruling is not final — appeal to the BGH admitted. The regional court rulings are likewise not yet final. The ultimate clarification at the highest judicial level by the BGH is still pending.^[17]

Conclusion

The business model is the problem ↑ top

The Meta Pixel is not a concern exclusive to Facebook users. It is present on a third of all popular websites — and that means: almost every person who uses the internet is tracked by Meta. On news sites. On health portals. On medical appointment sites. Sometimes even in password-protected patient portals.

This is not an accident. It is the business model. Meta generated revenue of USD 47.5 billion in the second quarter of 2025 — almost exclusively through personalised advertising. Personalised advertising requires data. The Pixel delivers it: en masse, invisibly, without boundaries.

      The courts are starting to stop this. In Germany, in Austria, in the USA. But the Conversion API shows: Meta always finds new ways to maintain the tracking — deeper in the technology, more invisible to the user.
    

25 Sources

Meta for Developers — official Pixel documentation: developers.facebook.com
The Markup — How We Built a Meta Pixel Inspector (April 2022): themarkup.org
The Markup / STAT News — Facebook receiving sensitive medical information from hospitals (June 2022): themarkup.org
The Markup / STAT News — Meta faces Congress questions (September 2022): themarkup.org
Stiftung Warentest — Meta Business Tools, Meta sieht fast jeden Klick (July 2025): test.de
Cohen Milstein — In re Meta Pixel Healthcare Litigation: cohenmilstein.com
Compliancy Group — Meta claims hospitals to blame (May 2023): compliancy-group.com
Paubox — Meta claims hospitals to blame: paubox.com
Fierce Healthcare — Advocate Aurora, WakeMed class actions (November 2022): fiercehealthcare.com
Healthcare IT Today — Meta faces legal firestorm (November 2022): healthcareittoday.com
Milberg — Advocate Aurora settlement USD 12.25m: milberg.com
HIPAA Journal — one-third of healthcare websites Meta Pixel (2024): hipaajournal.com
HIPAA Journal — Meta facing scrutiny: hipaajournal.com
KL Gates — Pixel tools in healthcare (October 2023): klgates.com
American Bar Association — OCR Guidance HIPAA and Meta Pixel: americanbar.org
Presseportal / Dr. Stoll & Sauer — 500 rulings against Meta (August 2025): presseportal.de
Dr. Stoll & Sauer — OLG Dresden final ruling (February 2026): dr-stoll-kollegen.de
Dr. Stoll & Sauer — LG Leipzig, up to €10,000 possible (August 2025): dr-stoll-kollegen.de
Anwalt.de — 500 rulings, up to €10,000 (August 2025): anwalt.de
Ad-hoc-news — OLG Jena March 2026, BGH revision: ad-hoc-news.de
IT-Kanzlei Lutz — LG Lübeck November 2025: datenschutz-rv.de
WBS Legal — Meta Business Tools and GDPR: wbs.legal
eRecht24 — Meta Pixel and GDPR compliance: e-recht24.de
Borns IT-Blog — ECJ declares Meta's GDPR rules illegal (July 2023): borncity.com
Clayden Law — Meta Pixels, lessons for website operators: claydenlaw.co.uk