
Meta Pixel and VPPA: Does Your Website Have Liability?

Eddy Udegbe
Meta Pixel is the single most common source of VPPA liability. Here's what it does, when it creates liability, and how to implement it defensibly.

What Meta Pixel Does

Meta Pixel is tracking code that:

  1. Monitors user behavior on your website
  2. Collects page URLs
  3. Identifies users via Facebook IDs, cookies, device IDs
  4. Transmits data to Meta servers
  5. Builds user profiles
  6. Enables retargeting

When Meta Pixel Creates VPPA Liability

Scenario 1: Firing on Pages With Embedded Video

  • Page URL: example.com/tutorials/makeup-tutorial
  • Embedded video: YouTube embed
  • Meta Pixel: Standard code fires on page load
  • Result: Meta knows user ABC visited tutorial page
  • VPPA Violation: YES (unless you have informed written consent)

Scenario 2: Custom Event Tracking for Video

  • You track: "User watched video"
  • Meta knows: User X watched specific video
  • Result: Clear disclosure of video watching
  • VPPA Violation: YES (unless you have informed written consent)

Scenario 3: Linked User Data

  • You pass email to Meta Pixel
  • Meta knows: john@example.com watched makeup tutorial
  • Result: Clear linkage between person and video
  • VPPA Violation: YES (unless you have informed written consent)

What Data Constitutes PII

Clearly PII:

  • Email addresses
  • Customer IDs
  • Phone numbers
  • Usernames

Contested:

  • fbp parameter (Meta's pixel ID)
  • Device IDs
  • IP addresses

Safe Principle: Assume anything that allows a third party to link a person to their video watching is PII.

How to Implement Meta Pixel Defensibly

Option 1: Block Pixel Until Consent

  • Don't load Meta Pixel until consent is given
  • Display consent banner asking specifically about Meta Pixel
  • Block pixel in code until consent is recorded
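One way to implement Option 1 in code, as an added example that is not from the original post or from Meta: nothing is requested from Meta until a purpose-specific consent record exists. The names `CONSENT_KEY`, `hasConsent`, `createPixelGate` and the stored record shape are assumptions; `fbq('init')`, `fbq('track')` and `fbq('consent', 'revoke')` are Meta Pixel calls.

```javascript
// Added example. CONSENT_KEY, the record shape and createPixelGate are hypothetical.
const CONSENT_KEY = 'consent.metaPixelVideo';
const PIXEL_SRC = 'https://connect.facebook.net/en_US/fbevents.js';

function hasConsent(storage) {
  try {
    const rec = JSON.parse(storage.getItem(CONSENT_KEY) || 'null');
    // Only an explicit grant for this exact purpose counts.
    return !!rec && rec.granted === true && rec.purpose === 'meta-pixel-video';
  } catch (e) {
    return false; // unreadable record: fail closed
  }
}

function createPixelGate(win, storage, pixelId) {
  let loaded = false;
  function load() {
    if (loaded || !hasConsent(storage)) return false;
    // Queue stub, as in Meta's base snippet, so calls made before the
    // library arrives are buffered.
    const fbq = function () {
      if (fbq.callMethod) fbq.callMethod.apply(fbq, arguments);
      else fbq.queue.push(arguments);
    };
    fbq.push = fbq; fbq.loaded = true; fbq.version = '2.0'; fbq.queue = [];
    win.fbq = win._fbq = fbq;
    const s = win.document.createElement('script');
    s.async = true;
    s.src = PIXEL_SRC;
    win.document.head.appendChild(s); // first network contact with Meta
    fbq('init', pixelId);             // no email/phone passed to init
    fbq('track', 'PageView');
    loaded = true;
    return true;
  }
  return {
    load, // call on every page load; does nothing without recorded consent
    grant() {
      storage.setItem(CONSENT_KEY, JSON.stringify(
        { granted: true, purpose: 'meta-pixel-video', at: new Date().toISOString() }));
      return load();
    },
    revoke() {
      storage.setItem(CONSENT_KEY, JSON.stringify({ granted: false }));
      if (win.fbq) win.fbq('consent', 'revoke'); // halt a pixel already running
    },
  };
}
```

In a browser, call `createPixelGate(window, localStorage, pixelId).load()` on each page and wire `grant()` to the banner control that accepts Meta Pixel video tracking specifically.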

Option 2: Use Google Tag Manager to Block

  • Load the pixel through GTM, but don't let it fire until a consent trigger has been met

Option 3: Don't Use Custom Event Tracking

  • Use standard tracking (lower risk) instead of custom video event tracking

The infrastructure answer

The free PieEye compliance scan identifies whether your website has the VPPA vulnerabilities that plaintiffs' attorneys look for — tracking pixels firing on video pages without consent, data flowing to third parties before users have agreed, and policy-to-practice mismatches.

For the complete VPPA compliance framework, see our VPPA compliance guide. For consent mechanisms that satisfy VPPA, see VPPA consent mechanisms. For what counts as PII under VPPA, see VPPA PII explained.

Run a free PieEye compliance scan — it takes minutes, requires no code changes to initiate, and tells you exactly what a plaintiffs' attorney's scanning tool would find if it looked at your website today.

Why Shopify and BigCommerce Stores Are At Risk

Your eCommerce platform doesn't automatically protect you from VPPA liability — in fact, many Shopify and BigCommerce stores are unknowingly exposed. Here's why:

Most stores install Meta Pixel through Shopify's app marketplace or BigCommerce's built-in integrations without any consent logic. The pixel fires on every page load by default, including product pages that may contain embedded product demo videos. If your store has tutorial content, customer testimonial videos, or any embedded video anywhere on your site, Meta Pixel is collecting that viewing data without asking permission first.

Additionally, many stores use Shopify's native customer tracking or BigCommerce's analytics features alongside Meta Pixel. This means data flows to multiple third parties simultaneously — and if any of that data is PII (email, customer ID, phone number), you've created multiple liability vectors instead of one.

The risk is compounded if you're running retargeting campaigns. Retargeting only works because Meta is building a profile of what your customers watched. That profile is the evidence that VPPA violations occurred. When you retarget a customer three weeks later because they watched a product video, you're essentially proving you knew they watched the video — which is the core VPPA violation.

The practical fix: audit which pages on your store contain video (including auto-playing hero videos or testimonial clips), then ensure Meta Pixel doesn't fire on those pages until after consent is collected.
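A first pass at that audit, as an added example that is not from the original post: it flags pages whose static HTML contains both a video embed and Meta Pixel markers. `auditPage`, `auditSite`, the pattern lists and the sample pages are constructed for illustration, and the video patterns cover only `<video>`, YouTube and Vimeo embeds.

```javascript
// Added example: sample pages and function names are constructed, not from the post.
const VIDEO_PATTERNS = [
  /<video[\s>]/i, // native player, including autoplaying hero video
  /<iframe[^>]+src=["'][^"']*(youtube(-nocookie)?\.com\/embed|player\.vimeo\.com\/video)/i,
];
const PIXEL_PATTERNS = [
  /connect\.facebook\.net\/[^"'\s]*\/fbevents\.js/i, // pixel library
  /facebook\.com\/tr\?/i,                             // <noscript> image beacon
  /fbq\(\s*["']init["']/i,                            // inline init call
];

function auditPage(url, html) {
  const hasVideo = VIDEO_PATTERNS.some((re) => re.test(html));
  const hasPixel = PIXEL_PATTERNS.some((re) => re.test(html));
  // A page needs review only when both are present in the same document.
  return { url, hasVideo, hasPixel, review: hasVideo && hasPixel };
}

function auditSite(pages) {
  return Object.entries(pages)
    .map(([url, html]) => auditPage(url, html))
    .filter((r) => r.review)
    .map((r) => r.url);
}

// Constructed sample input: URL path -> fetched HTML.
const SAMPLE_PAGES = {
  '/tutorials/makeup-tutorial':
    '<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>' +
    '<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>',
  '/products/brush':
    '<video autoplay muted src="/hero.mp4"></video><noscript><img ' +
    'src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"></noscript>',
  '/about': '<script>fbq("init", "PIXEL_ID_PLACEHOLDER");</script><p>About us</p>',
  '/blog/sizing-guide': '<iframe src="https://player.vimeo.com/video/VIDEO_ID"></iframe>',
};

console.log(auditSite(SAMPLE_PAGES));
```

Static HTML misses pixels injected at runtime by a tag manager or a platform app, so confirm each result in the browser's network panel by looking for requests to `facebook.com/tr` before consent is given.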

How Cookie Banners Affect VPPA Compliance

A cookie banner alone does not satisfy VPPA requirements — and many eCommerce brands make this mistake.

VPPA has a specific consent requirement: it asks for informed written consent before collecting information about video watching habits. A generic "We use cookies to improve your experience" banner doesn't meet this standard because:

  1. It doesn't specifically disclose that Meta Pixel tracks video viewing
  2. It doesn't explain that Meta uses this data for profiling and retargeting
  3. It doesn't clearly name Meta as the third party collecting the data
  4. Vague "Accept All" buttons don't constitute informed consent

Your cookie banner needs to explicitly state: "We use Meta Pixel to track what videos you watch on our site so we can show you relevant ads on Facebook and Instagram." Users should be able to reject this specific tracking without losing access to your store's core functionality.

If your current banner says something like "Advertising Cookies" without naming Meta or explaining video tracking, it likely won't defend you in court. A plaintiff's attorney will argue the consent wasn't informed because you didn't clearly disclose the video-tracking aspect.

Many Shopify stores use Termly, OneTrust, or similar consent management tools, but those tools are only as good as the disclosure language you configure. If you've set them up but never updated the specific text to address VPPA and video tracking, your banner is creating a false sense of security.

When Klaviyo Integration Multiplies Your Risk

If you're using Klaviyo for email marketing alongside Meta Pixel, you may have inadvertently created a second VPPA problem.

Many stores send customer email addresses to Meta Pixel through Klaviyo's integration or native Shopify sync features. This serves a legitimate marketing purpose — you want to reach customers across channels — but it creates evidence of linked PII.

Here's the exposure: when you pass an email address to Meta Pixel (whether directly or through a data sync), Meta can now prove it knows which specific person watched which specific video. That linkage is the smoking gun. A plaintiff's attorney would see your Klaviyo-to-Meta data flow and argue you violated VPPA the moment you connected an email to video viewing behavior.

The risk is especially high if you're using Klaviyo for SMS or email follow-ups to customers who visited product pages with videos. Your own marketing automation creates the evidence trail.

Solution: disable email/phone pass-through to Meta Pixel until consent is explicitly collected for video tracking, or use Meta's hash-matching features (which provide some privacy isolation) instead of raw PII.

State-Level Variations Make Compliance Harder

While VPPA is federal law, states like California, Colorado, and Virginia have layered their own privacy rules on top of it.

If your store ships to California residents, you're technically subject to CCPA/CPRA on top of VPPA. CCPA requires disclosure and opt-out rights for "sale or sharing" of personal information — and Meta Pixel is often classified as a "sale" or "share" under CCPA because Meta builds profiles that it monetizes through ad targeting.

This means a California customer could theoretically claim two separate violations: VPPA (for video tracking without informed consent) and CCPA (for data sharing without opt-out rights). Colorado's CPA and Virginia's CDPA have similar requirements.

If you're running a DTC brand with national reach, you likely have customers in multiple privacy jurisdictions. The safest approach is to implement the strictest standard (VPPA's informed written consent for video tracking) across all regions, rather than trying to segment your compliance by geography.

For a walkthrough of how PieEye handles VPPA compliance, book a demo.
