Meta's Shadow Web: How the Pixel and Conversions API Track You Everywhere
How the Meta Pixel and Conversions API hoover up your browsing data across millions of third-party sites — and why state AGs are finally pushing back.
Published May 2026 · KzNet Technologies

The Invisible Passenger on Every Website

Most people think of Meta — Facebook, Instagram, WhatsApp — as an app they open by choice. The reality is more pervasive: Meta travels with you across the web whether or not you ever log in, and increasingly whether or not your browser is even aware it's being watched.

The mechanism is the Meta Pixel: a JavaScript snippet that tracks visitor behavior on a website and sends that data to Meta for ad targeting and measurement. When a site owner embeds the Pixel, every visit, search, product view, form submission, and purchase can generate a data event that flies back to Meta's servers in real time. The site owner gets ad-campaign analytics. Meta gets a detailed record of your behavior, which it uses to build or enrich an advertising profile tied to your identity.

What makes this uncomfortable is the scope. The Pixel isn't a niche developer tool — it is deployed across millions of websites globally, from e-commerce stores to news publishers to, critically, healthcare providers.

Meet the Conversions API: The Pixel's Harder-to-Block Sibling

For years, privacy-conscious users had a partial escape route: browser extensions like uBlock Origin, or Apple's Intelligent Tracking Prevention, could intercept the Pixel's client-side JavaScript calls. That escape route is closing.

The Conversions API (CAPI) is a server-side tracking tool built by Meta. Rather than firing from inside the visitor's browser, it sends event data directly from the website's server to Meta — completely bypassing ad blockers, cookie restrictions, and Apple's App Tracking Transparency framework introduced with iOS 14.

Meta's own advertising documentation frames CAPI as a reliability fix, not a privacy concern. According to Meta's 2025 Ads Transparency report, over 50% of browser-side conversions go untracked due to privacy regulations and cookie restrictions — and CAPI is pitched as the solution. From an advertiser's perspective, that framing is accurate. From a consumer's perspective, it means the technical controls that millions of people have adopted to limit tracking are being routed around at the server level, before data ever reaches their device.

You Don't Have to Be a User

Here is the part that surprises most people: you do not need a Facebook or Instagram account to end up in Meta's data apparatus.

When the Pixel or CAPI fires, Meta receives signals including IP addresses, browser fingerprints, hashed email addresses (if you've entered one on a site), and behavioral data. Depending on the context, third-party sites and apps may share a variety of information with Facebook, including websites and apps a person used — and if someone buys something from a site that shares data with Meta through its tracking tools or direct server-to-server connections like the Conversions API, that event is logged. Meta then attempts to match the signal to one of its existing user profiles. For non-users, the data still flows to Meta — it simply sits in an unmatched or "shadow" profile until the company can link it to a real identity.

Beginning in 2019, Facebook allowed users to review and, to some extent, control this data through a feature called Off-Facebook Activity (now Off-Meta Activity), which shows the data that other apps and websites share with Facebook — in other words, a way to know what Facebook knows about you. The tool lets you disconnect logged activity from your account — but as Meta's own help pages note, the underlying data can still be used in aggregated, de-identified form. And disconnecting requires knowing the tool exists in the first place.

Healthcare: Where the Stakes Got Serious

The Pixel controversy moved from abstract privacy concern to concrete harm most visibly in healthcare.

Research by The Markup revealed that about one-third of the top healthcare providers in the United States may have unknowingly shared protected health information (PHI) with Meta, in direct violation of HIPAA. The analysis covered the websites of 100 hospital systems in the US and found the Pixel installed on several of them.

One of the most significant incidents involved Advocate Aurora Health, a 26-hospital healthcare system in Wisconsin and Illinois, which notified patients of a data breach affecting approximately three million people after the Pixel was found transmitting patient data to Meta.

Regulators took notice. The HHS Office for Civil Rights (OCR) and the Federal Trade Commission wrote to almost 130 healthcare organizations in July 2023 warning them about the compliance risks of using tracking technologies, after these tools were discovered on their websites. The FTC followed through with enforcement: BetterHelp paid $7.8 million to consumers in a settlement filed by the FTC for revealing patient data to Facebook and Snapchat for advertising, and GoodRx paid $1.5 million to settle claims filed by the Justice Department on behalf of the FTC for failing to notify users that it was disclosing personal health information to Facebook and Google.

The cumulative toll is significant: from 2023 to 2025, hospitals, telehealth platforms, and digital health apps paid over $100 million in penalties and settlements for privacy violations tied to these technologies.

State AGs Turn Up the Heat

Federal enforcement has been patchy. State attorneys general have increasingly filled the gap — and the legal theories are multiplying.

Texas has been the most aggressive. In July 2024, Texas AG Ken Paxton announced that Meta agreed to pay $1.4 billion to settle a lawsuit over allegations that Meta processed facial geometry data of Texas residents in violation of Texas law — the largest privacy settlement an attorney general has ever obtained. While that case centered on biometric data rather than the Pixel specifically, it established that Texas courts and regulators are willing to hold Meta accountable for data collection practices at scale.

Washington state has pursued a different angle. A federal court denied most of Meta's motions to dismiss Washington AG Bob Ferguson's lawsuit accusing Meta of harming youth mental health, with the judge ruling that asserted violations of the Washington Consumer Protection Act and the federal Children's Online Privacy Protection Act can proceed. Washington courts have also seen the Pixel invoked under the Washington Consumer Protection Act in cases involving prescription-drug searches transmitted to Meta without user consent.

Other states are watching. California reached a $50 million enforcement settlement with Meta, and class-action litigation invoking state wiretapping laws — particularly the California Invasion of Privacy Act (CIPA) — has produced a wave of lawsuits against websites that deployed the Pixel without adequate disclosure.

The Legal Fault Lines

The courts have not reached consensus on how existing law maps onto pixel-based surveillance, and the split is shaping what remedies are actually available.

The Video Privacy Protection Act (VPPA) has been a favored vehicle for plaintiffs, on the theory that streaming and media sites sharing Pixel data with Meta are illegally disclosing video-watching records. The Second Circuit found in 2025 that strings of code transmitted by the Meta Pixel do not constitute "personally identifiable information" for purposes of the VPPA, because they are not information that would readily permit an ordinary person to identify a specific individual. That decision — which "shut the door" on many VPPA claims in the Second Circuit — creates a circuit split that the U.S. Supreme Court weighed in on in February 2026, considering how to characterize the information the Meta Pixel and Google Analytics transmit.

CIPA claims under California law, wiretapping theories, and state consumer-protection statutes remain live. The inconsistency across jurisdictions means the outcome for any given plaintiff can hinge almost entirely on geography.

What Organizations and Individuals Can Do

For organizations deploying the Pixel or CAPI

  • Audit your tag inventory. Use a tag management platform or browser-based scanner to identify every third-party script firing on your site — including ones added by marketing teams without security review.
  • Do not deploy the Pixel on authenticated or sensitive pages. Healthcare portals, account dashboards, checkout pages with medical or financial context, and any page where users input PHI or PII are high-risk surfaces.
  • Implement Meta Consent Mode so the Pixel fires only after affirmative user consent, and configure data-use restrictions to exclude sensitive categories.
  • Review your Business Associate Agreements if you are a covered entity or business associate under HIPAA. A BAA with Meta does not, on its own, authorize the transmission of PHI — and OCR has been explicit that pixel use on patient-facing pages likely requires patient authorization.
  • For CAPI deployments, apply Advanced Matching carefully. CAPI's server-side design means hashed PII (emails, phone numbers) can be sent without the user ever consenting to that specific transmission.
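As an added example (not Meta's code or the Pixel snippet itself), a small gate that sits in front of the Pixel's fbq() queue and enforces the second and third points above: sensitive paths never generate events, query strings (which carry on-site searches) are stripped from the page URL, and all other events are held until the visitor has given affirmative consent. The path patterns and the fbq sink are assumptions to be adapted to a real site.

```javascript
// Constructed placeholder patterns for high-risk pages (assumption: tune per site).
const DEFAULT_SENSITIVE = [/^\/portal\//, /^\/account(\/|$)/, /^\/checkout(\/|$)/, /appointment/i];

class PixelGate {
  // send: the real sink, e.g. (...args) => window.fbq(...args)
  constructor(send, sensitivePatterns = DEFAULT_SENSITIVE) {
    this.send = send;
    this.patterns = sensitivePatterns;
    this.consented = false;
    this.pending = [];
  }

  isSensitive(path) {
    return this.patterns.some((re) => re.test(path));
  }

  // Drop query string and fragment so search terms never reach Meta.
  static stripQuery(url) {
    return url.split(/[?#]/)[0];
  }

  // Returns "dropped", "queued" or "sent" so the decision is observable and auditable.
  track(url, eventName, params = {}) {
    const path = PixelGate.stripQuery(url);
    if (this.isSensitive(path)) return "dropped";
    const call = ["track", eventName, { ...params, page: path }];
    if (!this.consented) {
      this.pending.push(call);
      return "queued";
    }
    this.send(...call);
    return "sent";
  }

  // Flush everything held back once the visitor consents; returns how many events were released.
  grantConsent() {
    this.consented = true;
    const flushed = this.pending.splice(0);
    flushed.forEach((call) => this.send(...call));
    return flushed.length;
  }

  // On withdrawal, discard anything queued rather than sending it later.
  revokeConsent() {
    this.consented = false;
    this.pending = [];
  }
}
```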

For individuals

  • Visit facebook.com/off-facebook-activity and use the "Manage Future Activity" toggle to disconnect future off-Meta data from your account — even if you rarely use Facebook.
  • Use a browser extension such as uBlock Origin (effective against the client-side Pixel; less effective against CAPI).
  • Consider a privacy-focused DNS resolver (e.g., NextDNS, Quad9) that blocks known Meta tracking endpoints at the network level.
  • Be aware that "opting out" does not delete historical data already collected; it only disconnects future attribution from your named account.

The Bigger Picture

The Meta Pixel controversy is not just a story about one company's advertising tools. It is a test case for whether the existing US privacy patchwork — a mix of sector-specific federal law, state consumer-protection statutes, and wiretapping codes written before the internet existed — can keep pace with surveillance infrastructure that was designed, explicitly, to be invisible.

The Conversions API complicates that picture further. As Meta's own data shows, browser-side privacy controls have become effective enough that the company and its advertiser partners have migrated significant tracking volume to the server side — where users have no visibility and no technical recourse. The legal battles in Texas, Washington, California, and now the Supreme Court will determine whether that migration comes with legal consequences or whether it simply becomes the new normal.
