"We don't use cookies, just the Meta Pixel and server-side tagging." If that sentence has ever been used on your team as a reason to skip the consent banner, this article is for you.
The cookie rules were never actually about cookies. Europe's legal trigger — Article 5(3) of the ePrivacy Directive — covers "the storage of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user." A pixel that makes the browser send data, a script that builds a device fingerprint, a key written to localStorage: regulators treat all of these like cookies.
And in the last two years, the guesswork has been removed. The EDPB adopted final guidelines on exactly this question, the UK ICO published guidance that renames the whole topic from "cookies" to "storage and access technologies," and US enforcers have gone after pixels under laws that never mention the word cookie at all. Here's what actually applies in mid-2026.
Do tracking pixels and fingerprinting require consent?
Yes. In the EU/EEA and the UK, tracking pixels, device fingerprinting, localStorage, and tracking SDKs require the same prior opt-in consent as cookies whenever they're used for advertising, analytics, or profiling — because the law regulates storing or accessing information on a user's device, not the cookie file format. In the US there's no opt-in requirement, but state privacy laws define tracking technology-neutrally, so pixels and fingerprinting still trigger opt-out rights, Global Privacy Control handling, and notice obligations.
The narrow exceptions (strictly necessary functionality, communication transmission, and in the UK a new limited statistics exception) are purpose-based. They don't care whether the mechanism is a cookie, a pixel, or a hash of your GPU configuration.
The law regulates the behavior, not the cookie
Article 5(3) of the ePrivacy Directive — implemented across EU member states and in the UK as PECR — has two important properties that surprise engineering teams:
- It's technology-neutral. Anything that stores information on, or reads information from, a phone, laptop, smart TV, or connected device is in scope.
- It applies even to non-personal data. Unlike the GDPR, Article 5(3) protects the device, not just the person. The EDPB's Guidelines 2/2023 state explicitly that "information" is not limited to personal data.
Those guidelines — Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive, adopted in final form on 16 October 2024 — were written precisely because the industry was migrating from third-party cookies to "cookieless" tracking and hoping the rules wouldn't follow. They did. The EDPB walks through concrete use cases: URL and pixel tracking, local processing, IP-only tracking, unique identifiers, and IoT reporting. The key move is a broad reading of "gaining access": instructing a browser to send information to your server — which is exactly what a pixel does — counts.
France's CNIL reached the same conclusion years earlier — its cookie guidelines have always covered fingerprinting, localStorage, Flash objects, and OS-level identifiers alongside HTTP cookies. For background on the directive itself, see our developer's guide to the ePrivacy Directive.
Technology by technology: what needs consent
| Technology | EU/EEA | UK | US states |
|---|---|---|---|
| Meta Pixel, TikTok Pixel, ad pixels | Prior consent | Prior consent | Opt-out of sale/sharing + GPC |
| Server-side tagging | Consent still applies to the client-side collection | Same | Same opt-out duties |
| Device fingerprinting | Prior consent for tracking purposes | Prior consent (explicitly in ICO guidance) | Technology-neutral "unique identifier" rules |
| localStorage / sessionStorage | Same rules as cookies | Same rules as cookies | Counts toward tracking disclosures |
| Mobile SDKs | Prior consent for ad/analytics access | Prior consent | Opt-out + sensitive-data rules |
| Email open-tracking pixels | Prior consent | Prior consent | Generally permitted with notice |
Marketing pixels (Meta, TikTok, LinkedIn, Google)
A pixel is a snippet that makes the user's browser send a request — page URL, event data, identifiers, browser metadata — to the ad platform's server. Under the EDPB's reading, that's "gaining access" to information on terminal equipment, squarely under Article 5(3). In practice the pixel also sets or reads cookies (Meta's _fbp, for example), which removes any remaining doubt. In the EU and UK: blocked until the user opts in.
Server-side tagging
Server-side tagging moves the vendor call from the browser to your server. It does not remove the collection event: something in the client still captures the page view, sets or reads a first-party identifier, and ships data to your tagging server. That client-side step is in scope, and what your server forwards to Meta or Google afterwards is plain GDPR processing that needs a legal basis. Server-side setups are great for performance and data control — they are not a consent bypass. Regulators check network behavior, not architecture diagrams.
Device fingerprinting
Is fingerprinting legal? It's not banned, but in the EU and UK using it to track people requires the same prior consent as cookies — a position regulators have held since the Article 29 Working Party's Opinion 9/2014, reaffirmed by both the EDPB and the ICO. Reading screen resolution, fonts, GPU and audio-stack quirks to derive a stable identifier is "gaining access to information already stored" on the device.
Fingerprinting has an extra problem: it's covert by design. Transparency is hard, withdrawal of consent is nearly meaningless (you can't delete a fingerprint like a cookie), and regulators are correspondingly hostile. Using fingerprinting to circumvent cookie refusals is about the worst fact pattern you can present to an EU supervisory authority.
localStorage, sessionStorage, IndexedDB
Storing an identifier in localStorage instead of a cookie changes nothing legally — it's literally "storage of information on terminal equipment," and CNIL and the ICO both list HTML5 local storage in their guidance. Banners that block cookies but let scripts write tracking IDs to localStorage fail audits.
Mobile and smart-TV SDKs
An analytics or attribution SDK reading the advertising ID (IDFA/AAID) and writing data on the device is in scope for ePrivacy just like a browser tracker — "terminal equipment" includes phones, consoles, and TVs. Apple's App Tracking Transparency prompt is a platform rule on top, not a legal substitute for ePrivacy consent in Europe.
Email tracking pixels
Open-tracking pixels in newsletters instruct the recipient's mail client to fetch a remote image, telling you when, where, and on what device the email was opened. The EDPB's guidelines treat this as gaining access to information on terminal equipment, so EU/UK senders need prior consent for open and click tracking — separate from the consent to receive the email itself. CNIL's €325 million fine against Google in September 2025 (ads inserted into Gmail, plus cookies set without valid consent) shows how seriously French enforcement takes the inbox.
The UK in 2026: "storage and access technologies," not cookies
The UK is the clearest illustration of where this is heading. On 29 April 2026 the ICO published its final guidance on storage and access technologies — deliberately not called "cookie guidance" — covering cookies, tracking pixels, link decoration, scripts, fingerprinting and similar techniques under PECR and UK GDPR.
It lands alongside the Data (Use and Access) Act 2025, whose PECR changes took effect on 5 February 2026. The DUAA inserted new consent exceptions into PECR — notably a statistical purposes (analytics) exception and an appearance/functionality exception, both conditional on clear information and a "simple means of objecting," plus emergency-assistance and security cases. Two things matter here:
- The exceptions are purpose-based and apply to any storage and access technology — and so does the underlying prohibition. A fingerprinting script doesn't qualify for the statistics exception just because you label it "measurement."
- First-party, service-improvement analytics is the lane where UK rules genuinely relaxed — covered in depth in our sibling post on whether analytics cookies require consent.
The ICO backs this with sustained pressure: it reported in late 2025 that 99% of the UK's top 1,000 websites now meet its cookie banner standards after targeted interventions.
The US: no opt-in, but pixels are absolutely regulated
US state privacy laws don't require EU-style prior consent for pixels or fingerprinting. But don't read that as "unregulated":
- Definitions are technology-neutral. The CCPA's "unique identifier" expressly includes "cookies, beacons, pixel tags, mobile ad identifiers, or similar technology" and even probabilistic identifiers — which is fingerprinting by another name.
- Pixels trigger opt-out rights. Sending page URLs and identifiers to Meta or TikTok is typically "sharing" for cross-context behavioral advertising (California) or "targeted advertising" (most other states). Users can opt out, and covered businesses must honor Global Privacy Control signals as a valid opt-out — the California AG is explicit on this.
- Enforcement already targets pixels. The largest CCPA settlement to date — the California AG's $1.55 million Healthline settlement of July 2025 — was about exactly this: 118+ third-party cookies and pixels that kept firing after consumers opted out, including via GPC, on pages whose titles implied health conditions.
- The patchwork keeps growing. Indiana, Kentucky, and Rhode Island came online 1 January 2026, bringing the count to 19 comprehensive state laws, several requiring universal opt-out support.
Banner-and-signal specifics by state are in our guide to cookie banner requirements in US states.
Supportive: Purpose-based, technology-neutral rules are easier to reason about than a cookie whitelist — decide what each tracker is for, and the answer follows.
Cynical: They also mean the "we migrated off cookies" project your ad team just finished changed your compliance position by approximately zero.
What to actually do
- Inventory beyond cookies. Scan for pixels, localStorage keys, fingerprinting scripts, SDK endpoints, link decoration, and server-side tagging containers — not just Set-Cookie headers. Automatic cookie scanning gets you the browser-observable part; pair it with a tag manager and SDK review.
- Classify by purpose, not mechanism. Strictly necessary, functional, analytics, advertising. The purpose decides whether consent or an exception applies — in every jurisdiction above.
- Block before consent in opt-in regions. Pixels and fingerprinting scripts must not fire for EU/UK visitors until consent is given. Verify in the network tab, not the vendor dashboard.
- Wire consent state into server-side tagging. Your tagging server should respect the consent signal (e.g., via Google Consent Mode v2) so forwarding stops when consent is absent or withdrawn.
- Honor GPC for US traffic. Treat it as a production input that suppresses sharing/targeted-advertising pixels, not a privacy-policy footnote.
- Audit email tracking. If you track opens/clicks for EU recipients, get consent — ideally at newsletter signup.
- Log evidence. Store what was shown, what was chosen, and when. Healthline and the CNIL sanctions both turned on what actually happened in the browser versus what the policy claimed.
- Re-test quarterly. Tags drift. One pixel added through the tag manager can silently undo all of the above.
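The checklist above can be turned into a repeatable audit. The following is an added example, not CookieChimp's code or any vendor's API: it classifies each recorded storage/access event by purpose and flags anything that fired before consent (EU/UK) or despite a GPC signal (US). The event shape, region labels, purpose names and hostnames are constructed assumptions, and only strictly necessary use is modelled as exempt (the UK statistics exception is not).

```javascript
// Added example. Regions, purposes, event shape and hostnames are constructed.
const OPT_IN_REGIONS = new Set(["EU", "UK"]);
const EXEMPT_PURPOSES = new Set(["strictly_necessary"]);

// Build visitor state on the tagging server. "Sec-GPC: 1" is the request
// header a browser sends when Global Privacy Control is enabled; the key is
// lowercase because Node's http module lowercases header names.
function visitorFromRequest(headers, region, consent) {
  return { region, consent, gpc: headers["sec-gpc"] === "1", optedOut: false };
}

// Was this storage/access event allowed at the moment it fired?
function isAllowed(event, visitor) {
  if (EXEMPT_PURPOSES.has(event.purpose)) return true;
  if (OPT_IN_REGIONS.has(visitor.region)) {
    // Opt-in regime: the mechanism is irrelevant; consent for this purpose
    // must have been recorded before the event (timestamps in ms).
    const grantedAt = visitor.consent[event.purpose];
    return grantedAt !== undefined && grantedAt <= event.t;
  }
  // Opt-out regime: advertising trackers stop on GPC or an explicit opt-out.
  if (event.purpose === "advertising") return !(visitor.gpc || visitor.optedOut);
  return true;
}

// Return every event that fired without a valid basis, whatever its mechanism.
function auditPageLoad(events, visitor) {
  return events
    .filter((e) => !isAllowed(e, visitor))
    .map((e) => `${e.mechanism}:${e.target} (${e.purpose}) t=${e.t}`);
}

// Constructed sample capture: one page load, banner accepted at t=2500.
const sampleEvents = [
  { t: 120, mechanism: "cookie", target: "session_id", purpose: "strictly_necessary" },
  { t: 340, mechanism: "localStorage", target: "visitor_uid", purpose: "analytics" },
  { t: 410, mechanism: "pixel", target: "pixel.adplatform.example", purpose: "advertising" },
  { t: 415, mechanism: "fingerprint", target: "canvas+fonts", purpose: "advertising" },
  { t: 2600, mechanism: "pixel", target: "pixel.adplatform.example", purpose: "advertising" },
];
const euVisitor = visitorFromRequest({}, "EU", { advertising: 2500 });
const usGpcVisitor = visitorFromRequest({ "sec-gpc": "1" }, "US", {});

for (const v of [euVisitor, usGpcVisitor]) {
  console.log(v.region, auditPageLoad(sampleEvents, v));
}
```

The same `isAllowed` check can gate forwarding on a tagging server, so a withdrawn consent or a GPC header stops the onward call rather than only hiding the banner.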
Where CookieChimp fits
CookieChimp is a simple yet powerful CMP built for this widened scope: automatic scanning that surfaces trackers beyond classic cookies, prior blocking of pixels and scripts until consent, geo-targeted behavior (opt-in for EU/UK, GPC-aware opt-out for US states), Google Consent Mode v2 support for server-side setups, and consent logs you can hand to a regulator.
FAQ
Does the Meta Pixel require consent in the EU?
Yes. The Meta Pixel both sets/reads cookies (like _fbp) and instructs the browser to send behavioral data to Meta — each independently falls under Article 5(3) of the ePrivacy Directive. It must be blocked for EU/EEA and UK visitors until they opt in; the same goes for TikTok, LinkedIn, and Google ad tags.
Is device fingerprinting illegal under GDPR?
Fingerprinting isn't illegal as such, but using it to track or identify users in the EU/UK requires prior consent under ePrivacy rules — regulators have treated it like cookies since 2014, and the EDPB's 2024 guidelines and the ICO's 2026 guidance both confirm it. Using it to keep tracking people who rejected cookies is circumvention, and a fast track to enforcement.
Does server-side tagging avoid cookie consent requirements?
No. Server-side tagging relocates vendor calls, but the client-side collection (first-party identifier, page data sent to your tagging endpoint) still stores or accesses information on the device, and the onward sharing still needs a GDPR legal basis. Consent requirements follow the data flow, not the architecture.
Do email tracking pixels require consent?
In the EU and UK, yes — the EDPB's guidelines on Article 5(3) cover tracking pixels in emails, so open/click tracking needs prior consent from the recipient, separate from their consent to receive the email. In the US, email open tracking is generally lawful with notice, though state laws can apply to the downstream data use.
Does localStorage count as a cookie under GDPR and ePrivacy?
Legally it's treated the same. ePrivacy Article 5(3) covers any storage of information on the user's device, and CNIL and the ICO explicitly include HTML5 local storage. An identifier in localStorage needs the same consent treatment as the equivalent cookie.
Do tracking pixels require consent in the United States?
Not opt-in consent, in most cases. But state laws define personal information to include pixel and probabilistic identifiers, so advertising pixels trigger opt-out rights, GPC obligations, and disclosure duties — and the Healthline settlement shows pixels firing after an opt-out are an enforcement priority. Sensitive data (notably health) can require opt-in even in the US.
References
- EDPB, "Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive" (final version 2.0, adopted 16 October 2024): edpb.europa.eu
- EDPB, "EDPB provides clarity on tracking techniques covered by the ePrivacy Directive": edpb.europa.eu
- ICO, "Final storage and access technologies guidance published" (29 April 2026): ico.org.uk
- ICO, "Guidance on the use of storage and access technologies": ico.org.uk
- CNIL, "Cookies and other tracking devices: the CNIL publishes new guidelines": cnil.fr
- CNIL, "Sanctions and corrective measures: CNIL's actions in 2025": cnil.fr
- CNIL, "Cookies and advertisements inserted between emails: GOOGLE fined 325 million euros": cnil.fr
- California Attorney General, "California Consumer Privacy Act (CCPA)" — Global Privacy Control: oag.ca.gov
- California Attorney General, "Attorney General Bonta Announces Largest CCPA Settlement to Date, Secures $1.55 Million from Healthline.com": oag.ca.gov
- IAPP, "New year, new rules: US state privacy requirements coming online as 2026 begins": iapp.org
Your tracking stack moved beyond cookies years ago — your consent setup should too. Get started with CookieChimp and cover pixels, fingerprinting, and SDKs with one modern, region-aware banner.