It’s commonly known that Facebook uses cookies. On their website, but also on websites that use Facebook widgets such as like buttons, post embeds or videos. In this post we’ll discuss some different implementations of Facebook services or scripts, and why they require consent.
Facebook and consent
As we all know by now, services like Facebook utilize Marketing and tracking cookies require the visitor’s consent. Most website operators understand that using a Facebook tracking Pixel requires the visitor’s consent, as the purpose of the pixel is marketing/tracking related (or at least to gather statistics). Some Complianz users ask us whether the same goes for embedded posts or videos, as the video or embedded post serves a ‘functional’ purpose as part of a page or article. Unfortunately that ship won’t sail, as this content is loaded via an iFrame of facebook.com. This iFrame will load third-party cookies used to track your visitors. This information can then be accessed by Facebook.com. So, even when embedded consent is published purely for a functional purpose, the cookies serve a marketing purpose and require consent.
What is an iFrame?
An iFrame is essentially a frame which loads content from another site. Most embedded posts, like buttons, videos, etcetera are embedded using an iFrame. As the content in the iFrame is loaded from the external site, in most cases it will also load the cookies from the external site. This external site can also access the cookies it places, which makes iFrames still a commonly used method used for tracking.
Third-Party cookies versus Own domain cookies
In the example of an embedded Facebook like button, the like button is loaded via an iFrame via facebook.com. It stores data in cookies on the facebook.com domain. Third-Party cookies are very likely to require consent as they are still the most-used method for cross-domain tracking. Also Browsers are increasingly blocking third-party cookies as part of their privacy settings. This is why Facebook also allows site visitors to load facebook scripts and pixels via a subdomain (eg. facebook.yoursite.com). Technically speaking, cookies placed on a subdomain of your own site are not third-party cookies. This is why they are less likely to be blocked by privacy settings. Though in the perspective of privacy legislation, these scripts and cookies still serve the same marketing purpose and therefor require consent.
Our solution
Complianz will automatically detect Facebook embeds and pixels via the automated site scan. It then allows you to block facebook scripts before consent (or after consent is revoked in opt-out regions). A nice placeholder replaces the blocked content before consent, asking the visitor to accept Facebook cookies. Complianz integrates will all commonly used Facebook implementations and plugins, making consent management for Facebook scripts and cookies a breeze.