In this article, we will explain what to do if you receive a warning from Meta about sending potentially violating personal data. Learn how to fix the issue and stay in line with privacy regulations.
With data regulations piling up and getting stricter, users are more alert than ever to breaches of personal data. In response to the data privacy regulations, Meta has introduced updates that make including personal data in URL parameters unacceptable.
The warning appears when Meta detects URL parameters that potentially contain information that personally identifies individuals: for instance, contact information (phone number, email address), full name, user ID, address, birth date, payment details, login credentials, health-related information, etc.
Meta does not accept events if there is unencrypted PII in the URL parameters. Therefore, you must either encrypt this data before sending it or remove it from the URL entirely. When running Facebook Lead Ads, make sure you're not passing sensitive personal information through URL parameters to stay compliant and avoid this issue.
First, you need to turn off the software or plugin feature that passes the user’s personal data as URL query parameters to the thank you page (this occurs after sign-up, subscription, and purchase).
Plugins differ and so do their interfaces, but there should always be an option to disable this feature.
If Facebook is detecting personal data (PII) in your URL, there’s another way to fix it - especially for server-side tracking.
For web events, Facebook automatically picks up the page URL, so you can’t change it. But for server-side events, you can replace the URL before sending it to Facebook. This stops Facebook from receiving personal data in the URL.
Here’s what to do:
If a page URL has personal data, make sure Facebook’s web tracking doesn’t run on that page. You can do this by adding an exception trigger in Google Tag Manager.
How to do it:
Step 1: Create an Exception Trigger
Step 2: Apply Exception to Facebook Pixel Tags
Step 3: Publish and test
Now, Facebook’s web tracking will not run on pages where the URL contains sensitive user data.
Before sending data to Facebook, remove personal info from the URL.
You can do this using custom JavaScript to clean the URL before Facebook sees it.
This way, you still track events but without sending any private data to Facebook.
How to do it:
1. Go to Google Tag Manager.
2. Go to Variables → Click New.
3. Choose Variable Type: "Custom JavaScript".
4. Add JavaScript code that cleans the URL, as in the example below.
function() {
  var url = {{Page URL}}; // This is the page URL captured by the event
  var cleanUrl = url.split("?")[0]; // Removes query parameters (everything after '?')
  return cleanUrl;
}
5. Name the variable: Clean Page URL
6. Click Save.
Before Cleaning (URL with PII):
https://example.com/thank-you?email=john.doe@email.com&phone=1234567890
After Cleaning (URL without PII):
https://example.com/thank-you
By using this method, you can continue tracking Facebook events server-side without sending any personal information to Facebook.
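The snippet above drops every query parameter, including campaign parameters you may still want to report. As an added example (not Stape's or Meta's code), the function below goes a step further and removes only parameters that look like personal data; the key list, the email pattern and the sample URL are assumptions to adapt to your own forms.

```javascript
// Added example. PII_KEYS and EMAIL_VALUE are assumed patterns, not an official Meta list.
var PII_KEYS = /^(e[-_]?mail|mail|phone|tel|mobile|(first|last|full)?[-_]?name|address|dob|birth[-_]?date|user[-_]?id|password)$/i;
var EMAIL_VALUE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

// A parameter is treated as PII if its key is on the list
// or its decoded value contains something shaped like an email address.
function looksLikePii(key, value) {
  return PII_KEYS.test(key) || EMAIL_VALUE.test(value);
}

function sanitizeUrl(rawUrl) {
  var url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    // Not an absolute URL: fall back to cutting everything after '?' or '#'.
    return String(rawUrl).split(/[?#]/)[0];
  }
  var kept = new URLSearchParams();
  // searchParams yields percent-decoded values, so "%40" is seen as "@".
  url.searchParams.forEach(function (value, key) {
    if (!looksLikePii(key, value)) kept.append(key, value);
  });
  url.search = kept.toString();
  // The fragment is dropped outright: it can carry the same data (assumption:
  // it is not needed for event reporting).
  url.hash = "";
  return url.toString();
}

// Constructed sample input.
var SAMPLE = "https://example.com/thank-you?utm_source=newsletter&email=john.doe%40email.com&phone=1234567890#top";
console.log(sanitizeUrl(SAMPLE));
```

In Google Tag Manager, the same logic can back the Clean Page URL variable by returning sanitizeUrl({{Page URL}}) from the Custom JavaScript function.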
It’s alarming to receive a potentially violating personal data alert from Meta. Luckily, there are ways to fix it. Have you ever encountered such a problem? Let us know in the comments how you handled it and what topic you would like us to cover next on our blog.