Why Consent Is Failing In Practice

The Gap Between What Pixels Say They Do And What They Actually Do

TikTok and Meta’s pixels are designed to track user actions after an ad is viewed. This helps businesses measure ROI and retarget visitors with advertising on other sites.​

Today, the system harvests product-level commercial intelligence, including product names, unit prices, quantities, cart values and checkout-stage events. Meta’s telemetry extends to the structural layout of checkout forms and buttons, revealing not just what consumers buy, but how organizations design their path to purchase. ​

This isn’t ad attribution. It’s continuous competitive reconnaissance, fed directly into the same advertising platforms that your competitors rely on.​

What most online businesses fail to appreciate is the competitive dimension of what they are sharing. The data flowing through these pixels does not stay siloed to their own campaigns. As platforms accumulate behavioral and commercial intelligence across companies, their targeting systems improve in aggregate, and that advantage disproportionately benefits advertisers with the largest budgets, who can bid against insights their competitors helped generate. ​

Building Persistent Behavioral Profiles

In practice, data that appears anonymized can often be re-associated through predictable attributes such as email addresses, phone numbers and device identifiers. Matching against external datasets enables platforms to re-link behavioral signals over time and maintain persistent user profiles.​

A single individual’s activity—medical searches, app-based purchases and location queries—can appear unrelated in isolation, but within a sufficiently instrumented platform, becomes unified into a single behavioral profile spanning financial, health and location signals. ​

Why Default Behavior Is The Core Problem

Meta’s Automatic Events feature scans page elements and captures checkout interactions, including partial card numbers, expiration dates and cardholder names. Our research at Jscrambler identified instances in which this feature was enabled without the organization’s explicit awareness or activation. As a result, the organization, which believed it was deploying a standard conversion pixel, had no idea this collection was occurring. The burden of opting out falls entirely on the party least likely to know there is anything to opt out of.​

In some configurations, pixel code from major platforms can also begin transmitting data before a site’s consent management system has fired, meaning signals may leave the browser before a user’s consent choice is registered. In certain implementations, data is transmitted in clear text within request URLs, making it visible in browser histories, server logs and any intermediary systems along the traffic path.​

The industry’s position has been that responsibility for correct configuration lies with the organization subscribing to the tracking service. This is not entirely wrong. Misconfiguration is a genuine part of the problem, and the tools are complex enough that getting configuration right is harder than the documentation suggests. Meta and TikTok are the most visible actors here, but they are not the whole problem. ​

The deeper issue is that default-on data collection has become a standard design pattern, while consent frameworks intended to govern it often operate after data capture has already occurred. Telling companies to configure their way out of a problem that’s designed into the default behavior of the tools shifts responsibility without addressing the underlying behavior. The more defensible position is that the harvesting data strategy, by default, should not be permissible at all.​

What This Means For Security And Compliance Teams

The framing of pixel risk as primarily a marketing responsibility or privacy operations issue has kept it outside the security function longer than it should be. Security concerns include the transmission of runtime data (including sensitive data) that may occur before consent is registered and may persist long after the original request for consent. Traditional security approaches often struggle to mitigate this kind of exposure because it spans security controls, product design and business-driven tracking requirements. ​

TikTok and Meta are among the most visible examples of a much larger problem. Dozens of third-party scripts and pixels routinely load on commercial websites, yet their runtime behavior is rarely examined with the same rigor as other components of the application stack. ​

Consent management systems define intent, but they do not control enforcement. A solution is needed that can enforce policy in real time, preventing sensitive data from being accessed or transmitted regardless of pixel configuration, script behavior or downstream platform defaults. ​

Our suggestion is to address these problems with three capabilities:​

• Real-time visibility into what pixels are accessing and transmitting, and when that activity occurs relative to user consent

• Proactive enforcement that restricts pixel access to sensitive data before a problem occurs, rather than detecting it after the fact

• Independent verification that automatic data collection is disabled and remains disabled, rather than assuming default settings reflect intended behavior​

The gap between what these tools are permitted to do and what they actually do is not a footnote in a compliance review. It is an architectural blind spot that existing consent and monitoring systems were never designed to close.​

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?