TikTok and Meta's tracking pixels are quietly harvesting personal data, granular checkout interactions, and detailed commerce intelligence from the websites that implement them. The collection is going far beyond what ad attribution requires, creating serious privacy compliance risks and competitive disadvantages for the businesses involved.
Jscrambler conducted a runtime analysis of the ad pixels used by TikTok and Meta on actual websites, revealing that their default behavior requires immediate attention from every organization that employs them. The analysis focused on large companies in the retail, hospitality, and healthcare sectors. However, it's worth noting that most businesses with an online presence use these tracking pixels on their websites.
Tracking pixels were once just a small snippet of code on a webpage to confirm an ad impression or to log a visit. Almost all websites use them to track user behavior, measure ad performance, and optimize marketing efforts. These pixels let businesses see which ads drive traffic, conversions, or sales, and provide data to retarget users who showed interest but might not have completed a purchase. What many website owners likely don't realize is that TikTok and Meta's pixels go far beyond traditional tracking tags, collecting user emails, phone numbers, and addresses and turning seemingly anonymous browsing data into persistent, identifiable user profiles.
Shadow Profiling: How Pixels Build Persistent Identities
TikTok's pixel creates three different data records for each user interaction:
A primary event record of what the user did, such as viewing a product or adding to a cart
A metadata record
A performance record
All three records are connected using the same session ID.
When personal information like an email or phone number appears on a page, TikTok’s identity module processes it, normalizes it, and converts it into a SHA-256-style hashed identifier before sending it out. Meta takes a similar approach, hashing a wide range of fields, including first and last names, locations, and external identifiers.
The hashes are deterministic, meaning they produce the same output for the same input each time. But because the hashes are built from predictable data like emails and phone numbers, they are easy to re-identify by matching them against existing hashed data, or by hashing known contacts and comparing the results later. This effectively eliminates anonymization, allowing platforms to recover original user data and build long-term behavioral profiles without the users’ knowledge.
In practice, this is like a candidate-input matching process, where emails or phone numbers are compiled or generated, hashed, and then compared against the target hashes to find matches.
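The same determinism lets a site owner audit their own pages: submit a known test address, then search the captured outbound requests for that address or for the SHA-256 of its normalized form. The following is an added example, not Jscrambler's tooling or either vendor's code; the trim-and-lowercase normalization is an assumption, and the hosts, parameter names, and addresses are constructed sample data.

```javascript
// Added audit example (not Jscrambler's tooling). Hosts, parameter names and
// addresses below are constructed sample data.
const { createHash } = require('node:crypto');

// Assumed normalization: trim + lowercase. The page says identifiers are
// normalized before hashing but does not give the exact rules.
const normalize = (value) => value.trim().toLowerCase();
const sha256Hex = (value) => createHash('sha256').update(value, 'utf8').digest('hex');

// Search captured outbound requests for a seeded test identifier, either in
// cleartext or as the SHA-256 of its normalized form.
function findSeededIdentifier(requests, seed) {
  const clear = normalize(seed);
  const hashed = sha256Hex(clear);
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    // searchParams yields percent-decoded values, so "%40" matches "@".
    const fields = [...url.searchParams.entries()];
    if (req.body) fields.push(['(body)', req.body]);
    for (const [name, raw] of fields) {
      const value = raw.toLowerCase();
      if (value.includes(hashed)) {
        findings.push({ host: url.host, field: name, kind: 'sha256' });
      } else if (value.includes(clear)) {
        findings.push({ host: url.host, field: name, kind: 'cleartext' });
      }
    }
  }
  return findings;
}

// Constructed capture: what a proxy or HAR export might contain after typing
// " Audit.User@Example.test " into a checkout form on a test account.
const SEED = ' Audit.User@Example.test ';
const capturedRequests = [
  { url: `https://pixel-a.example/collect?ev=AddToCart&em=${sha256Hex('audit.user@example.test')}` },
  { url: 'https://pixel-b.example/track?ev=AddPaymentInfo&email=audit.user%40example.test' },
  { url: 'https://pixel-b.example/perf', body: '{"session":"s-123","ttfb":182}' },
];

console.log(findSeededIdentifier(capturedRequests, SEED));
```

A `sha256` finding means the hashed field can be matched back to the address by anyone who already holds that address; a `cleartext` finding means no matching is needed at all.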
The Commerce Data Problem
Identity resolution is only part of the problem. Jscrambler's research found that TikTok and Meta's ad pixels methodically harvest detailed, product-level intelligence and entire customer journeys from merchant websites. Meta and TikTok’s requests routinely include product names, unit prices, quantities, currency, and total cart values. They also logged specific checkout actions such as AddToCart or AddPaymentInfo. Meta’s telemetry even records the structure of checkout forms and buttons, providing insight into how a merchant’s site is built.
Merchants are unlikely to be aware of the extent to which their websites share data with these tracking pixels. While they might know that pixels collect basic conversion information, much of the detailed product-level, checkout-stage, and structural form data is automatically captured or passed through integrations like Shopify, with little visibility. While businesses might think they are enabling only standard tracking, in reality, they are feeding third-party platforms with a deep, continuous view of their product catalog, pricing, and customer behavior that could potentially benefit larger rivals.
Data Privacy and Security Implications
The implications from a privacy compliance and sensitive data exposure standpoint should be very concerning for any organization using these pixels. Jscrambler found TikTok pixels capturing sensitive data even before a user had an opportunity to make a consent choice, and in some cases, even after a user had clicked "Reject All". We observed TikTok capturing physical addresses entered into store-locator fields at major French and German retailers and transmitting the data back to its servers.
Figure 1 - Evidence of Meta (left) and TikTok (right) transmitting customer name and address data during checkout
Meta’s pixel includes a feature called Automatic Events, which is enabled by default. The feature automatically scans page elements and captures information such as checkout interactions and visible payment card details, including the last digits, expiration date, and cardholder name. Since this is the default behavior and not an opt-in, merchants may not be aware that the pixel is collecting this information. On separate sites, Meta captured recipients' full names and delivery addresses when users selected address options during checkout.
Figure 2 - Evidence of Meta collecting and transmitting card-related checkout metadata, including the last four digits and the cardholder's name
TikTok’s pixel was observed exhibiting similar behavior, harvesting sensitive user data during the checkout process. This included partial payment card details and other personal data provided by the customer.
Figure 3 - Evidence of TikTok collecting and transmitting card-related checkout metadata, including the last four digits and the cardholder's name
Both TikTok and Meta's pixel code can load and begin transmitting data before the website's consent management system has time to block it, meaning information can leave the browser before the user’s choice is applied. Even more concerning is that data may be transmitted in cleartext—occasionally within the request URL itself—exposing sensitive information to browser histories, server logs, intermediaries, and debugging tools.
This vulnerability stems not only from the pixel’s data-collection methods but also from misconfigurations during its implementation or from issues with the website's underlying architecture. Consequently, the attack surface is significantly broader than a surface-level analysis suggests.
Figure 4 - Evidence of tracking activity prior to the user consent choice
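One way to check for this race on your own site is to replay a captured request timeline against the moment the consent choice was recorded. The following is an added example, not part of the original analysis; the tracker hosts, event format, and timestamps are constructed.

```javascript
// Added audit example (not Jscrambler's tooling). Hosts, timestamps and the
// event format are constructed; substitute your own capture and host list.
const TRACKER_HOSTS = ['pixel-a.example', 'pixel-b.example']; // hypothetical

// True when host is a listed tracker host or a subdomain of one.
const isTracker = (host) =>
  TRACKER_HOSTS.some((t) => host === t || host.endsWith(`.${t}`));

// events: [{ t, type: 'request', url } | { t, type: 'consent', choice }]
// where choice is 'accept' or 'reject'. Returns tracker requests that fired
// before any choice was made or while the latest choice was 'reject'.
function auditConsentTimeline(events) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  let consent = 'pending';
  const violations = [];
  for (const ev of sorted) {
    if (ev.type === 'consent') {
      consent = ev.choice;
      continue;
    }
    const url = new URL(ev.url);
    if (!isTracker(url.hostname) || consent === 'accept') continue;
    violations.push({
      t: ev.t,
      host: url.hostname,
      reason: consent === 'pending' ? 'before-consent-choice' : 'after-reject',
    });
  }
  return violations;
}

// Constructed page-load timeline (milliseconds since navigation start).
const timeline = [
  { t: 120, type: 'request', url: 'https://cdn.shop.example/app.js' },
  { t: 310, type: 'request', url: 'https://pixel-a.example/collect?ev=PageView' },
  { t: 2400, type: 'consent', choice: 'reject' },
  { t: 2950, type: 'request', url: 'https://t.pixel-b.example/track?ev=AddToCart' },
  { t: 3100, type: 'request', url: 'https://api.shop.example/cart' },
];

console.log(auditConsentTimeline(timeline));
```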
The behaviors Jscrambler documented put websites in direct conflict with GDPR, CCPA, and other major privacy regulations. The potential violation triggers include consent failures, inadvertent personal data transmission, and financial or address data exposed in logs that outlast the original request. In addition, the exposure of partial cardholder data and address information increases the risk surface for identity theft and secondary data breaches.
From a competitive standpoint, merchants need to understand that the pixels they implement are not passive measurement tools. They are instead active data-collection systems that feed proprietary commercial intelligence — such as pricing, product mix, conversions, and customer behavior — directly into the same global advertising platforms that every other merchant on those platforms (including rivals) relies on. Larger rivals with bigger ad budgets could benefit because the more data the platform collects from all merchants, the better its targeting becomes. Often, better targeting favors those with the most budget to spend on ads.
Recommendations to mitigate runtime data risks
To manage these risks, organizations need to do considerably more than just review a pixel's documentation. This involves auditing actual pixel configurations and implementing continuous monitoring to catch "scope creep" - where a third-party script begins collecting more data than originally intended.
To protect your organization and maintain user trust, consider the following recommendations to mitigate runtime data risks:
Monitor Runtime Behavior: Use tools to gain visibility into pixel activity at runtime, with particular focus on the data they access, the data they collect, and how that information is transmitted to their servers.
Enforce Runtime Controls: Use tools to proactively restrict pixel access to sensitive fields and block unauthorized data exfiltration.
Disable AAM/Automatic Features: Manually disable AdvancedMatching and AutoAdvancedMatching flags if they do not align with your data governance policies.
Region-Aware and Consent Enforcement: Ensure pixels are loaded, blocked, or configured according to the user’s consent choices and applicable regional and sector-specific regulatory requirements.
It is the responsibility of every organization to ensure that the tracking pixels it implements on its website are configured correctly to close the gap between what it is permitted to do and what it is actually doing.