Ad targeting data not shared with third parties without affirmative opt-in
Why it matters
Behavioral data — browsing history, content preferences, inferred demographics — is among the most sensitive data a community platform holds. Sharing it with ad networks (Google Ads, Meta Pixel, TikTok) without explicit opt-in violates GDPR Art. 6 (no lawful basis), GDPR Art. 7 (no consent), CCPA §1798.120 (right to opt out of sale/sharing), and ePrivacy Art. 5(3) (tracking without consent). Regulators have issued nine-figure fines for exactly this pattern. A Facebook Pixel firing on page load without consent is not an implementation detail — it is an ongoing violation for every page view.
Severity rationale
Medium because the data leaves the platform boundary on every affected page load, but the immediate harm requires the third party to act on the data rather than causing direct account compromise.
Remediation
Initialize ad network SDKs and pixels only after checking consent — never on page load unconditionally. Wrap all ad SDK initialization behind a consent gate in src/lib/analytics/adNetworks.ts:
```ts
export async function initAdNetworks(userId: string) {
  // Fail closed: without an affirmative opt-in, no ad SDK is initialized.
  const hasConsent = await getConsentStatus(userId, 'ad_targeting');
  if (!hasConsent) return;

  // Google
  gtag('config', process.env.GA_MEASUREMENT_ID!);

  // Meta Pixel
  fbq('init', process.env.META_PIXEL_ID!);
  fbq('track', 'PageView');
}
```
For server-side ad data sharing (Conversions API, audience uploads), add an identical consent check before every API call to the ad network — client-side gating alone is insufficient if server-side sharing continues.
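For the server-side case described above, an added example (not the project's own code): a fail-closed filter that decides, per ad network, which audience members may be included in an upload. The record shape, the network names and the sample data are assumptions constructed for illustration.

```typescript
// Added example. Record shapes, network names and sample data are assumptions (constructed).
type AdNetwork = "google_ads" | "meta" | "tiktok";

interface ConsentRecord {
  purpose: string;        // e.g. "ad_targeting"
  granted: boolean;       // true only after an explicit opt-in action
  networks: AdNetwork[];  // networks the user has left enabled in settings
  withdrawnAt?: string;   // set when the user later opts out
}

interface AudienceMember {
  userId: string;
  interests: string[];
}

// Fail closed: sharing defaults to off unless every condition holds.
function mayShareWith(record: ConsentRecord | undefined, network: AdNetwork): boolean {
  if (record === undefined) return false;               // user was never asked
  if (record.purpose !== "ad_targeting") return false;  // consent given for another purpose
  if (record.granted !== true) return false;            // user declined
  if (record.withdrawnAt !== undefined) return false;   // user opted out later
  return record.networks.indexOf(network) !== -1;       // false if this network is disabled
}

// Split a candidate audience into what may be uploaded and what must be withheld.
function buildAudienceUpload(
  members: AudienceMember[],
  consents: Map<string, ConsentRecord>,
  network: AdNetwork
): { network: AdNetwork; shared: AudienceMember[]; withheld: string[] } {
  const shared: AudienceMember[] = [];
  const withheld: string[] = [];
  for (const m of members) {
    if (mayShareWith(consents.get(m.userId), network)) shared.push(m);
    else withheld.push(m.userId);
  }
  return { network, shared, withheld };
}

// Constructed sample data: u5 has no consent record at all.
const sampleConsents = new Map<string, ConsentRecord>([
  ["u1", { purpose: "ad_targeting", granted: true, networks: ["meta", "google_ads"] }],
  ["u2", { purpose: "ad_targeting", granted: true, networks: ["google_ads"] }],
  ["u3", { purpose: "ad_targeting", granted: true, networks: ["meta"], withdrawnAt: "2026-01-05T10:00:00Z" }],
  ["u4", { purpose: "analytics", granted: true, networks: ["meta"] }],
]);
const sampleMembers: AudienceMember[] = ["u1", "u2", "u3", "u4", "u5"].map(
  (userId) => ({ userId, interests: ["cycling"] })
);
console.log(buildAudienceUpload(sampleMembers, sampleConsents, "meta"));
```

The `withheld` list gives an audit trail of who was excluded from each upload, which is useful evidence when answering the "What to look for" checks.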
Detection
- ID: ad-targeting-opt-in
- Severity: medium
- What to look for: Enumerate every relevant item. Check whether behavioral data (browsing history, content preferences, demographics, interests) is shared with ad networks or third-party marketing platforms. Look for integrations with Google Ads, Facebook Pixel, or similar. Verify each is covered by explicit opt-in consent. Check privacy policy for ad-related disclosures.
- Pass criteria: At least 1 of the following conditions is met. Ad targeting data is only shared with third parties after explicit user opt-in. Users can see which ad networks receive data and disable sharing in settings. Sharing defaults to off.
- Fail criteria: Ad targeting data automatically sent to third parties. No opt-in consent flow. Users cannot disable ad targeting. Privacy policy is vague about data sharing.
- Skip (N/A) when: Never — ad sharing requires consent.
- Detail on fail: Describe the unauthorized sharing. Example: "User behavioral data sent to Google Ads API without user opt-in. No setting to disable." or "Facebook Pixel fires on all pages with no user consent mechanism."
- Remediation: Require explicit opt-in for ad networks:
```ts
// Only initialize ad SDK if user has consented
async function initializeAdNetworks(userId: string) {
  const consent = await getConsentStatus(userId, 'ad_targeting');
  if (consent) {
    // Initialize Google Ads
    gtag('config', 'GA_MEASUREMENT_ID');
    // Initialize Facebook Pixel
    fbq('init', 'PIXEL_ID');
    fbq('track', 'PageView');
  }
}

// Share audience data only with consent
async function shareUserWithAdNetwork(userId: string, adNetwork: string) {
  const consent = await getConsentStatus(userId, 'ad_targeting');
  if (!consent) {
    return { error: 'No consent for ad targeting' };
  }
  await sendToAdNetwork(adNetwork, userId, getUserTaxonomy(userId));
}
```
External references
- gdpr · Art. 6 — Lawfulness of processing — consent required for ad targeting
- gdpr · Art. 7 — Conditions for consent
- ccpa · §1798.120 — Right to opt-out of sale or sharing of personal information
- eprivacy · Art. 5(3) — Consent required for behavioral advertising
History
- 2026-04-18·v1.0.0·Initial import from community-privacy-controls·automated