Privacy Audit
4.1

facebook.com

#03

Privacy audit of Meta's flagship social platform

2026-03-09 · 4.1/10 overall

TL;DR

Strong security headers and CSP

5 of the 6 security headers checked are present (only Referrer-Policy is missing), including a comprehensive Content-Security-Policy with strict source lists and upgrade-insecure-requests. TLS 1.3 with a modern cipher suite.

🚨

Reject button doesn't stop cookie drops

The 'datr' cookie (400-day lifetime) is set regardless of whether users click 'Allow all cookies' or 'Decline optional cookies'. Meta Beacon telemetry fires in both scenarios.

🔍

WebGL fingerprinting fires before consent

Facebook probes WebGL renderer info via getExtension('WEBGL_debug_renderer_info') and getParameter before any consent interaction. Device fingerprinting reads information from the user's terminal equipment, so it falls under ePrivacy Art. 5(3) in the same way as cookie access and needs consent first.

Score breakdown

Consent: 4.6 / 10
Legal Pages: 6.5 / 10
Cross-Border: 6.8 / 10
Dark Patterns: 3.7 / 10
Security Headers: 8.5 / 10
Cookie Management: 4.6 / 10
Pre-Consent Tracking: 2.8 / 10


GDPR compliance

Article: Status
ePrivacy Art. 5(3): fail
GDPR Art. 6(1)(a): fail
GDPR Art. 5(1)(a): partial
GDPR Art. 7(3): fail
GDPR Art. 13: partial
GDPR Art. 25: fail
EDPB Dark Patterns guidelines: fail

Recommendations

critical

Honour reject choice by not setting datr cookie after decline

The datr cookie (400-day lifetime) is set whether users accept or decline optional cookies, so declining changes nothing about it. A rejection that has no effect is not an effective rejection, and that undermines the whole consent mechanism.

ePrivacy Art. 5(3) · CNIL vs Facebook Ireland EUR 60M (Jan 2022, refusing cookies made harder than accepting them); Irish DPC vs Meta EUR 1.2B (May 2023, a GDPR Chapter V data-transfer decision rather than a cookie-consent case)

critical

Remove pre-consent WebGL fingerprinting

WebGL renderer probing via getExtension('WEBGL_debug_renderer_info') fires before consent. Device fingerprinting reads information from the terminal equipment and therefore falls under ePrivacy Art. 5(3), which requires prior consent.

ePrivacy Art. 5(3) · EDPB Guidelines 2/2023 on the technical scope of Art. 5(3) — fingerprinting is covered in the same way as cookie tracking
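How an auditor (or the site itself) can make the WebGL finding in the TL;DR and in this recommendation concrete: the following is an added example, not code from the audit or from Facebook. It wraps getExtension and getParameter on a WebGL context prototype, records every WEBGL_debug_renderer_info probe together with the calling frame, and answers null until a consent flag is set. In a browser it would be installed on WebGLRenderingContext.prototype and WebGL2RenderingContext.prototype before any page script runs (a DevTools snippet or an extension content script at document_start); under Node there is no WebGL, so a constructed stub stands in for the prototype. The enum values are the ones the extension defines; everything else is assumed.

```javascript
// Added example: consent gate over the WebGL renderer probes the audit flags.
// Not Facebook's code; the stub prototype below is constructed for Node.

const RENDERER_INFO_EXT = 'WEBGL_debug_renderer_info';
// Enum values defined by the WEBGL_debug_renderer_info extension.
const UNMASKED_VENDOR_WEBGL = 0x9245;
const UNMASKED_RENDERER_WEBGL = 0x9246;

function newGateState() {
  return { consented: false, probes: [] };
}

// Fourth stack frame: the script that asked, which the audit wants to attribute.
function callerFrame() {
  const lines = (new Error().stack || '').split('\n');
  return (lines[3] || '').trim();
}

// Wrap the two probe entry points on `proto`; `state` is shared with the consent UI.
function installWebGLConsentGate(proto, state) {
  const origGetExtension = proto.getExtension;
  const origGetParameter = proto.getParameter;

  proto.getExtension = function (name) {
    if (name === RENDERER_INFO_EXT) {
      state.probes.push({ call: 'getExtension', arg: name, consented: state.consented, caller: callerFrame() });
      if (!state.consented) return null; // same answer a browser gives when the extension is absent
    }
    return origGetExtension.call(this, name);
  };

  proto.getParameter = function (pname) {
    if (pname === UNMASKED_VENDOR_WEBGL || pname === UNMASKED_RENDERER_WEBGL) {
      state.probes.push({ call: 'getParameter', arg: pname, consented: state.consented, caller: callerFrame() });
      if (!state.consented) return null;
    }
    return origGetParameter.call(this, pname);
  };
}

// Probes logged while consented was false are the pre-consent fingerprinting hits.
function preConsentProbes(state) {
  return state.probes.filter((p) => !p.consented);
}

// Constructed stand-in for WebGLRenderingContext.prototype (Node has no WebGL).
function makeStubContextProto() {
  return {
    getExtension(name) {
      return name === RENDERER_INFO_EXT ? { UNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL } : null;
    },
    getParameter(pname) {
      if (pname === UNMASKED_VENDOR_WEBGL) return 'Stub Vendor';
      if (pname === UNMASKED_RENDERER_WEBGL) return 'Stub Renderer';
      return 0;
    },
  };
}

// Replays the sequence the audit describes: a probe before any consent
// interaction, then the same probe after the user accepts.
function demoGate() {
  const proto = makeStubContextProto();
  const state = newGateState();
  installWebGLConsentGate(proto, state);
  const gl = Object.create(proto);
  const extBefore = gl.getExtension(RENDERER_INFO_EXT);
  const rendererBefore = gl.getParameter(UNMASKED_RENDERER_WEBGL);
  state.consented = true; // the consent UI would flip this on 'Allow all cookies'
  const rendererAfter = gl.getParameter(UNMASKED_RENDERER_WEBGL);
  return { extBefore, rendererBefore, rendererAfter, preConsent: preConsentProbes(state), total: state.probes.length };
}

if (typeof WebGLRenderingContext !== 'undefined') {
  // Browser: hook both context kinds and expose the log for the audit to read.
  const gateState = newGateState();
  installWebGLConsentGate(WebGLRenderingContext.prototype, gateState);
  if (typeof WebGL2RenderingContext !== 'undefined') {
    installWebGLConsentGate(WebGL2RenderingContext.prototype, gateState);
  }
  globalThis.__webglGate = gateState;
}
```

Returning null before consent is deliberate: it is exactly what a fingerprinting script sees on a browser that does not expose the extension, so the page keeps rendering while the probe is recorded and attributed. Page scripts that capture the original prototype methods before the hook is installed would bypass it, which is why the install has to happen at document_start.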

high

Gate Meta Beacon telemetry behind consent

The /ajax/bz beacon endpoint fires before consent and transmits device info, connection quality and session identifiers. It should be deferred until after a positive consent, and it should stay silent after a decline.

ePrivacy Art. 5(3) · CNIL vs Google EUR 100M (Dec 2020) — advertising cookies placed without consent
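The datr and Meta Beacon findings come from the same kind of evidence: a request capture from a run where the tester clicked 'Decline optional cookies'. The following is an added example, not part of the audit report and not Facebook's code, that reduces such a capture to the two questions the recommendations turn on: which cookies were still set before consent and after the decline, and which telemetry requests still fired. The capture shape and the sample run are constructed (a HAR export can be reduced to the same shape), the cookie value and the consent-response path are placeholders, and the telemetry path list and the 13-month cap are assumptions stated in the constants.

```javascript
// Added example: audit a "Decline optional cookies" run. Not code from the
// audit page; the sample capture below is constructed.

const SECONDS_PER_DAY = 86400;
// Assumption: the 13-month maximum lifetime CNIL's cookie guidelines allow for consent-based cookies.
const MAX_CONSENT_LIFETIME_DAYS = 395;
// Assumption: request paths treated as telemetry; the audit names /ajax/bz.
const TELEMETRY_PATHS = ['/ajax/bz'];

// Parse one Set-Cookie header per RFC 6265: Max-Age takes precedence over
// Expires, and a cookie with neither is a session cookie. `now` anchors
// Expires so results are deterministic.
function parseSetCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let maxAge = null;
  let expires = null;
  const flags = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'max-age') maxAge = Number(val);
    else if (key === 'expires') expires = new Date(val);
    else flags[key] = val || true;
  }
  let seconds = 0;
  if (maxAge !== null && Number.isFinite(maxAge)) seconds = maxAge;
  else if (expires !== null && !Number.isNaN(expires.getTime())) seconds = (expires.getTime() - now.getTime()) / 1000;
  return {
    name,
    session: maxAge === null && expires === null,
    lifetimeDays: Math.max(0, Math.round(seconds / SECONDS_PER_DAY)),
    flags,
  };
}

function isTelemetry(url) {
  const path = new URL(url).pathname;
  return TELEMETRY_PATHS.some((p) => path.startsWith(p));
}

// run = { consentAt: ms after navigation when the banner was answered,
//         choice: 'decline' | 'accept',
//         requests: [{ t: ms after navigation, url, setCookie: [header, ...] }] }
function auditRun(run, now = new Date()) {
  const findings = { cookiesBeforeConsent: [], cookiesAfterDecline: [], telemetryBeforeConsent: [], telemetryAfterDecline: [] };
  for (const req of run.requests) {
    const preConsent = req.t < run.consentAt;
    const afterDecline = !preConsent && run.choice === 'decline';
    if (isTelemetry(req.url)) {
      if (preConsent) findings.telemetryBeforeConsent.push(req.url);
      else if (afterDecline) findings.telemetryAfterDecline.push(req.url);
    }
    for (const header of req.setCookie || []) {
      const c = parseSetCookie(header, now);
      const entry = { name: c.name, lifetimeDays: c.lifetimeDays, exceedsCap: c.lifetimeDays > MAX_CONSENT_LIFETIME_DAYS, setBy: req.url, t: req.t };
      if (preConsent) findings.cookiesBeforeConsent.push(entry);
      else if (afterDecline) findings.cookiesAfterDecline.push(entry);
    }
  }
  return findings;
}

// Constructed sample run reproducing the behaviour the audit describes:
// datr (Max-Age 34560000 s = 400 days) set on first load and again on the
// consent response, and the beacon firing on both sides of the decline.
const DATR_HEADER = 'datr=PLACEHOLDER; Max-Age=34560000; Path=/; Domain=.facebook.com; Secure; HttpOnly; SameSite=None';
const SAMPLE_DECLINE_RUN = {
  consentAt: 5200,
  choice: 'decline',
  requests: [
    { t: 310, url: 'https://www.facebook.com/', setCookie: [DATR_HEADER] },
    { t: 1480, url: 'https://www.facebook.com/ajax/bz', setCookie: [] },
    { t: 5230, url: 'https://www.facebook.com/hypothetical-consent-response', setCookie: [DATR_HEADER] }, // placeholder path
    { t: 5900, url: 'https://www.facebook.com/ajax/bz', setCookie: [] },
    { t: 6100, url: 'https://static.example.test/app.js', setCookie: [] },
  ],
};

function auditSampleRun() {
  return auditRun(SAMPLE_DECLINE_RUN);
}
```

The consent timestamp is the only thing that separates "pre-consent" from "after decline", so it has to come from the capture itself (the click on the banner), not from a guess; a run with choice 'accept' reports only the pre-consent side. Max-Age is preferred over Expires because that is what the browser does, and a header that carries both with conflicting values would otherwise be misread.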

high

Add consent revocation mechanism

No way to withdraw consent was found on the logged-out page. GDPR Art. 7(3) requires withdrawing consent to be as easy as giving it.

Art. 7(3) · EDPB Guidelines 05/2020 — revocation must match acceptance ease

medium

Equalise accept and reject button prominence

Replace the plain-text 'Decline optional cookies' link with a button of the same visual weight as the blue 'Allow all cookies' button.

EDPB Guidelines 03/2022 · CNIL vs Google EUR 150M (Jan 2022) — rejecting must be as easy and as prominent as accepting

medium

Add Referrer-Policy header and implement SRI

Referrer-Policy is the only missing security header; add one (strict-origin-when-cross-origin or stricter) so the policy is explicit rather than left to browser defaults. Zero of 68 external scripts carry a Subresource Integrity attribute. Implement SRI for at least the critical CDN resources, starting with the versioned, content-addressed bundles: a browser refuses to run a script whose hash does not match, so SRI only fits assets whose bytes are stable between releases, and the tags need crossorigin="anonymous" with matching CORS headers on the CDN.

Art. 32