1

I hope this question is on-topic here, as it's about the tech side of the Facebook tracking.

Some months ago, Facebook released their Conversions API (CAPI) to make it possible to send them user activity events directly from your servers, instead of sending the events from the client using the classic Facebook pixel.

Supposedly, they released CAPI because the Facebook pixel uses third-party cookies to identify the user, and at some point in 2023 Google Chrome will start blocking third-party cookies. This change should render the client-side Facebook pixel useless, supposedly, or at least that's what every marketing blog out there says.

The thing is, from what I can see in my browser devtools, the Facebook pixel inserts a cookie named _fbp on a first-party context (and also another one named _fbc if the visitor landed on the website from a Facebook ad). These two cookies are unique to the user and the website. Then, the Facebook pixel attaches the cookie values as query params to the GET request that does to the Facebook servers on every event.

So, if the Facebook pixel is generating and reading these first-party cookies & attaching them as query params on every event, what's the deal with Conversions API? Supposedly it should solve the problem of third-party cookies blocking, but we're not using third-party cookies here, and anyway we are attaching the value to the cookie in the URL instead of sending the values in the cookie headers.

I guess I'm misunderstanding something. Any help is much appreciated! Thanks!

TheMrAngel
  • 76
  • 4
  • Without 3rd-party cookies, how would Facebook know _which_ user this actually is? All they would be able to do, is accumulate data based on a random identifier across your site only. That does not allow them to match this data to any actual user in their system - which is rather the point of all that tracking and privacy invasion to begin with though. – CBroe Apr 20 '22 at 13:04
  • Hi @CBroe! The thing is, the pixel is NOT using third-party cookies currently, if I checked my devtools correctly (maybe I'm wrong here). That's why this is puzzling me. I have the hypothesis that they match you using a combination of the _fbc cookie (which is an ID of a a click on ad, so they know the FB account which clicked) and some other fingerprinting techniques. – TheMrAngel Apr 20 '22 at 13:17
  • But the pixel code makes a request to Facebook, so if that's a cross-domain request with the `credentials` flag set, it would also send the cookies your browser has stored for `facebook.com`. – CBroe Apr 20 '22 at 14:03
  • Hi! I'm not seeing such credentials flah set (do you have more info about it, or a link?). Do you find any example of website where the Facebook pixel is setting the cookies third-party or is sending them anyway with a flag like `credentials`? – TheMrAngel Apr 20 '22 at 16:30
  • No, I have not looked into it in detail yet. – CBroe Apr 21 '22 at 06:07
  • Hi @TheMrAngel Could you let me know if you got any more info on this? I'm also trying to better understand it – kufer Aug 25 '23 at 08:34
  • Hi @kufer Sadly not! I didn't return to this topic again. If you happen to find the answer, would you please share it here? – TheMrAngel Aug 26 '23 at 16:00

0 Answers0