1,500 CIPA lawsuits have been filed in 18 months, and the courts are treating client-side pixels as potential wiretapping devices because of what they transmit without explicit user consent. Most WooCommerce store owners know they have a Meta Pixel installed. Fewer than one in ten can answer this question: what exactly does that pixel send to Facebook every time a visitor lands on your store?
This isn’t an audit guide or a scare piece. It’s an inventory. You’re about to see the default data parameters each major platform pixel transmits from your WooCommerce store — and once you see it, you’ll understand why “I have a privacy policy” is not the same as “I know what my pixels do.”
The Problem: Installation Without Understanding
Installing a tracking pixel takes five minutes. Understanding what it sends takes this article. Most WooCommerce documentation stops at installation — here’s the tag, paste it in your header, done. The data transmission side is rarely documented in plain language, because the platform vendors have little incentive to spell it out.
31.5% of your visitors use ad blockers, meaning your pixel fires but the data never reaches its destination for nearly one in three site visits. That’s a separate problem. The legal and privacy problem runs in the opposite direction: for the other 68.5% of visitors, those pixels are sending data you may not have fully accounted for in your privacy disclosures.
CIPA — California’s Invasion of Privacy Act — allows $5,000 in statutory damages per violation per consumer with no cap on class size. The Camplisson v. Adidas case (November 2025) and the acceleration of demand letters across e-commerce are a direct consequence of pixel data transmission that wasn’t disclosed. You don’t need to be negligent. You need to have transmitted data without adequate disclosure. That’s the gap this inventory closes.
What Each Platform Pixel Actually Transmits
The following covers default transmission — what each pixel sends before any custom configuration, before any consent management, before any data minimization. This is what fires if you install the standard pixel and walk away.
Meta Pixel (Facebook)
Every page load with the Meta Pixel installed sends a PageView event. That event carries:
- IP address — transmitted directly to Meta’s servers from the visitor’s browser
- User agent string — browser type, version, operating system
- Full page URL — including any query parameters (which can contain email addresses from email campaign links)
- HTTP referrer — where the visitor came from
- Browser fingerprint signals — screen resolution, language, timezone, plugins
- Facebook Click ID (fbclid) — if the visitor arrived via a Facebook ad
On WooCommerce stores, standard events add product-level data. An AddToCart event sends content_ids (your product IDs), content_type, value, and currency. A Purchase event sends the transaction value, currency, and the array of purchased items. If Automatic Advanced Matching is enabled — and it is by default in most pixel implementations — the pixel also attempts to hash and send any email addresses, phone numbers, or names it finds in the page source. That includes WooCommerce checkout fields.
Google Analytics 4
GA4 collects a broader behavioral dataset than most store owners expect. Automatically collected events (no configuration required) include page views, scroll depth, outbound link clicks, site search queries, video engagement, and file downloads. The measurement ID ties all of this to a persistent client ID stored in a first-party cookie.
For WooCommerce, GA4 e-commerce events add transaction IDs, item arrays with product names and SKUs, revenue values, tax, shipping, and coupon codes. GA4 also derives geographic location from IP address and stores it as a dimension — even though the raw IP is not retained after geolocation processing.
Google Ads (Tag / gtag.js)
The Google Ads conversion tag sends conversion events when specific actions occur — purchases, form submissions, phone clicks. Each event carries the conversion value, currency, transaction ID, and the Google Click ID (gclid) if the visitor arrived via a Google Ad. The tag also reads and writes the _gcl_aw cookie for cross-session attribution. Enhanced Conversions additionally hashes and sends email addresses from checkout fields to improve match rates.
TikTok Pixel
TikTok’s pixel sends a similar baseline: IP address, user agent, page URL, referrer, and TikTok Click ID (ttclid) when applicable. Standard e-commerce events carry content IDs, content type, currency, and value. TikTok’s Advanced Matching feature operates comparably to Meta’s Automatic Advanced Matching — it hashes PII from forms and sends it to improve attribution. The default data transmission for TikTok closely mirrors Meta’s — most store owners don’t realise they’ve accepted two near-identical data agreements.
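To check the inventory above against your own store, the following added example (not code from this article or from any platform vendor) audits request URLs captured from your browser's network tab and reports where a page URL, click ID or hashed identifier is being sent to a tracker. The collection hostnames and the parameter names in the sample request (`dl`, `rl`, `ud[em]`) are assumptions, and the sample itself is constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed collection hosts (not listed in the article); extend from your own capture.
TRACKER_HOSTS = {
    "www.facebook.com": "Meta Pixel",
    "www.google-analytics.com": "GA4",
    "googleads.g.doubleclick.net": "Google Ads",
    "analytics.tiktok.com": "TikTok Pixel",
}
CLICK_IDS = {"fbclid", "gclid", "ttclid"}  # click IDs named in the article
EMAIL_RE = re.compile(r"[^@\s=&]+@[^@\s=&]+\.[a-z]{2,}", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def audit_request(url):
    """Return (platform, findings) for one captured URL, or None if not a tracker."""
    parts = urlsplit(url)
    platform = TRACKER_HOSTS.get(parts.hostname)
    if platform is None:
        return None
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHA256_RE.match(value):
            findings.append((name, "hashed identifier"))
        elif value.startswith(("http://", "https://")):
            # URL-valued parameter (page URL or referrer): inspect its own query string
            for inner, inner_val in parse_qsl(urlsplit(value).query):
                if EMAIL_RE.search(inner_val):
                    findings.append((f"{name}?{inner}", "plaintext email in page URL"))
                elif inner in CLICK_IDS:
                    findings.append((f"{name}?{inner}", "ad click ID"))
        elif EMAIL_RE.search(value):
            findings.append((name, "plaintext email"))
    return platform, findings


# Constructed sample: a visitor arriving from an email campaign link (values are not real)
PAGE_URL = "https://shop.example/cart/?" + urlencode(
    {"email": "jane@example.com", "fbclid": "CONSTRUCTED123"})
SAMPLE = "https://www.facebook.com/tr/?" + urlencode(
    {"id": "0000", "ev": "PageView", "dl": PAGE_URL,
     "rl": "https://mail.example/", "ud[em]": "0f" * 32})

if __name__ == "__main__":
    print(audit_request(SAMPLE))
```

Each finding is a line item your privacy disclosure should account for, or a parameter to strip before the pixel loads.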
The Performance Tax You’re Also Paying
Each tracking script adds 50–100ms to your page load time. Run four of them — Meta, GA4, Google Ads, TikTok — and you’ve added 200–400ms of overhead before your page has finished rendering. Five simultaneous scripts create 250–500ms of avoidable load overhead, according to Google’s own Web Fundamentals benchmarks. That’s a conversion rate problem sitting right next to your privacy problem.
The Privacy Policy Problem This Creates
A privacy policy is a disclosure document. It has to accurately describe what data you collect and where it goes. If you installed your pixels via a plugin and haven’t reviewed the transmission parameters above, your privacy policy almost certainly has gaps — not because you were careless, but because the installation workflow never prompted you to think about data parameters.
52% of consumers across 48 global markets have installed or used an ad blocker — and a significant portion of them made that choice because they don’t trust what tracking does with their data. The users who haven’t blocked pixels are the ones your pixels are collecting data from. They’re also the potential plaintiffs in CIPA class actions.
The specific liability created by client-side pixels isn’t the data collection itself — it’s the disclosure gap. Courts have held that transmitting data to a third party (Meta, Google, TikTok) without clearly disclosing it to users constitutes a potential wiretapping violation under CIPA. The plaintiff doesn’t need to prove harm. They just need to prove transmission without adequate consent.
You can’t write accurate consent language for data you haven’t inventoried. That’s the practical problem this article solves: now you have the inventory.
Server-Side CAPI: The Architecture That Gives You Control
Client-side pixels collect what they want. Server-side Conversions APIs send what you configure. That distinction is the entire basis for switching architectures.
With the Conversions API (CAPI) — Meta’s server-side equivalent — events are sent from your server, not the visitor’s browser. You define exactly which parameters are included in each event. You control whether PII is hashed before transmission. You decide what constitutes a “purchase” event payload. CAPI replaces the browser pixel’s opaque, automatic collection with a transparent, configured data flow you can document in your privacy policy with precision.
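As an added illustration of that configured data flow (example code written for this page, not Meta's SDK and not any product's implementation), the builder below assembles a server-side Purchase event from an explicit allowlist, hashes the email after normalizing it, and strips the query string from the page URL. The order dictionary shape, the allowlist contents and the sample order are assumptions constructed for the example.

```python
import hashlib
import time
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist: the only custom_data keys this store has chosen to disclose and send
ALLOWED_CUSTOM_DATA = {"currency", "value", "content_ids", "content_type"}


def hash_email(email):
    """Normalize (trim, lowercase), then SHA-256, so no plaintext email leaves the server."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def strip_query(url):
    """Drop query string and fragment so campaign-link parameters are not forwarded."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def build_purchase_event(order, now=None):
    """Build one Purchase event from a hypothetical order dict; unlisted keys are dropped."""
    custom = {k: v for k, v in order["custom_data"].items() if k in ALLOWED_CUSTOM_DATA}
    return {
        "event_name": "Purchase",
        "event_time": int(now if now is not None else time.time()),
        "action_source": "website",
        "event_source_url": strip_query(order["page_url"]),
        "user_data": {"em": [hash_email(order["email"])]},
        "custom_data": custom,
    }


# Constructed sample order (values are not real)
SAMPLE_ORDER = {
    "email": " Jane@Example.com ",
    "page_url": "https://shop.example/checkout/order-received/?key=CONSTRUCTED&email=jane%40example.com",
    "custom_data": {"currency": "USD", "value": 59.90, "content_ids": ["1042"],
                    "content_type": "product", "coupon": "WELCOME10",
                    "customer_note": "leave at door"},
}

if __name__ == "__main__":
    print(build_purchase_event(SAMPLE_ORDER, now=1700000000))
```

The returned dictionary is the complete record of what this event would disclose, so it can be logged and compared directly against the privacy policy text.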
The Transmute Engine™ is a WordPress-native server-side tracking system built specifically to replace the client-side pixel stack. Instead of four browser scripts loading at page render, a single lightweight WordPress plugin (inPIPE) captures WooCommerce events and sends them via authenticated API to your own first-party Transmute Engine server — running on your own subdomain. From there, Transmute Engine routes to GA4, Meta CAPI, Google Ads Enhanced Conversions, TikTok Events API, and Klaviyo simultaneously, with full logging of what was sent and confirmed received.
The data inventory becomes defined by design. You know exactly what parameters Transmute Engine sends to each destination because you configured it. That’s the privacy policy foundation CIPA plaintiff attorneys can’t reach — not because you hid anything, but because you controlled everything.
Key Takeaways
- Every client-side pixel sends IP address, browser fingerprint, full page URL, and referrer by default — before any purchase event, before any form submission.
- Automatic Advanced Matching (Meta) and Enhanced Conversions (Google) hash and transmit PII from your checkout fields — usually enabled by default in plugin-based implementations.
- 1,500 CIPA lawsuits in 18 months target the gap between what pixels transmit and what privacy policies disclose. That gap starts with not knowing your data inventory.
- Performance costs are real: four simultaneous pixel scripts add 200–400ms of page load overhead that comes directly out of your conversion rate.
- Server-side CAPI gives you a defined, auditable data inventory. You configure what’s sent. You document it accurately. You close the disclosure gap before litigation finds it for you.
By default, the Meta Pixel captures IP address, browser fingerprint (user agent, screen resolution, language), full page URL, HTTP referrer, and any hashed PII (email, phone number) if the visitor is logged in or has interacted with a form. On WooCommerce stores, it also captures standard e-commerce events like ViewContent, AddToCart, InitiateCheckout, and Purchase along with product IDs, values, and currency.
GA4 automatically collects page views, scroll depth, outbound clicks, site search, video engagement, and file downloads. For WooCommerce, enhanced e-commerce events add product impressions, add-to-cart actions, checkout steps, and purchase data including transaction ID, revenue, items, and quantity. GA4 also sends session and user identifiers, device and browser data, and geographic information derived from IP address.
Standard client-side pixels collect IP address, browser fingerprint, operating system, screen resolution, language settings, full URL including query parameters, and HTTP referrer — all without explicit user action. On logged-in WooCommerce stores, pixels can also access hashed email addresses and user identifiers. None of this is visible to customers, which is precisely what regulators and plaintiffs target in privacy litigation.
Audit what your pixels send before someone else maps it for you in court. If you’re ready to replace the client-side stack with a server-side architecture where you define every parameter, Transmute Engine is built for exactly that.


