Gianna Jiang, Privacy Engineering Consultant
In a world driven by technology, where ads seem to follow you around the internet, have you ever wondered how it all works? Buckle up, because we’re about to uncover the new secret sauce of targeted advertising in the digital age. Say hello to the Conversions Application Programming Interface (“CAPI”), which is changing the game for advertisers and consumers alike. But before you take the leap into using CAPIs to meet your business and professional goals, you need to understand the potential privacy risks, and what you can do to comply with applicable legal and regulatory requirements.
Intro to CAPIs + History of Tracking Technology
What is a CAPI?
Within the ever-evolving landscape of digital marketing, the art of tracking user interactions and conversions has become a cornerstone for optimizing campaigns and unlocking valuable returns. CAPIs are an increasingly popular tool for this, as they function as a vital bridge connecting marketing platforms with invaluable troves of user data. CAPIs facilitate in-depth analysis, ad personalization and optimization, to provide marketing professionals with a continuous stream of real-time, reliable insights, enabling them to make informed decisions about their potential audience, unlike the inconsistent (and potentially deprecated) third party cookies.
How Do CAPIs work?
Picture this: you’re a marketer, and you’ve decided to invest in Facebook ads to expand your reach and drive conversions. Now, let’s unveil the magic behind the scenes – the Facebook CAPI. The CAPI creates a direct connection between marketing data from your server and Facebook’s server, where the Facebook Ad Manager is housed.
After setting up the Facebook CAPI, when a Facebook user clicks on your ad, this user’s journey takes on a new dimension. As they are directed to your website, their interactions with the ads as they view webpage content, sign up for newsletter, register for events or subscribe to a service, become accessible for future analysis. The record of these interaction provides valuable data that can be used for various purposes, including:
- Ad Targeting. Enabling the creation of targeted campaigns, custom audiences, and retargeting strategies);
- Ad Reporting. Offering insights into ad performance, aiding in refining advertising strategies);
- Audience Insights. Enhancing understanding of the audience’s behavior and preferences);
- Dynamic Advertising. Leveraging real-time data and automation to deliver highly personalized and relevant content to individual users); and,
- Conversion Optimization for ads. Fine-tuning ad campaigns for improved conversion rates).
Regulatory and Industry Developments
In recent years, marketers have relied heavily on third-party cookies for cross-site tracking which allowed advertisers to piece together user behavior across various websites. This approach provided a comprehensive view of user behavior for advertisers, however, it raised significant privacy concerns and led to increased scrutiny from regulators and browser developers. In response, regulators and other industry players began to require or recommend that certain capabilities be offered to users:
- European Regulations: The EU was at the forefront of monitoring and regulating processing of personal data on digital properties when it enacted the ePrivacy Directive. As one of the first directives or regulations of its kind, it requires that organizations obtain explicit opt-in consent before collecting personal data from a site visitor, particularly via tracking technologies.
- State Regulations: Individual state laws  and state enforcement actions require that consumers have the right to opt-out of tracking technologies that may be interpreted as a sale or sharing of consumer personal information for targeted advertising purposes. In addition, some states further require that organizations honor any universal opt-out mechanisms that the user may have enabled on their browser (i.e., Global Privacy Controls or “GPC”).
- Web Browsers: Some web browsers (e.g., Firefox, DuckDuckGo) have implemented cookie-blocking capabilities, such as GPC, to give users more control over their digital footprints.
- Masking Tools: Ad Blockers and other related tools joined the party, playing hide-and-seek with pixels and cutting down the amount of data available to marketers and advertisers.
- Organizations: Apple’s iOS 14.5 update threw more hurdles with a stricter opt-in model for ad tracking, raising the challenges businesses face in collecting user data for targeted ads. The limitations on third-party cookies and the App Tracking Transparency (ATT) framework also add complexities to data tracking and analytics, requiring advertisers to adapt their strategies to navigate this evolving privacy landscape.
As a result, the implementation of third-party cookies has become a minefield of regulatory and technological requirements and – even where implemented correctly – may not result in the same level of accuracy due to the low volume of opt-ins or high volume of opt-outs. As such, advertising platforms have pivoted and are adapting their tracking mechanisms to rely more on first-party cookies and other privacy-compliant technologies. This is where cutting-edge technologies like CAPIs come in.
Highlighting the Difference Between CAPIs and Pixels
A big question marketing, privacy and legal teams are asking is, “how do CAPIs pull off their magic without using third-party cookies? What sets it apart and makes it the trailblazer in this ever-evolving digital landscape?” Let’s uncover the secrets.
It’s important to understand that pixels are a browser-side tool and CAPIs are a server-side tool. This means that instead of tracking a customer’s browser using pixels that rely on cookies (“browser pixel events”), the CAPI enables conversion tracking directly through the marketer’s website’s server (“server events”).
That makes CAPIs very appealing because they operate independent of cookies or tracking technologies and their tracking capabilities aren’t impacted by a consumer’s browser or opt-out settings. Additionally, without the use of tracking technologies, certain uses of CAPIs may not be subject to the same stringent regulatory requirements as cookies.
CAPI Privacy Risks in the US and the EU
Despite CAPIs unique characteristic of leveraging technologies that circumvent browser-based opt-out or blocking technologies, scrutiny can be anticipated from regulators and privacy advocates. From a privacy perspective, risks associated with using CAPIs may include:
- Cross-site tracking: As CAPIs allow tracking from the server side, concerns may be raised about the potential for the aggregation of user data from various sites, leading to a more detailed and potentially intrusive user profiling.
- Transparency and Choice: Provision of appropriate notice and an actionable option to opt out can be challenging with server-to-server tracking methods.
- Data Accuracy and Reliability: CAPIs rely on server-to-server communication, which may not always be as accurate as browser-based tracking methods.
- Data Retention and Deletion: Questions may be raised by data subjects and regulators regarding retention periods and the duration for which personal data generated and stored by CAPIs may be stored.
US Compliance Considerations
- Opt-Out Functionality: In the US, state privacy regulations provide consumers (i.e., site visitors) with the right to opt out of the sale of their personal information or the use of their personal information for targeted advertising. Since personal information shared through CAPIs and the corresponding pixel is expressly being used to enable stronger targeted advertising and is being sent to a server such as Facebook’s, it would almost certainly be considered “sharing” by regulators and would therefore be subject to consumer opt-out requirements. To comply with the individual state requirements to opt users out of the sharing of their personal information, marketers should have a process in place to accept and honor consumer opt-outs. Depending on the server and CAPI configuration, this may be accomplished through manual opt-out requests (i.e., do not sell webform), however there are also emerging technologies (plug-ins and certain privacy platform solutions) that connect on the back end to provide real-time consumer opt-outs for sharing through CAPIs.
- Data Minimization: Certain CAPIs permit the organization to determine what data elements are shared or accessible from their server to the downstream server. Where applicable, marketers should evaluate the minimum amount of consumer personal information necessary to meet their needs and ensure that the CAPI is configured to share only the limited data elements.
- Transparency: Most state regulations that address the consumer’s right to opt out of the sale or sharing of their personal information also require a level of transparency around the organization’s use of personal information and consumer’s rights. As such, details around the sharing of consumer personal information should be clearly stated in the privacy or cookie notice to meet transparency requirements.
EU Compliance Considerations
- Legal Basis: In the EU, the GDPR requires organizations to identify a lawful basis before processing data subject (i.e., site visitor) personal information. One of those legal bases is legitimate interest, where an organization can process data subject personal information if they can identify a legitimate business use that is not outweighed by the rights and interests of the data subject. GDPR Recital 47 states that organizations have a legitimate interest in direct marketing . Since the personal data shared through the CAPI is collected through server-side tracking and it is utilized for marketing purposes, marketers may rely on legitimate interest in the server-to-server transfers of data from the CAPI.
- Data Minimization: Similar to the US, marketers should evaluate the minimum amount of consumer personal information required to meet their needs and ensure that the CAPI is configured to share only the limited data elements. How much data is shared and how much of the API functionality is used are factors that should be considered when determining the level of risk your organization is taking on.
- Legitimate Interest Assessment: Where marketers are relying on legitimate interest to share personal data through the server-to-server CAPI, a Legitimate Interest Assessment (“LIA”) should be completed and documented. The LIA should demonstrate that marketers’ interest in the marketing activities are not infringing upon the privacy rights of data subjects by describing the legitimate interest, why the processing is necessary, and balancing the business needs against the rights of the data subject.
- Opt-in Cookie Consent: Under the ePrivacy Directive, organizations must obtain opt-in consent in order to place non-essential tracking technologies on an EU data subject’s browser. CAPIs function best when accompanied by the corresponding pixel or tag, so if marketers want to place these tracking technologies they must ensure that the EU sites have a compliant cookie pop-up that obtains data subject consent before placing the pixel. The pop-up should offer site visitors with the option to provide granular consent, meaning that they can select to opt-in only to certain categories. Pixels associated with the CAPI should be categorized as targeting tracking technologies. If the site visitor chooses not to opt-in, the pixel may not be placed. Where the site visitor has provided consent, the site visitor should have an option to opt-out and turn off the pixel at any time. Alternatively, a “Server-Only Implementation ” may be implemented, which sends events through the CAPI without using pixels. In this setup, the server retains the ability to capture events that might be missed by the browser (pixel), such as purchases on a separate website, lead conversions, or phone calls. Moreover, the Conversions API empowers marketers with enhanced control over the data they choose to share. This means they can selectively append insights to their events, incorporating details like product margins or historical information such as customer value scores. However, it’s essential to note that the functionalities of the Conversions API and pixels can overlap and complement each other. While the Server-Only Implementation provides valuable control, it does have limitations. Page view events, pages viewed, time spent, mouse hover, scroll, and certain mouse clicks, may not be directly captured in this implementation mode
- EU Privacy Notice Updates: The consumer-facing privacy notice and cookie notice should be updated to clearly notify the consumer about the use of CAPIs to share their personal information. The notice updates should include details about the CAPI in all relevant sections including sections on data sharing and legal basis.
- Conversions API: CAPIs are an emerging tracking tool that facilitates server-side tracking, allowing data to be sent directly from a website’s server to platforms like Facebook or Pinterest. It offers an alternative to traditional browser-based tracking methods, providing a more reliable way to capture user interactions.
- History of Tracking Pixels and the Third-party Cookies: Tracking pixels, commonly used for browser-based tracking, have faced challenges due to increasing privacy concerns and browser restrictions. The phase-out of third-party cookies has accelerated the need for alternative tracking methods like CAPIs.
- Risks of Using CAPIs: While CAPIs deliver the capability to utilize various technologies that can bypass browser-based opt-out or blocking mechanisms, the handling or sharing of personal information still presents privacy concerns and associated risks, including integration challenges, cross-site tracking, user consent and transparency, etc.
- Marketers’ Compliance Measures: In compliance with US regulations, marketers utilizing CAPIs should consider data minimization strategies and incorporate opt-out functionality to align with state requirements. For the EU, data minimization remains crucial, alongside the identification of a legal basis and completion of Legitimate Interest Assessments when relying on Legitimate Interest as the legal basis for processing. Where required, marketers are encouraged to obtain opt-in consent through compliant cookie pop-ups, allowing granular choices, and update privacy notices to inform consumers about CAPI use, ensuring transparency in data sharing practices.
 As of December 2023, the list of states with privacy laws in effect that require opt-out include California, Virginia, Connecticut, Colorado, and Utah.
 The use of legitimate interest for targeted advertising under the Recital 47 exemption for marketing purposes is remains unsettled in the EU. On October 27, 2023, the EDPB issued an urgent binding decision banning Meta from processing personal data for the purposes of behavioral advertising.
 Meta, ‘Conversions API End-to-End Implementation’, last modified 2023, https://developers.facebook.com/docs/marketing-api/conversions-api/guides/end-to-end-implementation/.