🔎 Isolate the bug
As per this thread in the forums:
https://wordpress.org/support/topic/cookies-being-set-before-customer-consent/
The Facebook for WooCommerce plugin sets the _fbq cookie before consent is granted with standard cookie-consent plugins. This removes the ability of the visitor to deny consent to Facebook tracking.
This issue will cause companies who are audited by ICO to fail the audit and potentially face a fine.
The reporting merchant included this information about a potential fix:
To resolve this issue, we had to hardcode the following changes
- Remove noscript
- Added `fbq('consent', 'revoke');`
- Added `window.addEventListener('CookiebotOnConsentReady',function(e){ fbq('consent',Cookiebot.consent.marketing?'grant':'revoke')},!1)`

In `WC_Facebookcommerce_EventsTracker` we need to be able to remove the actions, and add our own, or we need to be able to edit the output from those two functions
```php
add_action( 'wp_head', array( $this, 'inject_base_pixel' ) );
add_action( 'wp_footer', array( $this, 'inject_base_pixel_noscript' ) );
```
- I have confirmed this occurs in the most recent version of WordPress, WooCommerce, and Facebook for WooCommerce.
- [x] I have confirmed this occurs when only WooCommerce and Facebook for WooCommerce are active and when using a default WordPress or WooCommerce theme.
There is an existing report on this from back in 2024:
#2748
However, opening this fresh issue to bring fresh attention to this problem. It's a major security issue.
Note that on the forum thread, Facebook support indicates that this issue is "being worked on" but there is no ETA for a fix. Can we get an update on this, especially as it has been a known issue since May 2024?
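
The command ordering that the merchant's fix relies on can be checked outside a browser. This is an added example, not part of the original issue or the plugin's code; `makeFbqStub`, `bootstrapPixel`, `auditQueue` and `demo` are hypothetical names, `EventTarget` stands in for `window`, and the pixel ID is a placeholder.

```javascript
// Added example: not code from the plugin or from the reporting merchant.
// Stand-in for the Pixel's fbq stub, which queues commands until fbevents.js loads.
function makeFbqStub() {
  const queue = [];
  const fbq = (...args) => { queue.push(args); };
  fbq.queue = queue;
  return fbq;
}

// Consent-gated bootstrap in the order the merchant's fix describes:
// revoke first, then init/track, then follow the Cookiebot decision.
// `target` is window in a browser; `getConsent` returns Cookiebot.consent.
function bootstrapPixel(fbq, pixelId, target, getConsent) {
  fbq('consent', 'revoke');
  fbq('init', pixelId);
  fbq('track', 'PageView');
  target.addEventListener('CookiebotOnConsentReady', () => {
    fbq('consent', getConsent().marketing ? 'grant' : 'revoke');
  }, false);
}

// Audit helper (hypothetical): flag init/track commands queued before any
// explicit consent command, which is the ordering the issue reports.
function auditQueue(queue) {
  const problems = [];
  let consentSeen = false;
  queue.forEach(([cmd], i) => {
    if (cmd === 'consent') consentSeen = true;
    else if ((cmd === 'init' || cmd === 'track') && !consentSeen) {
      problems.push(`command ${i} (${cmd}) queued before any consent call`);
    }
  });
  return problems;
}

// Constructed demo: EventTarget stands in for window, the ID is a placeholder.
function demo(marketing) {
  const fbq = makeFbqStub();
  const target = new EventTarget();
  bootstrapPixel(fbq, '000000000000000', target, () => ({ marketing }));
  target.dispatchEvent(new Event('CookiebotOnConsentReady'));
  return { problems: auditQueue(fbq.queue), last: fbq.queue[fbq.queue.length - 1] };
}
```

Running `auditQueue` over a queue that starts with `init` and `track` reports both commands, which is the ordering described in this issue.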