How it works technically<\/h2>\n\n\n\n
The advertising pixel script scans HTML pages and searches for form fields that look like email, phone, name, address, or zip code. It detects this based on attributes such as Once the user submits the form (or in some cases just leaves the page), the pixel hashes the values from these fields using SHA-256 and sends them to the platform’s server. The platform then compares the hash with its database \u2014 if it finds a match, it knows that user X filled out the form on your website.<\/p>\n\n\n\n TikTok goes even further \u2014 its Automatic Advanced Matching<\/a> not only scans form fields, but also static text on the page (such as the logged-in user’s displayed email) and selected JavaScript variables such as This is not a marginal issue. In some form, it is a standard feature of all major advertising platforms. For each one, I list what the feature is called, what it collects, and\u2014most importantly\u2014whether it scans forms automatically and whether it is enabled or disabled after creating an account.<\/p>\n\n\n\n “Automatic Advanced Matching” feature<\/strong><\/p>\n\n\n\n Pixel searches forms and collects email, phone number, first and last name, city, state, postal code, country, date of birth, gender, and external ID. By default, this feature is disabled<\/strong>\u2014you must actively enable it in Events Manager (Data Sources \u2192 Pixel \u2192 Settings). Companies in “restricted industries” (banking, insurance, pharmaceuticals, healthcare) cannot use automatic pairing at all and must resort to the manual option.<\/p>\n\n\n\n \u201eUser-Provided Data” function (in GA4) \/ \u201eEnhanced Conversions” (in Google Ads)<\/strong><\/p>\n\n\n\n In GA4, this feature is called “User-provided data collection,” and in Google Ads, it is called “Enhanced Conversions.” The Google tag can automatically detect data that looks like an email address, phone number, or name and address. By default (after creating an account), it does not send data, even though it may appear to do so.<\/p>\n\n\n\n To turn it on, you need to:<\/p>\n\n\n\n If both conditions are met, the parameters Funkce \u201eAutomatic Advanced Matching”<\/strong><\/p>\n\n\n\n Pixel automatically identifies form fields<\/a>, hashes and collects emails, phone numbers, names, addresses, and other identifiers. TikTok goes the furthest of all \u2014 it scans not only forms, but also static text on the page (e.g., the displayed email of a logged-in user) and JavaScript variables such as By default, the feature is disabled \u2014 it can be enabled in the pixel settings in Events Manager. And, unsurprisingly, TikTok marks the feature as recommended.<\/p>\n\n\n\n \u201eAutomatic Enhanced Match” function<\/strong><\/p>\n\n\n\n Pinterest tag collects emails, names, phone numbers, gender, birth dates, external IDs, cities, states, zip codes, and countries.<\/p>\n\n\n\n When you create a new tracking tag, “Enable automatic enhanced match” is enabled <\/strong>by default. Unless someone checks this, form scanning runs from day one.<\/p>\n\n\n\n I consider this to be the biggest dark pattern of all the platforms mentioned. A platform full of fashion and cakes, yet with a data appetite like Meta after three days of fasting.<\/p>\n\n\n\n Not all platforms scan forms automatically. Some only allow manual user linking\u2014you have to submit personal data to the platform in the source code. In my opinion, this is a better option\u2014you have control over what you send and can monitor all the necessary data.<\/p>\n\n\n\n Google Tag Manager works with several levels of consent \u2014 This can lead to a situation where the platform “takes” personal data without consent<\/strong> after the pixel is triggered.<\/p>\n\n\n\n Unsurprisingly: turn everything on. Every platform emphasizes in its documentation that the more data you send, the better the matching, attribution, and campaign performance will be. Meta recommends “enabling all parameters.” TikTok says “use manual and automatic matching at the same time.” Google offers “automatic detection” as the easiest way.<\/p>\n\n\n\n From the platform’s perspective, this makes sense \u2014 more data = better machine learning = better ad results. From the perspective of the website operator and GDPR compliance, it’s more complicated.<\/p>\n\n\n\n The issue here is not whether these technologies are “bad.” The issue is that they run automatically, and many website operators are unaware that personal data is being collected from forms on their sites and sent to third parties.<\/p>\n\n\n\n Consider a few things:<\/p>\n\n\n\n Awareness<\/strong>. Do you know which pixels on your website scan forms? Do you have an overview of what data they send? If you use Google Tag Manager and have pixels from five platforms, it is quite possible that each of them collects data in its own way.<\/p>\n\n\n\n Control<\/strong>. Automatic scanning is convenient, but it takes away your control. Pixel decides for itself what looks like an email or phone number. It can even collect data that you didn’t want to share \u2014 such as a customer support email address displayed on a page, as one implementation expert points out.<\/p>\n\n\n\n Legal responsibility<\/strong>. Under GDPR, you are responsible for the processing of personal data on your website. “We didn’t know, the pixel did it itself” is not a defensible position. The Austrian Data Protection Authority has already ruled that the use of Meta Pixel without prior consent violates GDPR.<\/p>\n\n\n\n Visitor trust<\/strong>. Your customers fill out a form expecting that your company will receive their data. Not Google, Meta, TikTok, and Pinterest all at once.<\/p>\n\n\n\n I’m not saying you should turn everything off. I’m saying: make a conscious decision.<\/p>\n\n\n\n Do a pixel audit on your website. Go through the settings of each platform and check if you have automatic form scanning enabled that you might not even know about. For Google Tag, check the “Allow user-provided data capabilities” setting. For Meta, look at Automatic Advanced Matching in Events Manager. For Pinterest, verify\u2014especially if you’re a new advertiser\u2014that the default settings align with your intentions.<\/p>\n\n\n\n Make sure your consent management actually controls pixel loading. Having a cookie banner isn’t enough\u2014it must really block scripts until consent is given.<\/p>\n\n\n\n And most importantly: consciously decide who you want to send what data to and how. Instead of automatic scanning where you have no control over what the pixel collects, consider manual implementation (manual advanced matching), where you explicitly define what data is sent and on what action. Or use Conversion API \/ server-side solutions, where you have full control over what leaves your server.<\/p>\n\n\n\n There’s a difference between “we send the hashed email of a customer who completed an order and agreed to the terms” and “the pixel automatically scans all forms on the site and sends whatever it finds.”<\/p>\n\n\n\ntype=\"email\"<\/code>, type=\"tel\"<\/code>, or field names and placeholders (e.g., name=\"phone\"<\/code>, placeholder=\"Your email\"<\/code>).<\/p>\n\n\n\nwindow.dataLayer<\/code>.<\/p>\n\n\n\nWhich platforms are affected?<\/h2>\n\n\n\n
Meta (Facebook\/Instagram)<\/strong><\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.sabatka.net\/wp-content\/uploads\/2026\/02\/form-scanning-meta-1024x523.png\")
<\/figure>\n\n\n\nGoogle<\/strong><\/h3>\n\n\n\n
\n
This setting is enabled by default.![\"\"](\"https:\/\/www.sabatka.net\/wp-content\/uploads\/2026\/02\/form-scanning-ga4-1-1024x659.png\")
<\/li>\n\n\n\n
Here, you need to enable User-provided data collection.![\"\"](\"https:\/\/www.sabatka.net\/wp-content\/uploads\/2026\/02\/form-scanning-google-2-1024x285.png\")
<\/li>\n<\/ol>\n\n\n\nem <\/code>(with email hash), ecid<\/code> (matching identifier), and ec_mode=a<\/code> (detection mode, where a means automatic detection) will be added to requests to GA4.<\/p>\n\n\n\nTikTok<\/strong><\/h3>\n\n\n\n
window.dataLayer<\/code>.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.sabatka.net\/wp-content\/uploads\/2026\/02\/form-scanning-tiktok-1024x373.png\")
<\/figure>\n\n\n\nPinterest<\/strong><\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.sabatka.net\/wp-content\/uploads\/2026\/02\/form-scanning-pinterest-1024x571.png\")
<\/figure>\n\n\n\nManual user matching<\/h2>\n\n\n\n
\n
Cookie bars and consent settings<\/h2>\n\n\n\n
ad_storage<\/code>, analytics_storage<\/code>, ad_user_data<\/code>, and ad_personalization<\/code>. Advertising pixels are typically triggered based on ad_storage<\/code> (sometimes in combination with ad_personalization<\/code>). However, the transfer of personal data falls under ad_user_data<\/code>.<\/p>\n\n\n\nWhat do the platforms recommend?<\/h2>\n\n\n\n
Why you should care<\/h2>\n\n\n\n
What to do<\/h2>\n\n\n\n