Facebook Login

Facebook Login

Facebook Login is a Meta OAuth authentication service that allows users to sign in to third-party websites using their Facebook account. Scripts load the Meta SDK, set cross-site session cookies for authentication, and may share login activity data with Meta.

Facebook
Part of Facebook
Back to Vendor Library

Overview

Facebook Login is Meta's OAuth-based authentication service that allows users to sign in to third-party websites and applications using their Facebook account credentials. It simplifies registration and login flows by leveraging the user's existing Facebook identity. While it serves a clear functional purpose (authentication), it loads Meta's JavaScript SDK and establishes a data connection between your website and Meta's platform that extends beyond the authentication transaction itself.

What This Script Does

Facebook Login is implemented by loading Meta's JavaScript SDK from connect.facebook.net/en_US/sdk.js and invoking the FB.login() method when the user clicks a "Log in with Facebook" button.

Authentication Flow

When a user clicks the Facebook Login button:

  1. The SDK opens a Facebook OAuth dialog (either a pop-up window or redirect to www.facebook.com/dialog/oauth)
  2. The user authenticates with Facebook and reviews the permissions your application is requesting (email, public profile, etc.)
  3. Facebook returns an authorization code or access token to your application
  4. Your server-side code exchanges this for user profile data (name, email, profile picture, Facebook user ID) through Meta's Graph API

Script and Cookie Behavior

Unlike the Like Button or Share Button, the Login SDK is typically loaded on specific pages (login, registration) rather than site-wide. However, when loaded:

  • The sdk.js script connects to connect.facebook.net and initializes with your Facebook App ID
  • The SDK checks for existing Facebook session state by reading .facebook.com cookies (c_user, xs, datr, fr)
  • If the user is already logged into Facebook, the SDK can detect this and enable "auto-login" or show a personalized login prompt with the user's name and profile picture
  • The _fbp cookie may be set on the host domain if Meta Pixel integration is active
  • fbsr_[app_id] — a signed request cookie set on your domain containing the user's Facebook session information after successful authentication. Used to maintain the Facebook login state across page loads.

Data Exchange

During the login flow, Meta receives:

  • Your application's App ID and the permissions requested
  • The page URL where login was initiated
  • The visitor's IP address and browser metadata
  • Confirmation that the user authorized your application

Your application receives (based on requested permissions):

  • The user's Facebook user ID, name, email address, and profile picture
  • Optionally: friends list, birthday, location, and other profile data depending on approved permissions

Consent & Compliance

Facebook Login is classified as functional. It serves a clear purpose: authenticating users. However, the consent analysis requires nuance because the SDK's loading behavior and Meta's data processing extend beyond pure authentication.

Under GDPR, the login itself typically relies on the "performance of a contract" or "consent" lawful basis — the user is explicitly choosing to authenticate via Facebook. However, loading the SDK before the user clicks the login button may trigger ePrivacy concerns if it sets cookies or transmits data during initialization. The recommended approach is to defer loading sdk.js until the user clicks the login button, ensuring no data is transmitted to Meta before the user initiates the authentication flow.

The data Meta receives through Facebook Login is also subject to Meta's own data processing policies. Users should be informed that logging in with Facebook shares data with Meta beyond what is necessary for authentication on your site.

Under CCPA/CPRA, the personal information exchanged during Facebook Login must be disclosed in your privacy policy. The user's decision to use Facebook Login constitutes an affirmative action, but they should understand what data is shared.

Should You Block This Without Consent?

Conditional. Facebook Login serves a legitimate functional purpose that the user explicitly initiates. The recommended approach is: do not load the connect.facebook.net/en_US/sdk.js script on page load. Instead, display the "Log in with Facebook" button as a static element, and only load the SDK when the user clicks it. This ensures no data is transmitted to Meta until the user has affirmatively chosen to authenticate via Facebook. If you load the SDK on page load (for features like auto-login detection), consent should be obtained first.

Visit website

Consent Categories

Functional

Also Known As

facebook loginmeta loginfacebook oauthsocial login consentfacebook login cookiesmeta sdk privacy

Industries

Computers Electronics and TechnologySocial Networks and Online Communities

Tracked Domains (1)

login.facebook.comFunctional

Frequently Asked Questions

Is consent required for Facebook Login?

Conditional. Facebook Login is classified as functional — users explicitly initiate the authentication. However, loading the SDK on page load (for auto-login detection) triggers ePrivacy concerns. The recommended approach is to load connect.facebook.net only when the user clicks the Login button, not on page load.

What data does Facebook Login collect?

During the OAuth flow, Meta receives your App ID, the page URL, visitor IP, and browser metadata. It reads existing facebook.com cookies (datr, fr) during SDK initialization. After login, fbsr_[app_id] is set on your domain to maintain Facebook session state. Your app receives the user's name, email, and Facebook user ID.

How does ConsentStack handle Facebook Login?

ConsentStack classifies Facebook Login as functional. It recommends deferred SDK loading — displaying a static Login button that triggers connect.facebook.net only on click. ConsentStack does not block Login pages by default but flags any configuration where the SDK loads on page load before user interaction.

Other Facebook Products

Instagram
Instagram
Instagram tracking scripts support conversion measurement for Meta advertising campaigns running on Instagram. Scripts fire on advertiser websites to capture click-through and view-through conversions from Instagram ad placements. Collected data flows into Meta Ads Manager for attribution reporting and audience building.
Meta Pixel
Meta Pixel
Meta Pixel (formerly Facebook Pixel) is a conversion tracking and audience-building tool used by advertisers running campaigns on Facebook and Instagram. Scripts fire events on advertiser websites when users complete actions like purchases or form submissions. Collected data is used for ad targeting, retargeting, and conversion attribution.
Facebook Comments
Facebook Comments
Facebook Comments is a Meta social plugin that embeds a comment system on external websites. Scripts load the Meta SDK, set Facebook tracking cookies on page load, and send engagement data to Meta regardless of whether visitors interact with the widget.
Facebook Like Button
Facebook Like Button
Facebook Like Button is a Meta social plugin that embeds a like and react button on external websites. Scripts load the Meta SDK and set Facebook tracking cookies on page load regardless of visitor interaction. Browsing data may be shared with Meta for ad targeting purposes.
Facebook Share Button
Facebook Share Button
Facebook Share Button is a Meta social plugin that lets visitors share web content to their Facebook feed. Scripts load the Meta SDK and set cross-site tracking cookies on page load, enabling Meta to track visits and attribute browsing behavior for advertising purposes.
Instagram Feed
Instagram Feed
Instagram Feed embeds allow websites to display Instagram posts and media galleries. Scripts load Meta's Instagram embed code, set tracking cookies, and send interaction data to Meta. Visitor browser data may be shared with Meta on page load regardless of whether visitors interact with the content.

Related Vendors

Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Search
Google Search
Google Search appears on websites through the Programmable Search Engine, enabling custom site-specific search functionality. Scripts load the search widget from Google's servers to render search bars and display results within the host website. Sends search queries to Google's index and may set cookies for search personalization and query history.
Google Maps
Google Maps
Google Maps is the dominant web mapping service used for embedded maps and location features on websites. Scripts load interactive map tiles, geocoding, and Places API functionality through the Maps JavaScript API. May set cookies to remember map preferences and manage API quota.
Microsoft Teams
Microsoft Teams
Microsoft Teams is a workplace communication and collaboration platform that can be embedded on websites for chat, meetings, and document sharing. Embedded widgets load from Microsoft's servers to enable real-time messaging, video calls, and file collaboration. Sets authentication and session cookies to verify participant identity and maintain connection state.
Apple Business Chat
Apple Business Chat
Apple Business Chat enables direct customer messaging between websites and Apple's Messages app. Scripts load chat buttons and conversation interfaces that connect visitors to business support agents through iMessage. Sets minimal session cookies to maintain conversation context but does not track browsing behavior or collect analytics data.
Apple Maps JS
Apple Maps JS
Apple Maps JS is Apple's JavaScript mapping framework for embedding interactive maps on websites. Scripts load map tiles, location pins, and routing data from Apple's MapKit servers to render navigable maps within web pages. Requires a MapKit JS token for authentication but does not set tracking cookies or collect behavioral analytics data.

Manage consent for Facebook Login

ConsentStack automatically detects and manages Facebook Login trackers so your site stays compliant with global privacy regulations.

Get started free