Meta Ads not working for Health Wellness Brands!!!!
The digital advertising landscape is constantly shifting, and recent changes from Meta have created significant challenges for businesses, particularly those in the health and wellness sector. Meta is cracking down on the collection and sharing of sensitive user data and it is critical for businesses to understand what this means for them and how to stay compliant while maintaining their ad performance.
But this is not just for the Health & Wellness businesses alone. It’s for all those who fall under the restricted businesses category under the Core Setup.
In this blog, we’ll delve deep into these changes such as the Custom events being restricted (that’s not what’s really happening though), explain the reasoning behind Meta’s moves, and, most importantly, provide concrete steps you can take to navigate this new landscape.
This blog is the outcome of my research across Meta’s documentation and expert statements, and of an interview with Vishnu Vankayala, CEO and Founder of CustomerLabs 1PD Ops, a leading expert in data privacy and first-party data strategies. Vishnu and I have been closely observing this evolving landscape and offer practical solutions for performance marketers and businesses of all sizes through tech that makes it very easy for marketers.
The Core Issue: Why the Restrictions?
Vishnu starts by explaining that these restrictions stem from Meta’s growing need to address data privacy and comply with legal regulations. He also emphasizes that this is not something new that came up in 2025. The root cause behind all of this points at the Core Setup. It has been in place since July 2023, and is trying to reduce how much information Meta stores, processes and handles.
We’ve spoken about it in a gist in our blog Health and Wellness Ads: Meta’s New Restrictions (The Fix)
Here’s a breakdown:
Sensitive User Data:
Meta is cracking down on the sharing of sensitive user data, namely Personally Identifiable Information (PII) and Protected Health Information (PHI).
- PII (Personally Identifiable Information): This is data that can be used to identify an individual directly or indirectly.
- PHI (Protected Health Information): This is data related to an individual’s health or medical conditions.
HIPAA Compliance:
One of the core reasons for Meta restricting sensitive user data is the importance of HIPAA, GDPR and CCPA compliance, which is making Meta and other platforms restrict how they collect user information. These regulations dictate that platforms cannot share health information, even if the user has consented for general purposes such as advertising.
Meta is proactively avoiding potential lawsuits by restricting the handling of health-related user information. There has recently been a series of lawsuits in the US against entities sharing PHI, and therefore Meta has to be compliant.
Meta’s Shift
Meta’s aim is to reduce any legal liability. For Meta, this means a shift: they want to avoid legal trouble and clearly define what data they store, process, and handle. If you have been observing Meta’s moves, the launch of the Conversions API and the push for advertisers to use both the pixel and CAPI together serve the same purpose. Meta has made it clear that it is just an advertising platform, not a tool for collecting data.
The Meta Pixel: How It Works and What’s Changing
The Meta Pixel, a small piece of code embedded on websites, traditionally tracks various user interactions (page views, content views, etc.). The pixel collects not only page views but is also said to collect content IDs, parameters, and even details from the URL, which can contain sensitive information. For example, a user browsing “natural pregnancy kits” can be tracked using the Meta Pixel. This data is stored in Meta’s database, and Meta can easily identify who the user is.
Meta’s User Understanding – With complete privacy
With the above information tracked, Meta connects user actions across devices and makes informed decisions about the user’s preferences. Meta learns about users and their potential preferences, including their personal health information, which is against the data privacy policy of many regulations. Therefore, Meta doesn’t want to collect this data, leading to it being restricted. The goal of Meta’s ad platform is to improve campaign performance by building a user profile based on the tracked user actions and parameters, not to invade a user’s privacy and get all their health details.
Restrictions to Businesses by Meta: A misunderstood concept
While Meta’s intentions may be good, Vishnu points out a clear miscommunication in this aspect. The platform is not restricting advertising as a whole for the healthcare and wellness industry, but rather the sharing of PII (without SHA256 hashing) and PHI. This limitation does affect ad performance. Meta has not clearly communicated how businesses can use the platform while being compliant, leading many healthcare and wellness brands to assume that they cannot run ads anymore. However, there’s a workaround for this, which we’ll discuss further.
The Impact on Performance Marketers
- Performance Impact: It’s clear that the restrictions impact performance marketers the most, as optimizing for lower-funnel events like purchases becomes a major challenge.
- Not the End of the World: Vishnu insists that this should not be the end of the world. Businesses will still be able to advertise if they understand the core setup and take measures accordingly.
- Privacy and Awareness: While it is important to respect user privacy, it is also very important for businesses to share and create awareness about products that can benefit their users.
- Finding Solutions: Performance marketers must now understand how to carefully set up systems to continue to get performance, while still respecting user privacy.
Complying with Meta’s recent recommendations has another positive impact on businesses: providing complete privacy to users by using their health data effectively without sharing it with any third-party platform, including Meta.
Another thing performance marketers are noticing in their Events Manager is the approval option and the review of event data sent.
Meta’s “Approval” Option: What Does It Mean?
Meta is allowing businesses to approve custom events, but the onus is on them to verify their data. For performance marketers and businesses, this means every single data point shared with Meta must be thoroughly verified and then submitted to Meta for review/approval.
Vishnu views this “approval” approach as a way for Meta to shift responsibility. Instead of collecting data indiscriminately, Meta puts the onus on businesses to collect and send only clean and compliant data.
Now, when we say data, it is beyond the user’s details. It also includes the content on your website, the URL slug, and more.
Meta expects business owners to be more responsible and not send sensitive parameters like the entire URL, because the URL slug might contain health-related information. For example, /appointment-booked-cardiology might convey heart-related information about the user.
Meta expects only the domain name to be sent, and any PHI in the URL slug must be held back. If instead you stick to the quick fix most marketers are suggesting, running ToFu events alone for Health/Wellness brands, you are missing out on the basic logic of how Meta’s algorithm learns.
A Step-by-Step Approach to Compliance
Vishnu walks through the steps a business must follow to be compliant with the core setup and still run ads, even if you’re a healthcare and wellness brand. He emphasizes the need to understand the learning models and how they’re built. This is a key to understanding how to be compliant.
Making the Custom Event Clean
The event data passed on to Meta must not contain any personal health-related information, and to do that, we must ensure the below.
Generic Event Names
Use generic, non-descriptive names for custom events. For example, instead of purchase_vitaminc_tablets or appointment_booked_cardiologist, use a code that only you understand, such as pur_vc or apt_crd.
Domain Only
Send only the domain name (e.g., “yourwebsite.com”), not the full URL, because the URL slug might contain health-related or other sensitive information.
Hashing
Hash any sensitive user data (PII – Personally Identifiable Information), including email address, phone number, etc., with SHA256 before sending it.
Minimal Parameters
Remove context from custom event parameters; only include essential information like currency and value. Do not include any parameters that may give PHI context to the user’s details. This ensures you are in line with the core setup.
Meta expects the data to be sent in a clean format. Using the above steps, you can still pass custom event data even under core setup restrictions on your Meta Ad account.
With this being said, you have to consider how to go beyond these restrictions and adapt to the new normal – the first-party data ops, or the 1PD Ops.
The First-Party Data Imperative
First-party data is crucial and helps your business earn more trust from your customers. In addition, brands deploying all four sophisticated activations of 1PD have achieved a 2.9X higher revenue uplift.
Control Over Data
Businesses should prioritize collecting and handling their own first-party data while removing context that can be used to identify and analyze the user’s information or health condition. Meta wants businesses to send only the necessary data, not the entire data payload. Once you have this control and ownership over your data, things become smoother even if your Ad account is restricted.
Compliance and Privacy
Complying with data privacy laws is essential, especially with GDPR, CCPA, HIPAA and various other data privacy regulations governing the Ad platforms. With first-party data (1PD), you can stay in compliance with these regulations, because you collect the user’s data with consent and use it only for your business, not share it with others.
Restrictions are Coming For All, So be cautious!
Vishnu warns that if a business does not yet see any restrictions, it should expect them to be implemented soon. We have already seen that the Finance (BFSI) industry is also impacted, as it holds certain sensitive data of users.
Understand your audience behavior
First-party data helps you understand & analyze your audience behavior and accordingly act to convert them at a later stage. For example, people who have visited more than 3 pages on your website, and spent a decent amount of time but did not make a purchase or take any action, might have dropped because of some other reason. It might be because some notification popped up on WhatsApp or they got a call or something else. So, when you understand this behavior of your users, you can retarget them with relevant messaging.
Tag Governance & Data Clean Rooms:
- Tag Governance: Vishnu highlights the importance of tag governance. A business must have control over which data it sends and which it does not, and no tag that collects data should push it directly to the ad platform without the business explicitly allowing that data through.
- Zero Trust Policy: Vishnu recommends implementing a zero-trust data sharing policy, where, by default, all data is restricted, and only explicitly allowed data is sent, for purposes of staying compliant.
- Data Clean Rooms: These should also be explored to ensure data is cleaned and compliant before being sent to ad platforms; this covers the same ground we discussed under tag governance.
Here is an example of how you can collect your user data.
There are two data samples to notice: 1. the event data collected from your website or any other source, and 2. the event data requested by the destination, in this case Meta.
Event collected data
```json
{
  "event_from": "website",
  "p1": "FS_ALL",
  "p2": {
    "additional_info": {
      "browser": "Chrome 132",
      "continent": "Asia",
      "country": "XXXXXX",
      "ip_address": "###.xx.xx.xxx",
      "latitude": "xx.xxxxxx",
      "longitude": "xx.xxxxxx",
      "mobile_desktop": "Other",
      "platform": "Windows 10",
      "postal_code": "111111",
      "screen_size": "1280 x 720",
      "time_zone": "xxxx/xxxx",
      "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"
    },
    "browser": "Chrome xxx",
    "browser_language": "en-US",
    "city": "xxxxxxxxx",
    "continent": "xxxx",
    "country": "xxxxxxxxxx",
    "cuid": "undefined",
    "enabled_integrations": [
      "google_adwords_####",
      "google_analytics_gtag_####",
      "google_sheets_####",
      "bigquery_####",
      "facebook_####"
    ],
    "env": "app",
    "event": "FS_ALL",
    "event_datetime": "2025-01-25T10:57:02Z",
    "event_from": "website",
    "event_name": "FS_ALL",
    "external_ids": {
      "customerlabs_user_id": "cl###################-###-####-bdcf-###########",
      "default": "[email protected]",
      "google_analytics__client_id": "##########.##########",
      "google_analytics__session_id": "##########",
      "identify_by_email": "[email protected]",
      "identify_by_phone": "11101111111"
    },
    "gid": "clxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
    "group": {},
    "group_external_ids": "{}",
    "group_name": "",
    "group_segments": {},
    "identified": "false",
    "ip": "xxx.xx.xx.xxx",
    "isp": "nil",
    "latitude": "xx.xxxx",
    "link": "https://yourdomain.com/",
    "longitude": "xx.xxxx",
    "mid": "clxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
    "mobile_desktop": "Other",
    "other_params": {
      "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"
    },
    "platform": "Windows 10",
    "postal_code": "111111111",
    "products": [],
    "screen_size": "1280 x 720",
    "segments": {},
    "sid": "CL-########-####-#####-####",
    "src": "www.google.com",
    "src_typ": "Organic",
    "state": "xxxxxxxxxx",
    "time_zone": "xxxxx/xxxxxxx",
    "title": "Mental Health Provider",
    "traits": {
      "email": "[email protected]",
      "first_name": "name",
      "last_name": " name",
      "phone": "(111) 011-1111"
    },
    "type": "pageview",
    "uid": "cl###################################",
    "user_additional_info": "{}",
    "utm": {
      "utm_cl_referrer_path": "www.google.com/",
      "utm_cl_sub_domain": "www.google.com",
      "utm_medium": "Organic Search",
      "utm_source": "www.google.com"
    },
    "v_typ": "New",
    "version": "null",
    "webhook_doc_id": ""
  },
  "p3": [],
  "p4": false,
  "p5": "default"
}
```
Below is an example of the data Meta requests, in the format you must send it:
Destination requested data
```json
{
  "action_source": "website",
  "custom_data": {},
  "event_id": "clxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
  "event_name": "FS_ALL",
  "event_source_url": "https://yourdomain.com/",
  "event_time": 1737802682,
  "user_data": {
    "anon_id": "clxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
    "client_ip_address": "xxx.xx.xx.xxx",
    "client_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36",
    "country": [
      "eb3102a6cb586765d01fad324523ec0bc67b9efd6a2d9589c135adfedf7922cc"
    ],
    "ct": [
      "2a495a6770e82baef293e553a9f5e45575902f50a4011356eceead37492e7507"
    ],
    "em": [
      "548577f3141e55e478f02286898e066db90ca261471949f68e4b25231a1537a9"
    ],
    "external_id": [
      "e63c0ad6c4ef1f2707d2df69c31e2d622341070ce28a91b75de111b7ae6b9227"
    ],
    "fn": [
      "6dce69facae598b79f7aab72a638381e6a79594b33ea60a89d34d02171fbc44a"
    ],
    "ln": [
      "2f48b881ea7073f1c6f083b296a360bd4c9cf51edaacba1cd9c34d8ae3d994ec"
    ],
    "ph": [
      "43ae9cc8445fe3f7a5f434ec7c8a6835c4e1a95d564c68722eb482b3d5bbe3fa"
    ],
    "st": [
      "2a495a6770e82baef293e553a9f5e45575902f50a4011356eceead37492e7507"
    ],
    "zp": [
      "b762f726481f40a3331227db78ea41f3009dc5f1dc86fd231e1f59183488fefc"
    ]
  }
}
```
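The step from the first sample to the second is exactly the “clean custom event” procedure and the zero-trust allowlist described above. The following is an added example (not CustomerLabs or Meta code) that applies an allowlist to a collected event: PII is normalized and SHA256-hashed, the URL is cut down to its domain, custom_data is limited to currency and value, and the descriptive event name is swapped for a context-free code. The normalization rules, the event-code table and the sample event are assumptions; check the rules against Meta’s current Conversions API parameter documentation before relying on them.

```python
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Normalizers applied before hashing (assumed rules; verify against Meta's CAPI docs).
def _lower(s): return s.strip().lower()                    # em
def _digits(s): return re.sub(r"\D", "", s)                # ph: digits only
def _letters(s): return re.sub(r"[^a-z]", "", s.lower())   # fn, ln, ct, st

# Zero-trust allowlist: raw key -> (CAPI key, normalizer); unlisted fields (title, utm, ...) never leave.
USER_FIELDS = {
    "email": ("em", _lower), "phone": ("ph", _digits),
    "first_name": ("fn", _letters), "last_name": ("ln", _letters),
    "city": ("ct", _letters), "state": ("st", _letters),
}
CUSTOM_DATA_ALLOW = {"currency", "value"}
# Hypothetical context-free codes for descriptive event names, as the article suggests.
EVENT_CODES = {"appointment_booked_cardiologist": "apt_crd", "purchase_vitaminc_tablets": "pur_vc"}

def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def domain_only(url):
    # Keep scheme and host only; the path slug may carry PHI.
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}/"

def to_capi_event(raw):
    p2 = raw["p2"]
    pii = {**p2.get("traits", {}), **{k: p2[k] for k in ("city", "state") if k in p2}}
    user_data = {capi: [sha256_hex(norm(pii[k]))]
                 for k, (capi, norm) in USER_FIELDS.items() if pii.get(k)}
    user_data["client_ip_address"] = p2["ip"]
    user_data["client_user_agent"] = p2["other_params"]["user-agent"]
    ts = datetime.strptime(p2["event_datetime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "action_source": "website",
        "event_name": EVENT_CODES.get(p2["event_name"], p2["event_name"]),
        "event_id": p2["mid"],
        "event_time": int(ts.replace(tzinfo=timezone.utc).timestamp()),
        "event_source_url": domain_only(p2["link"]),
        "custom_data": {k: v for k, v in p2.get("custom_data", {}).items() if k in CUSTOM_DATA_ALLOW},
        "user_data": user_data,
    }

# Constructed sample in the shape of the collected event above (not real data).
RAW_EVENT = {"p2": {
    "event_name": "appointment_booked_cardiologist", "mid": "cl-constructed-event-id",
    "event_datetime": "2025-01-25T10:57:02Z", "ip": "203.0.113.10", "city": "Chennai", "state": "TN",
    "link": "https://yourdomain.com/appointment-booked-cardiology?ref=promo",
    "title": "Mental Health Provider", "other_params": {"user-agent": "Mozilla/5.0 (constructed)"},
    "traits": {"email": " Jane.Doe@Example.com ", "first_name": "Jane", "last_name": " O'Doe", "phone": "(111) 011-1111"},
    "custom_data": {"currency": "INR", "value": 1200, "content_name": "cardiology consult"},
}}
```

Running `to_capi_event(RAW_EVENT)` yields a payload in which the page title, the cardiology slug and the content_name parameter are all absent; adding a new raw field without an allowlist entry changes nothing sent to Meta.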
TL;DR – Essential Steps Forward for Meta health and wellness brands
- Custom Events (with caution): The optimization event should be a custom event, but without the context. For example, instead of an event that says form submit, use something like TG_1203. Keep custom event payloads light by removing parameters like URLs, content info, and custom data.
- Server-Side Tracking: Rely solely on server-side tracking via the Conversions API and remove the Meta Pixel from your website. For tracking, use HIPAA-compliant tools such as CustomerLabs 1PD Ops.
- Clear Data Policies: Hash user PII with SHA256 and avoid including any PHI in the data you share with Meta. A business should also have clear data monitoring policies in place, so that it never sends PHI, even unknowingly, and gets into trouble with Meta.
- CustomerLabs 1PD Ops (as an example): Vishnu mentions that CustomerLabs provides solutions that can help businesses achieve compliance while maintaining ad performance. These tools are also affordable for small and medium businesses. The idea is that with first-party data operations, the small and medium businesses will also have the same level of data access as big organizations.
Conclusion
Meta’s data privacy changes present challenges, but they also highlight the need for businesses to prioritize data privacy and gain more control over how they collect, manage, and share user data.
It’s not the end of Meta ads—it’s the beginning of Meta ads done right.
By implementing a first-party data ops strategy and following the advice from experts like Vishnu, businesses can continue to achieve their advertising goals in this new, more privacy-conscious landscape. It’s essential to see these changes not as restrictions but as opportunities to build stronger, more compliant, and more privacy-respecting advertising strategies.
Next Steps
- Audit and clean your existing event data.
- Implement server-side tracking and CAPI.
- Explore tools for data management and compliance.
- Join privacy-focused communities to stay informed. (1PD Ops Club for example)
- Implement all the data protection mechanisms for the sake of the end-user, not just the ad platforms.
- Meet our team who can help you – Book a Call here!