
Meta Platform Restrictions Explained: What Core Setup Actually Means and How to Avoid Getting Your Ad Account Suspended

Contributed by Jason Garrett, Founder & CEO of Coast Studio — a performance marketing agency specializing in compliance-first growth for healthtech, fintech, and other regulated industries.

If you run paid ads on Meta for a healthcare or wellness company, there’s a good chance you’ve already gotten the email. Maybe it was a vague notification in Events Manager. Maybe your campaigns just quietly stopped converting and you couldn’t figure out why. Either way, Meta’s data sharing restrictions have been one of the most disruptive changes to hit healthcare advertisers since iOS 14.5 — and most teams I talk to still don’t fully understand what’s happening under the hood.

I run a performance marketing agency that works almost exclusively with companies in regulated industries — healthtech, fintech, edtech. We manage paid acquisition across Meta, Google, and TikTok for digital health companies. So when Meta started rolling out its new data source categorization system in early 2025, it hit close to home. Several of our clients were affected immediately, and the lack of clear documentation from Meta made it significantly harder to respond quickly.

This post is my attempt to break down what’s actually going on, what “Core Setup” really means in practice, and what you can do right now to avoid the worst outcomes — including full account suspension.

Why Meta Is Doing This

Let’s start with the “why” because it actually matters for how you respond.

In 2023, the FTC brought enforcement actions against BetterHelp and GoodRx for sharing sensitive user health data with Meta through tracking pixels. The FTC and HHS followed up by warning telehealth providers and hospital systems about the risks of using tracking pixels on their websites. Meta, staring down massive legal liability, decided to get ahead of the problem.

The result: Meta now categorizes every data source (your website, your app) that sends data through Meta Business Tools. If your data source falls into a sensitive category — health and wellness being the big one, but also financial services, politics, and others — Meta applies restrictions on what data you’re allowed to share with them. The restrictions vary by category, by region, and by how sensitive Meta considers your specific data source to be.

This isn’t a policy you can debate your way out of. Meta is protecting itself from liability, and the enforcement is largely automated. Understanding that dynamic is the first step toward navigating it effectively.

The Three Tiers of Restriction

Meta applies restrictions on a spectrum. In practice, I see three distinct levels across the accounts we manage, and the impact of each is dramatically different.

Tier 1: Core Setup

Core Setup is Meta’s baseline restriction layer, and it’s the one most healthcare advertisers encounter first. When Core Setup is enabled on your data source, Meta restricts two specific types of data from being shared:

  • Custom parameters — any parameter you’ve created beyond Meta’s standard list. These are the extra data points advertisers typically attach to events for more granular tracking and audience building.

  • URL data after the domain — this means query strings, path parameters, product names in URLs, and UTM structures. Anything after the “/” gets stripped.

In practical terms, this means your custom audiences may shrink or stop working if they relied on URL-based rules. Catalog items added via the Meta Pixel may break. Advanced matching capabilities may be reduced. And your visibility inside Events Manager will be limited.

Here’s the critical thing most advertisers miss: you can turn on Core Setup voluntarily in Events Manager as a proactive compliance measure. But if Meta turns it on for you — because their system flagged your data source — you cannot turn it off. It’s permanent until you successfully appeal your categorization.

Tier 2: Restriction on Standard Events

This is where things start to hurt. At this level, Meta blocks mid- and lower-funnel standard events — the ones that actually drive performance. Events like Purchase, Add to Cart, Complete Registration, Schedule, and Add Payment Info may be restricted. You can still fire upper-funnel events like PageView, ViewContent, and Search, but you’ve lost the conversion signals that make Meta’s algorithm actually work for you.

If you’re a digital health company optimizing campaigns toward booked appointments or completed registrations, this tier essentially removes your ability to do performance marketing on Meta in any meaningful sense using standard events.

Tier 3: Full Restrictions

This is the worst case. All events from your data source are blocked — nothing gets through to Meta, whether it’s sent via the Pixel or server-side through CAPI. Your campaigns don’t get paused automatically, but they effectively become blind. No optimization, no retargeting, no conversion measurement. Performance degrades rapidly.

Full restrictions tend to hit data sources associated with specific medical conditions, patient portals, or anything Meta considers to be directly tied to a provider-patient relationship. If your domain is something like “treatmigraines.com” or your site content heavily references specific diagnoses, you’re at high risk for this tier.

The silent part is what kills you.

Across all three tiers, one of the most dangerous aspects of these restrictions is that your campaigns will keep running. Meta doesn’t pause your ads. They don’t send you a notification that says “your campaigns are no longer optimizing correctly.” You’ll get the initial categorization notice in Events Manager or via email, and that’s it. From that point forward, your campaigns are quietly spending budget against degraded signals. I’ve seen accounts burn through weeks of spend before anyone realized that the optimization engine was essentially flying blind. By the time you notice your CPA climbing or your conversion volume dropping off a cliff, the damage is already done. If you’re not proactively monitoring your data source categorization in Events Manager, this will sneak up on you.

How Meta Decides Where You Fall

Meta’s categorization process is automated, which is both the good news and the bad news. The system scans your data source — your website or app — and evaluates the content, the products or services you offer, and the data you’re sending through Meta Business Tools. Based on that scan, Meta assigns your data source to a category.

For healthcare, the key distinction Meta draws is whether your brand is “associated with medical conditions, specific health statuses, or provider/patient relationships.” That’s a broad definition, and it catches a lot of companies that don’t think of themselves as traditional healthcare.

Here’s what I’ve seen trigger categorization in practice:

  • URLs containing condition-specific terms. If your URL structure includes paths like /depression-treatment or /diabetes-management, Meta’s systems will pick that up.

  • Event payloads with health-related data. Standard event parameters that include product names referencing conditions (e.g., “weight-loss-supplement” as a content_id) get flagged.

  • Landing page content. Even if your tracking is clean, Meta scans your actual page content. If your landing pages reference specific medical conditions, diagnoses, or treatments, that factors into categorization.

  • Your broader web presence. Meta doesn’t just look at the specific pages you’re advertising. The overall topic and positioning of your domain matter.

The frustrating part is that this categorization isn’t always accurate. I’ve seen supplement brands that sell general wellness products get flagged as health and wellness. I’ve seen ergonomic pillow companies get categorized as medical equipment. Meta’s automation casts a wide net, and the appeal process — while available — is slow and inconsistent.

How to Check Your Status Right Now

Before you do anything else, go check your categorization:

  1. Log into Meta Events Manager

  2. Select your data source (pixel or app)

  3. Go to Settings

  4. Look for “Data Source Categories”

If you see a category assigned — particularly “Health and Wellness” — review whether it’s accurate. If it’s not, you can request a review directly from Events Manager. Across the accounts we manage, we see successful appeals very infrequently. The process typically takes 3–7 business days, often longer, and in our experience Meta sides with its original categorization far more often than not. It’s still worth doing if you believe you’ve been miscategorized, but don’t build your strategy around winning an appeal.

Even if you haven’t been categorized yet, don’t assume you’re safe. Meta’s system is continuously scanning and recategorizing data sources. Proactive compliance is significantly less painful than reactive damage control.

How to Avoid Getting Restricted (or Worse, Suspended)

Here’s the practical playbook based on what I’ve seen work across the healthtech accounts we manage.

1. Audit your tracking implementation — thoroughly.

Go through every event you’re sending to Meta. Check the event names, the parameters, the content IDs, and the URLs being passed. Look for anything that could be interpreted as protected health information (PHI) or that references specific medical conditions. This includes product names, category labels, and URL paths.

The standard I use: if a data point, combined with a user identifier, could reveal something about someone’s health status, it shouldn’t be going to Meta.

2. Clean up your URLs before they hit Meta.

If your site uses descriptive URL paths that include condition-specific language (e.g., /services/anxiety-treatment), you need a strategy for ensuring that data doesn’t reach Meta. Core Setup strips URL data after the domain, but if you’re not yet in Core Setup and you’re sending full URLs through your pixel or CAPI implementation, you’re exposing yourself.

Consider restructuring URLs on key landing pages to use generic paths, or use a server-side intermediary that sanitizes URLs before they’re sent to Meta.

3. Rename and restructure your events.

Renaming events used to be a reliable workaround — changing “Purchase” to something generic, for example. That alone doesn’t work anymore. Meta now scans the full payload, not just event names. But combined with payload cleansing (removing condition-specific content IDs, scrubbing sensitive parameters), restructured events can still be effective.

An important distinction here: custom conversions and custom events are two different things in Meta's system. Custom conversions are filters applied on top of standard events (e.g., purchases with a specific content ID or purchases under $100) — so if your standard events are restricted, custom conversions built on them will be too. Custom events, on the other hand, are entirely standalone. They're not tied to standard events, which means they can still function even when standard event restrictions are in place. Custom events with compliant naming conventions and clean payloads are your best bet for maintaining some level of optimization signal without triggering restrictions.

4. Move to server-side tracking with a compliance layer.

This is the single most impactful change you can make. A server-side implementation using CAPI, routed through a HIPAA-compliant intermediary, lets you control exactly what data reaches Meta. You can strip PHI, anonymize identifiers, and filter out sensitive parameters before anything is transmitted.

This is where a purpose-built platform matters. Tools like Ours Privacy act as a privacy shield between your data and Meta, giving you the ability to maintain conversion tracking and campaign optimization while ensuring that nothing non-compliant ever reaches Meta’s systems. For healthcare companies, this isn’t optional — it’s the foundation of a sustainable Meta ads strategy.

5. Diversify your creative and messaging approach.

Even with compliant tracking, your ad creative and landing page copy matter. Meta’s systems evaluate ad content as well as tracking data. Avoid creative that explicitly references medical conditions, diagnoses, or symptoms. Instead, focus on outcomes, emotions, and intent.

For example, instead of “Struggling with anxiety? Get treatment today,” try “Ready to feel like yourself again? We can help.” The message reaches the same audience, but it doesn’t create a compliance signal for Meta’s automated systems.

6. Don’t ignore the warnings.

If you receive a notification from Meta about your data source categorization or potential policy violations, treat it as urgent. Multiple warnings build a profile inside Meta’s system, and that profile can escalate your restriction level — from Core Setup all the way to full restriction or account suspension.

Address each warning immediately: audit your tracking, clean your data, and if necessary, request a categorization review.
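Steps 1, 2 and 4 above describe auditing event payloads, keeping URL data after the domain away from Meta, and filtering parameters server-side. The sketch below is an added example, not code from the author or from any vendor named here. It uses the `event_source_url` and `custom_data` fields of a Conversions API style event; the parameter allowlist, the condition-term list and the sample event are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a constructed allowlist of parameters you have reviewed and approved.
ALLOWED_CUSTOM_DATA = {"value", "currency", "content_ids", "content_type", "num_items"}
# Constructed term list, taken from the examples used in this article.
CONDITION_TERMS = ("depression", "diabetes", "anxiety", "migraine", "weight-loss")


def find_condition_terms(value):
    """Return the condition terms found in a value (case-insensitive)."""
    lowered = str(value).lower()
    return [term for term in CONDITION_TERMS if term in lowered]


def sanitize_event(event):
    """Return (clean_event, findings) without mutating the input event."""
    findings = []
    clean = {k: v for k, v in event.items() if k not in ("event_source_url", "custom_data")}
    url = event.get("event_source_url")
    if url:
        parts = urlsplit(url)
        # Record what the path and query string would have revealed, for the audit log.
        findings += [("event_source_url", t)
                     for t in find_condition_terms(parts.path + "?" + parts.query)]
        # Forward scheme and host only: path, query string and fragment are dropped.
        clean["event_source_url"] = f"{parts.scheme}://{parts.hostname}/"
    clean_data = {}
    for key, value in event.get("custom_data", {}).items():
        terms = find_condition_terms(value)
        if key not in ALLOWED_CUSTOM_DATA:
            findings.append((key, "custom parameter dropped"))
        elif terms:
            # An allowlisted parameter whose value names a condition is withheld too.
            findings += [(key, t) for t in terms]
        else:
            clean_data[key] = value
    clean["custom_data"] = clean_data
    return clean, findings


# Constructed sample event for illustration only.
SAMPLE_EVENT = {
    "event_name": "Schedule",
    "event_time": 1735689600,
    "action_source": "website",
    "event_source_url": "https://example.com/services/anxiety-treatment?utm_campaign=spring",
    "custom_data": {"value": 49.0, "currency": "USD",
                    "content_ids": ["weight-loss-supplement"], "intake_answer": "yes"},
}
```

The findings list doubles as the audit trail from step 1: each entry names the field and the reason it was removed or reduced.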

What to Do If You’re Already Restricted

If you’re already dealing with restrictions, here’s how to triage:

If you’re in Core Setup only: You can still run effective campaigns. Focus on standard events that are still available, use custom events with clean payloads, and implement server-side tracking to maintain data quality. This tier is manageable.

If you’re mid-restricted (standard events blocked): Shift your campaign strategy to upper-funnel objectives — awareness, engagement, traffic. These aren’t as efficient for direct response, but they keep your Meta presence alive while you work on compliance. Simultaneously, explore whether custom events sent through a compliant server-side connection can restore some optimization signal.

If you’re fully restricted: You can try appealing your categorization, but as I mentioned, successful appeals are rare in our experience. More realistically, you need to fundamentally change your approach. Consider building a compliant microsite on a separate domain that can pass Meta’s categorization process, while your main site continues to serve patients. This is a more complex strategy, but for some healthcare organizations, it’s the only path back to performance marketing on Meta.

In all cases, don’t put all your eggs in Meta’s basket. Diversify across Google, TikTok, and other channels. Meta remains one of the most powerful advertising platforms in the world, but for healthcare companies, it now requires a compliance infrastructure that many teams haven’t built yet.

The Bottom Line

Meta’s platform restrictions aren’t going away. If anything, they’re going to expand to more categories and get stricter over time. The companies that will continue to grow on Meta are the ones that invest in compliant data infrastructure now — not the ones scrambling to fix things after they’ve already been restricted.

For healthcare marketers specifically, the gap between “we think we’re compliant” and “we can prove we’re compliant” is where most of the risk lives. A HIPAA-compliant CDP like Ours Privacy closes that gap by giving you control over every data point that leaves your ecosystem, so you can keep running high-performing campaigns without the constant threat of restrictions or suspension.

I’ve seen this playbook work across multiple healthtech clients. The investment in compliant infrastructure pays for itself the first time you don’t get restricted while your competitors do.

Jason Garrett is the Founder & CEO of Coast Studio, a performance marketing agency that specializes in compliance-first growth for startups in regulated industries including healthtech, fintech, and edtech. Coast Studio manages paid acquisition across Meta, Google, and TikTok for digital health brands navigating complex regulatory environments.



Start the conversation

Healthcare marketers tell us every day about the challenges of flying blind, navigating compliance, and dealing with ad restrictions. Talk with one of our experts to see if Ours Privacy is the right fit for your organization.
