Book Consultation
Pricing
Cases
About us
Webinars
Book Consultation
Pricing
Cases
About us
Webinars
Case Study

IMY Imposes Fines on Apoteket and Apohem for Meta Pixel Data Transfer

by Berner Setterwall
August 30, 2024
The Swedish Authority for Privacy Protection (IMY) has imposed significant fines on Apoteket and Apohem for transferring sensitive personal data to Meta through the Meta Pixel, emphasizing the need for server-side tracking solutions.

Background

On August 30, 2024, the Swedish Authority for Privacy Protection (IMY) imposed substantial fines on two pharmacy companies - Apoteket AB (37 million SEK) and Apohem AB (8 million SEK) - for improperly transferring sensitive personal data to Meta through the Meta Pixel tracking tool.

The Investigation

IMY's investigation revealed several serious violations:

  1. Sensitive Data Transfer: Both companies were found to be inadvertently sharing sensitive health-related information with Meta through their websites.
  2. Lack of Protection: The implementation of Meta Pixel resulted in unauthorized transfer of personal data, including information about medical products and health conditions.
  3. Insufficient Controls: The companies failed to implement adequate safeguards to protect sensitive personal data.

Key Findings

  1. Types of Data Transferred:

    • Information about purchased medicines
    • Health-related search queries
    • User browsing patterns on health-related pages

  2. Legal Violations:

    • Breach of GDPR Article 9 (processing of special categories of personal data)
    • Inadequate technical and organizational measures
    • Lack of proper impact assessments

Server-Side Tracking as a Solution

This case highlights why server-side implementation of tracking pixels is crucial:

  1. Data Control:

    • Filter sensitive information before sharing
    • Control exactly what data is sent to third parties
    • Implement proper anonymization

  2. Compliance Benefits:

    • Maintain control over data flows
    • Implement proper consent management
    • Ensure GDPR compliance

Implementation Guidelines

  1. Moving Meta Pixel Server-Side:

    • Implement server-side tracking container
    • Filter sensitive data parameters
    • Control data flow through server-side rules

  2. Data Protection Measures:

    • Implement proper consent management
    • Regular privacy impact assessments
    • Document all data processing activities

  3. Best Practices:

    • Regular audits of data flows
    • Staff training on privacy requirements
    • Clear documentation of technical measures

Recommendations for Companies

  1. Immediate Actions:

    • Audit current tracking implementations
    • Identify potential data leakage points
    • Document all third-party tools in use

  2. Long-term Solutions:

    • Move to server-side tracking
    • Implement proper data filtering
    • Regular compliance reviews

Conclusion

The IMY ruling against Apoteket and Apohem serves as a crucial reminder of the importance of properly implementing tracking tools, especially when dealing with sensitive personal data. Server-side tracking emerges as a key solution to maintain marketing capabilities while ensuring GDPR compliance and protecting user privacy. Companies must take proactive steps to review their tracking implementations and consider moving to server-side solutions to avoid similar penalties.