8 Million fine for Meta Pixel use in the EU: Is your digital marketing setup compliant with Sweden’s new decision?

Recently, the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) issued another significant decision related to the use of Meta Pixel. Does this mean that you should stop using your Meta Pixel (formerly known as Facebook Pixel) on your website?
In this blog post, we’ll break down the decision, explain what it means for marketers, and suggest what you should do to avoid compliance risks while still maximizing the potential of tools like Meta Pixel.
This is the second of five Meta Pixel decisions that the Swedish Data Protection Authority (IMY) is releasing in 2024 (you can find our blog post about the first Swedish Meta Pixel decision here).
Are you running Meta Ads in the EU?
If so, this decision is crucial for you.
Since most Data Protection Authorities in the EU align their rulings and base them on the EU GDPR, there is good reason to believe that other European Data Protection Authorities could reach the same conclusion.

What is this Swedish Meta Pixel IMY decision about?

This second decision is about a Swedish online pharmacy’s use of Meta Pixel, highlighting a breach of the EU’s General Data Protection Regulation (GDPR).

The decision primarily concerns the unlawful transfer of personal data from the online pharmacy’s website to Meta (formerly Facebook) due to inadequate security measures during the implementation and use of Meta Pixel.
The online pharmacy was fined 8 million SEK (approximately $700,000) for this violation, which can raise questions for digital marketers about the use of tracking technologies like Meta Pixel.
As digital marketing is heavily reliant on data collection, this ruling can have implications for marketers who use similar tools to track user behavior, measure conversions, and optimize ad campaigns. But what is the Meta Pixel?

What is the Meta Pixel and why is it important for your Facebook Ads and Instagram Ads?

Meta Pixel is a snippet of JavaScript code that can be embedded in websites to track your website visitors and their actions (e.g., page views, clicks, purchases).
The data collected through Meta Pixel is transmitted to Meta, where it can be used to track conversions and target ads based on user behavior. Many businesses and advertisers, including e-commerce platforms, rely on Meta Pixel for:
  • Tracking user actions
    Meta Pixel allows businesses to know which actions users take on their websites, such as adding items to a cart or completing a purchase.
  • Measuring campaign performance
    It helps you understand how Facebook and Instagram ads are performing by linking actions on the website to ad interactions.
  • Optimizing targeting
    By tracking user behavior, Meta Pixel allows you to retarget users who have shown interest in your specific products or services.
However, the ability to collect detailed user information makes tools like Meta Pixel susceptible to privacy concerns, particularly under the GDPR, which requires you as a business to obtain explicit consent from users before collecting their personal data. This can easily be done if you have a cookie banner that is set up in a compliant way.
Looking to streamline your compliance with the latest privacy regulations while optimizing your marketing results?
With Cookie Information’s Consent Management platform, you can gather valid user consents effortlessly. Our platform includes a customizable consent banner for your website and supports Google Consent Mode v2. Try it free for 14 days.

What is the new Swedish Meta Pixel case about?

In the case of this Swedish online pharmacy, the issue arose when Meta Pixel inadvertently transmitted more user data to Meta than intended. The data included:
  • Personal information like names, addresses, and email addresses of customers who interacted with the pharmacy’s website.
  • Purchase information, including the types of products bought, such as cosmetics, hygiene products, and over-the-counter medicines.
  • Website behavior data like pages visited, products added to the cart, and purchases made.
The primary problem identified by IMY was that the data transferred to Meta included more sensitive information than was legally permissible, particularly without sufficient consent and adequate security measures in place.
Specifically, Meta’s “Automatic Advanced Matching” (AAM) function was unintentionally activated and collected additional personal information. This transfer occurred for over a year (from April 2021 to April 2022) before the online pharmacy identified and corrected the issue.
IMY concluded that the online pharmacy had violated Article 32 of the GDPR by failing to implement appropriate technical and organizational measures to ensure the security of personal data, particularly considering the sensitive nature of the data involved.
As a result, the online pharmacy was held accountable for the breach and was fined.

What does this new Swedish Meta Pixel case mean for digital marketing?

The decision raises several important issues for digital marketers, particularly those using tracking technologies like Meta Pixel. Here are 6 points you should be aware of:
1. Shared responsibility between platforms and businesses
The ruling highlights joint responsibility for data processing between businesses and platforms like Meta. The pharmacy was deemed the data controller, meaning businesses cannot fully rely on Meta for GDPR compliance. If you use tracking pixels, you share accountability with the platform.
2. Informed Consent is Essential
A major issue was the lack of informed consent for the data collected. GDPR requires businesses to provide clear information on what data is being collected, why, and how it’s processed.
3. Sensitive Data Needs Extra Caution
Even though the pharmacy didn’t intend to share sensitive data, some information could still indirectly reveal health details. Sensitive data like health or sexual behavior requires special handling.
4. Regular Audits Are Crucial
The pharmacy failed to monitor its data transfer, leading to a year-long breach. This highlights the need for regular audits to ensure ongoing compliance.
5. Don’t Rely Solely on Platform Filters
The pharmacy trusted Meta’s filters to block sensitive data, but relying solely on third-party systems didn’t prevent the breach. GDPR requires proactive measures, not just reactive filtering.
6. High Stakes: Fines and Reputation
The 8 million SEK fine underscores the risks of GDPR non-compliance. Beyond fines, a data breach can damage customer trust and brand reputation.

What should you do with your Meta Pixel and digital marketing efforts after the new Swedish Online Pharmacy Meta Pixel case?

1. Review your use of Meta Pixel
Ensure that the data you are collecting through Meta Pixel aligns with what your customers have consented to. Pay special attention to any sensitive data that may inadvertently be transferred.
2. Strengthen your data consent practices
Use clear, transparent consent mechanisms to inform users about data collection and processing activities. Always allow users to opt out of tracking, especially for marketing purposes.
3. Enhance security measures
Ensure that you have both technical (encryption, pseudonymization) and organizational (staff training, internal audits) measures in place to safeguard personal data.
4. Regularly audit tracking technologies
Frequently review the tracking tools implemented on your website to ensure that they are collecting only the data you intend to and that they comply with GDPR.
5. Consider the sensitivity of data
Be aware that even non-sensitive data can sometimes reveal sensitive information, such as health status or sexual behavior. Take extra precautions when handling any data that could be linked to sensitive categories.
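One way to carry out the audit in step 4, as an added example that is not from the original post or from Meta's documentation: a Node.js function that scans captured request URLs for pixel requests carrying user-data fields of the kind Automatic Advanced Matching adds, or plaintext e-mail addresses. The endpoint (`www.facebook.com/tr`) and the `ud[...]` / `udff[...]` parameter names are assumptions to confirm against your own captured traffic, and the sample URLs are constructed.

```javascript
// Added example, not from the original post or from Meta's documentation.
// ASSUMPTIONS to confirm against your own captured traffic: the endpoint
// host/path and the "ud[...]" / "udff[...]" user-data parameter naming.
const PIXEL_HOSTS = new Set(['www.facebook.com', 'facebook.com']);
const PIXEL_PATH = /^\/tr\/?$/;
const USER_DATA_KEY = /^(ud|udff)\[([a-z_]+)\]$/;
const EMAIL_LIKE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

// urls: request URLs exported from the browser's network panel.
// consentGiven: whether the visitor had accepted marketing tracking in that session.
function auditPixelRequests(urls, consentGiven) {
  const findings = [];
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch { continue; } // skip malformed entries
    if (!PIXEL_HOSTS.has(u.hostname) || !PIXEL_PATH.test(u.pathname)) continue;
    const issues = [];
    if (!consentGiven) issues.push('pixel request sent without consent');
    for (const [key, value] of u.searchParams) {
      const m = USER_DATA_KEY.exec(key);
      // Hashed or not, a user-data field means personal data left the site.
      if (m) issues.push(`user-data field "${m[2]}" present (${m[1]})`);
      // Page URLs and custom parameters can leak identifiers in plaintext.
      if (EMAIL_LIKE.test(value)) issues.push(`plaintext e-mail-like value in "${key}"`);
    }
    if (issues.length) findings.push({ event: u.searchParams.get('ev'), issues });
  }
  return findings;
}

// Constructed sample capture (placeholder pixel id, not real traffic).
const BASE = 'https://www.facebook.com/tr/?id=000000000000000';
const SAMPLE = [
  BASE + '&ev=PageView&dl=https%3A%2F%2Fshop.example%2F',
  BASE + '&ev=Purchase&udff%5Bem%5D=' + 'a'.repeat(64) + '&udff%5Bfn%5D=' + 'b'.repeat(64),
  BASE + '&ev=AddToCart&dl=https%3A%2F%2Fshop.example%2Fcart%3Femail%3Djane%40example.com',
  'https://cdn.example/app.js',
];

for (const f of auditPixelRequests(SAMPLE, true)) {
  console.log(f.event, '->', f.issues.join('; '));
}
```

Run it against a fresh capture after every tag-manager or pixel configuration change, once with consent accepted and once with it declined.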
This case serves as a stark reminder that even tools as commonly used as Meta Pixel can lead to serious GDPR violations if not properly managed.
As a digital marketer, it’s essential that you stay informed about the evolving landscape of data protection and ensure that the tools you use are aligned with both legal requirements and the expectations of your users.
By adopting a privacy-first approach, you can build more trustworthy relationships with your audience and mitigate the risks of regulatory penalties and reputational harm.
As a business and brand, you need to stay on top.
Keep in mind that data privacy isn’t just about complying with authorities’ regulations.
It is a competitive advantage in a market where consumers increasingly value and demand control over their personal information.
