Avanza Bank – €1,320,000 Fine (Sweden, 2024)
Avanza Bank was fined 1.32 million euros for using Meta's analytics tool without proper consent from users. This is important because it shows that companies must get clear permission before tracking user behavior online. Small businesses should ensure they have proper consent mechanisms in place when using tracking tools.
What happened
Avanza Bank used Meta's analytics tool to track user behavior without obtaining proper consent.
Who was affected
Website visitors of Avanza Bank who had their data tracked by Meta's analytics tool were affected.
What the authority found
The Swedish authority ruled that Avanza Bank violated GDPR by not securing user consent for tracking cookies.
Why this matters
This ruling reinforces the importance of user consent in data tracking and sets a precedent for other companies to follow strict consent guidelines.
GDPR Articles Cited
Original scraped data
Original data from scraper before AI verification against source document.
The controller, Avanza Bank AB, used Meta’s analytics tool Meta Pixel to measure the effectiveness of the bank’s Facebook advertising. By collecting information about which pages on the controller’s website a person visited, the controller wanted to optimise its marketing measures. This tool would only collect information about a data subject’s website visits, IP addresses and information about certain unique events such as searches on the websites.
Two new functions of the analytics tool, Automatic Advanced Matching (AAM) and Automatic Events (AE), were activated by the controller by mistake.
The AAM looked for recognisable form fields and other sources on the controller’s website that contain information such as first name, last name and email address. It transferred data to Meta in hashed form (an irreversible one-way process that converts data into a unique string of characters) if a data subject filled in any of the five different forms on the controller’s website or mobile app. When users logged in and accepted marketing cookies, the AAM collected the personal data, including personal identification number, contact details, loan amounts on existing loans, employers, type of employment and account numbers. With this, Meta Pixel could match the hashed data with the behaviour of data subjects on the website to obtain a more detailed profile of the data subjects. It is unknown whether this resulted in targeted advertising.
The AE analysed which buttons on the controller’s website and mobile app the user pressed and transmitted this data in plain text to Meta, which then made suggestions about marketing on Facebook. However, the controller categorised visual fields as buttons on their website and mobile app. Via AE, personal data of data subjects were collected, including securities holdings and value, loan amounts, account number, email address and social security number.
The controller found out from an external source that the personal data of 500,001 to
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Avanza Bank in SE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
24 June 2024
Authority
Integritetsskyddsmyndigheten
Fine Amount
€1,320,000
15,000,000 SEK
GDPRhub ID
gdprhub-8041
Cite as: Cookie Fines. Avanza Bank - Sweden (2024). Retrieved from cookiefines.eu