Apoteket AB – €3,256,000 Fine (Sweden, 2024)
Apoteket AB, a Swedish pharmacy, was fined over €3 million for improperly using a tracking tool that sent customer data to Meta without consent. This case is significant because it emphasizes the importance of obtaining user consent for data collection, especially in marketing. Companies need to ensure they have proper controls in place to protect customer information.
What happened
Apoteket AB used a Meta pixel that collected customer data without proper consent.
Who was affected
Customers of Apoteket AB whose personal data was transmitted to Meta without their consent.
What the authority found
The data protection authority found that Apoteket AB failed to implement adequate measures to protect personal data, violating GDPR requirements.
Why this matters
This ruling serves as a warning to businesses about the consequences of failing to secure user consent for data tracking. Companies should review their data collection practices to avoid similar penalties.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Entities Involved
A Swedish pharmacy company, Apoteket AB (the controller), had been using the Meta pixel (https://www.facebook.com/business/tools/meta-pixel) for marketing purposes since 2017. The purpose of the pixel was to measure the controller’s marketing activity within Facebook and Instagram and additionally to promote the controller’s products to visitors of certain pages (self-care product category). By default, the controller disabled the pixel within the part of the website dedicated to prescription goods. At the same time, the pixel collected data about other products offered by the controller, in particular products to treat a variety of disorders (for example allergy or stomach disorder) or sexual wellness products. In 2020, an employee of the controller, acting without the authorisation or knowledge of the controller, activated the Advanced Matching function of the pixel (https://developers.facebook.com/docs/meta-pixel/advanced/advanced-matching/). The employee was one of three employees managing the pixel within the controller's structure. As a result, the controller was provided with supplementary data, which was not necessary for the purposes of data processing, as the pixel collected more data referring to the customers. This additional data was also transferred to Meta. When a customer made a purchase with the controller, Meta received hashed data related to the customer, namely the contact data, name and surname, social security data, and address data. Meta was then able to match the data with a Facebook user ID and eventually deleted the hashed data. The estimated number of data subjects affected by the incident was up to 930,000. As soon as the controller identified the new settings of the pixel (2022), they disabled the Advanced Matching function. The controller requested Meta to delete the data collected via the pixel. Meta explained that they had already deleted the data older than two years and, regarding newer data, Meta claimed to be unable to delete them manually. Additi
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Apoteket AB in SE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
29 August 2024
Authority
Integritetsskyddsmyndigheten
Fine Amount
€3,256,000
37,000,000 SEK
GDPRhub ID
gdprhub-8238
Cite as: Cookie Fines. Apoteket AB - Sweden (2024). Retrieved from cookiefines.eu