Norsk Helseinformatikk AS – Violation Found (Norway, 2025)
Norsk Helseinformatikk AS was found to have a cookie banner that made it hard for visitors to reject cookies. The website's cookie options favored accepting cookies over rejecting them. This is significant because it shows that companies must provide clear and fair cookie consent options.
What happened
Norsk Helseinformatikk AS's cookie banner did not clearly allow users to reject non-essential cookies.
Who was affected
Visitors to the www.nhi.no website who were tracked by cookies without proper consent.
What the authority found
The Norwegian data protection authority found that the company violated GDPR by not providing clear consent options for cookies.
Why this matters
This case reinforces the need for businesses to ensure their cookie consent mechanisms are user-friendly and comply with privacy regulations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Following media reports about online tracking, the DPA started several ex officio investigations over the use of tracking tools on websites. Among others, the DPA investigated www.nhi.no, a website providing information about medical topics. The website included many subpages providing information on specific health conditions. The website was published by the company Norsk Helseinformatikk AS (the controller). The investigation found that the website presented visitors with a cookie banner provided by the cookie management platform Cookiebot. The banner offered visitors three options: “Only necessary cookies”, “Customize”, and “Allow all cookies”. The “Only necessary cookies” button was somewhat visible but featured less prominent colors than the others. The investigation found that the website implemented the Meta pixel. The Meta pixel is not a cookie and is not stored client-side. The pixel tracked information about actions taken by the user on the website and shared it with Meta. In addition, the pixel stored a tracking cookie (-fbp) on the users’ browser. The website implemented the pixel on both the home page and subpages, which made it possible to track an individual user’s journey through the website. The website forwarded other information to Meta, including IP addresses, fingerprints for the user’s device, and the unique identifier from the _fbp cookie. The investigation found that the controller implemented other trackers. However, the DPA decided to limit the scope of the proceedings to the use of the Meta pixel. The DPA held that the controller unlawfully processed sensitive data via the Meta pixel, in violation of Articles 6 and 9 GDPR. The DPA held that Norsk Helseinformatikk was only a controller for the initial data processing via the pixel. So, the DPA did not examine the subsequent processing of these data after their disclosure to Meta. The DPA issued a warning against the controller. The DPA clarified that an injunction to remove the pixel was
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (3)
Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.
Art. 7 GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Norsk Helseinformatikk AS in NO
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Norsk Helseinformatikk AS - Norway (2025). Retrieved from cookiefines.eu
Last updated: