Kristiansand Municipality – €21,750 Fine (Norway, 2025)
Kristiansand Municipality was fined EUR 21,750 for using tracking tools on its website without proper consent. They had multiple tracking cookies that were not disclosed in their privacy policy. This case shows the importance of transparency in data collection practices.
What happened
The municipality used tracking pixels on its website without obtaining user consent or providing clear information about them.
Who was affected
Visitors to the municipality's website who were tracked without their knowledge or consent.
What the authority found
The Norwegian DPA ruled that the municipality violated GDPR by processing personal data through tracking tools without a lawful basis.
Why this matters
This ruling serves as a warning to all website operators about the need for clear consent mechanisms and transparency regarding data collection. Small businesses should ensure their privacy policies are up-to-date and compliant.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Following media reports about the use of invasive tracking tools on website, DPA investigated www.116111.no. The website is a help line for abused minors operated by the Kristiansand Municipality (the controller). The investigation found 17 cookies on the website along with Meta and Snap pixels. A pixel is a tracking tool attached to the website that directly sends user’s data to its operator. The DPA decided to limit its investigation to the use of the pixels. At the time of the investigation, the controller’s privacy policy did not mention the cookies and the pixels. The privacy policy was later amended to list cookies and tracking pixels more completely. However, the new privacy policy still failed to specify the legal basis for processing personal data, and the categories of data processed via the trackers. The DPA fined the controller 250,000 NOK (€21,600) for processing personal data via the Snap and Meta pixels without a lawful basis. The DPA clarified that it did not issue an injunction to remove the trackers because the controller already did so at the time of the decision. = The DPA fist established that the municipality was a data controller for the pixels as per Article 4(7) GDPR as it operated the website, integrated the tracking tools and determined the purpose of processing (i.e.: to measure the reach of its media campaign). In this regard, the DPA clarified that it was not relevant that the municipality had no access to the data processed via the pixels. On this point, the DPA referred to the Fashion ID ruling of the CJEUCJEU, case C-40/17, Fashion ID, 29 July 2019 (available here).. = Third party pixel collected personal information including unique user IDs, IP addresses, and device fingerprints which could be used as identifiers by Meta and Snap. For this reasons, the DPA held the pixels collected personal data, contrary to what the controller’s privacy policy stated. The DPA then assess whether the controller could rely on a legal basis for
Violations (3)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Kristiansand Municipality in NO
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
26 March 2025
Authority
Datatilsynet (Norway)
Fine Amount
€21,750
250,000 NOK
GDPRhub ID
gdprhub-9349About this data
Cite as: Cookie Fines. Kristiansand Municipality - Norway (2025). Retrieved from cookiefines.eu
Last updated: