The Swedish pharmacies Apoteket AB and Apohem AB have together been fined a total of SKr 45m ($4.4m) for GDPR failures when using the so-called Meta pixel on their websites and then transferring privacy-sensitive personal data to Meta.
The sensitive data included information about the purchase of over-the-counter medicines, self-tests, sex toys, and the treatment of venereal diseases.
The fines, SKr 37m ($3.6m) and SKr 8m ($781,593), were imposed by Integrationsmyndigheten (IMY), the Swedish Data Protection Authority, after it received reports that both companies had transferred more personal data than intended to Meta over a long period of time.
“Our review shows that the companies have not had the routines required to discover the deficiencies themselves. The transfer of the personal data has therefore been going on for a long time and was only stopped after the companies were made aware of the incident by outsiders,” said Maja Welander, lawyer at IMY.
Sensitive personal data
The incidents were reported to IMY in 2022, and the failures occurred between January 19, 2020 and April 25, 2022 for Apoteket, and between April 15, 2021 and April 26, 2022 for Apohem.
By activating a partial function of the pixel, both companies transferred privacy-sensitive material about a large number of customers. The amount of data depended on the customer’s actions on the website. For those who had consented to marketing cookies on Apoteket’s website, the information generally included:
- URL;
- total value of product or shopping cart;
- currency (SKr);
- content/product ID (Apoteket’s internal product number);
- type of product; and
- IP address.
But when the extra pixel function was activated, more information was transferred to Meta, which included:
- first and last name;
- e-mail address;
- telephone number;
- social security number;
- gender;
- city;
- postal code; and
- country.
For those who had accepted marketing cookies on Apohem’s website, the following data was transferred to Meta through the pixel:
- IP addresses;
- purchase information such as category, product group and name of merchandise and others;
- non-prescription products including product code, quantity and price; and
- website behavior/triggered events such as visited page, visited product page, what was added to cart, and completed purchase(s).
With the extra pixel function activated, Apohem also submitted the first and last name and email address of those who had either accepted marketing cookies, added products to the shopping basket or filled out a checkout form.
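The failure described above is a tracking pixel being handed identity and purchase fields that nobody on the site side was checking. The following is an added example, not code from the article or from either pharmacy: a privacy-audit shim that wraps the page's global `fbq` function, classifies each pixel call before forwarding it, and records which identity or purchase fields it carried and whether marketing consent was present. The advanced-matching key names (em, fn, ln, ph, ge, ct, zp, country, external_id) are the pixel's documented parameters; the consent object and the finding labels are assumptions made for this example.

```javascript
// Added example (not the article's or the pharmacies' code): audit shim for the
// Meta pixel. Field names are the pixel's documented advanced-matching and
// purchase-event keys; consent shape and finding labels are assumptions.

const IDENTITY_KEYS = new Set(["em", "fn", "ln", "ph", "ge", "ct", "zp", "country", "external_id"]);
const PURCHASE_KEYS = new Set(["content_ids", "content_name", "content_category",
                               "contents", "value", "currency"]);

// Classify one fbq(...) call. `args` is the call's argument list, e.g.
// ["init", "<PIXEL_ID>", { em: "..." }] or ["track", "Purchase", { value: 199 }].
// `consent.marketing` is whether the visitor accepted marketing cookies.
function auditPixelCall(args, consent) {
  const [command, target, params] = args;
  const keys = params && typeof params === "object" ? Object.keys(params) : [];
  const identity = keys.filter((k) => IDENTITY_KEYS.has(k));
  const purchase = keys.filter((k) => PURCHASE_KEYS.has(k));
  const findings = [];
  if (!consent.marketing) findings.push("fired-without-marketing-consent");
  if (identity.length) findings.push("identity-fields:" + identity.sort().join(","));
  if (purchase.length) findings.push("purchase-fields:" + purchase.sort().join(","));
  return { command, target: String(target), findings };
}

// Replace win.fbq with a wrapper that records findings in `log` and then
// forwards the call unchanged, so the audit never alters pixel behaviour.
// Returns false if no pixel function is installed on the page yet.
function installPixelAudit(win, consent, log) {
  const original = win.fbq;
  if (typeof original !== "function") return false;
  win.fbq = function (...args) {
    const result = auditPixelCall(args, consent);
    if (result.findings.length) log.push(result);
    return original.apply(this, args);
  };
  return true;
}
```

Run in a staging build with `win = window`, the shim must be installed after the pixel loader defines `fbq` and before any `init` call; the log then shows exactly which customer fields each page would send to Meta, which is the check both companies lacked.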
1,000,000 users
According to the filings, neither Apoteket nor Apohem submitted any information about prescription medicine. However, they did transfer information on purchases, which could include sex toys, self-tests and treatment for sexually transmitted diseases, pregnancy products, and other sensitive treatments.
“Processing this type of privacy-sensitive personal data involves high risks that entail requirements for a high level of protection. The companies have had an obligation to take appropriate measures to protect the data from, for example, being shared with unauthorized persons,” said Shirin Daneshgari Nejad, lawyer at IMY.
About 500,000 – 1,000,000 Apoteket users are believed to have been affected, and around 15,000 Apohem customers.
Apoteket AB, the state-owned pharmaceuticals retailer, was fined SKr 37m ($3.6m), and Apohem AB, a full-scale online retail pharmacy, was fined SKr 8m ($781,593).
Both companies have, since discovering the incorrect data transfer, developed and implemented internal procedures to ensure correct and secure processing of personal data.
IMY had earlier opened similar investigations into other companies. In June 2024, Avanza Bank AB was fined SKr 15m ($1.5m) for using the Meta pixel on its website and app, thereby transferring information to Meta about customers’ securities holdings and account numbers.
IMY is also currently investigating Kry (a digital-first healthcare provider) over its use of the Meta pixel.