Swedish DPA Fines Apoteket and Apohem for Meta Pixel Misuse


On 29 August 2024, the Swedish Privacy Protection Authority (IMY) issued two fines against major pharmacy companies, Apoteket AB and Apohem AB, for violations of Article 32 of the GDPR. Both cases involved the misuse of Meta’s analytics tool, Meta Pixel, which led to the unintentional transfer of sensitive customer data to Meta Platforms Ireland. The breaches occurred due to the activation of the Advanced Matching (AAM) function, resulting in the exposure of personal information, including health-related data. Apoteket was fined SEK 37 million (approximately $3.6 million), while Apohem was fined SEK 8 million (approximately $780,000).


Details of the Breaches

  • Apoteket used Meta Pixel from January 2020 to April 2022, transferring customer data such as names, emails, addresses, and product purchases related to non-prescription items (e.g., sexual health treatments, self-tests, and gender-specific products). Approximately 930,000 users were affected, with 9% of sales linked to sensitive products. Apoteket was fined SEK 37 million (approx. $3.6 million).
  • Apohem experienced a similar breach between April 2021 and April 2022, affecting around 15,000 users. Like Apoteket, they transferred sensitive purchase data to Meta, though their breach involved fewer customers. Apohem was fined SEK 8 million (approx. $780,000).


Common Violations

The Meta Pixel is a piece of tracking code embedded on websites to collect user interaction data (such as viewed pages, products added to cart, and completed purchases) and send it to Meta for targeted advertising and performance measurement. However, in these cases, the companies mistakenly activated the AAM function, which enabled the transmission of additional sensitive user data—like names, addresses, and health-related product purchases—to Meta.

IMY’s decisions emphasize that the data involved was information that customers themselves actively entered while using the website, by selecting products or completing purchase forms. This distinction might seem counterintuitive, because the Meta Pixel collects data from users’ devices, in particular through cookies. However, IMY focuses on the type of data involved: data that users actively provide (e.g., names, contact details, and purchase choices) versus data that is passively collected from their devices (such as tracking data from cookies). IMY argues that, in these cases, the critical data (product selections and personal details) was entered voluntarily by the data subjects during their interactions with the website, such as filling out a checkout form or selecting products, rather than being automatically extracted from the device’s memory or cookies without any user action.

This distinction means the breaches primarily concern the GDPR’s rules on data protection rather than the law implementing the ePrivacy Directive, which governs cookie-based tracking. If the ePrivacy rules applied, IMY would lose jurisdiction over the matter, as in Sweden these two laws have different enforcement authorities. I personally think IMY’s reasoning is not stellar, and I’m curious whether any of the sanctioned entities will appeal on this point.

IMY concluded that both Apoteket and Apohem failed to implement sufficient technical and organizational measures to secure sensitive customer data, as required by GDPR Article 32. Neither company had processes in place to detect or prevent these breaches internally; both relied on external sources to identify the issue. Additionally, neither company performed the necessary risk assessment before activating the AAM function, which increased the risk of exposing sensitive health-related data to Meta.
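The kind of internal detection the decisions found missing, as an added example that is not from the post, IMY or either pharmacy: a Python audit over captured outbound Meta Pixel request URLs (constructed samples) that flags Advanced Matching user-data keys (`ud[...]`) and purchase-revealing custom-data keys (`cd[...]`). The parameter names follow Meta’s documented pixel request format as I understand it and are an assumption here.

```python
"""Audit captured outbound Meta Pixel requests for customer-supplied personal data."""
from urllib.parse import parse_qs, urlsplit

# Advanced Matching carries customer fields under ud[...] keys (hashed in transit).
# Key names assumed from Meta's advanced-matching parameter documentation.
AM_FIELDS = {"em": "email", "fn": "first name", "ln": "last name", "ph": "phone",
             "ct": "city", "st": "state", "zp": "zip", "country": "country",
             "external_id": "external id"}
# Custom-data keys whose values reveal what a customer viewed or bought.
PURCHASE_KEYS = ("cd[content_name]", "cd[content_ids]", "cd[value]")


def audit_pixel_request(url):
    """Return a finding dict for a pixel request, or None for any other URL."""
    parts = urlsplit(url)
    if "facebook.com" not in parts.netloc or not parts.path.startswith("/tr"):
        return None
    q = parse_qs(parts.query)
    event = q.get("ev", ["?"])[0]
    # ud[em] -> "em" -> "email"; unknown ud[...] keys are ignored.
    matched = sorted(AM_FIELDS[k[3:-1]] for k in q
                     if k.startswith("ud[") and k[3:-1] in AM_FIELDS)
    purchase = {k: q[k][0] for k in PURCHASE_KEYS if k in q}
    # Identity plus purchase in one request links a person to a product.
    if matched and purchase:
        risk = "high"
    elif matched or purchase:
        risk = "medium"
    else:
        risk = "low"
    return {"event": event, "advanced_matching": matched,
            "purchase_data": purchase, "risk": risk}


def audit_all(urls):
    """Audit a batch of captured URLs, keeping only pixel requests."""
    return [r for r in (audit_pixel_request(u) for u in urls) if r]


# Constructed sample capture; pixel id and hashes are placeholders.
SAMPLE_URLS = [
    "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=Purchase"
    "&ud[em]=HASH_PLACEHOLDER&ud[ph]=HASH_PLACEHOLDER"
    "&cd[content_name]=Self-test%20kit&cd[value]=249",
    "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView"
    "&ud[fn]=HASH_PLACEHOLDER",
    "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=ViewContent"
    "&cd[content_ids]=%5B%22sku-1234%22%5D",
    "https://example.com/api/cart",
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_URLS):
        print(finding)
```

Run the audit against a HAR export or proxy log of a checkout session; any "high" finding means identity and purchase data left the site in one request, which is exactly the exposure IMY sanctioned.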

These are similar to the findings in the sanction against Avanza Bank, about which I wrote here.

I’m disappointed that IMY did not look into Meta’s responsibility at all – there’s no consideration of whether Meta is a joint controller, of what consequences the default activation of AAM has, nothing. Is this really that far from the Fashion ID case, which involved Facebook Like buttons and was found to result in joint controllership? I think not – in my view, whenever websites use third-party tools (the Facebook Like button in Fashion ID, the Meta Pixel here) to collect user data and transmit it to Meta, they become joint controllers for the data collection.


Outcomes and Remediation

Per IMY, both companies have since improved their data protection policies, enhancing their internal procedures and security protocols to prevent future occurrences. The fines were proportional to the number of affected customers and the severity of the breaches, with Apoteket facing the larger penalty due to the scale of the incident.

You can read the press release here, the Apoteket decision here, and the Apohem decision here (in Swedish).
