
IMY tracker fines in Sweden: 85 MSEK across five decisions

May 6, 2026 / 9 min read
By Vakteye Team

Between June 2023 and August 2024, the Swedish Authority for Privacy Protection (IMY) issued five separate fines to Swedish companies for tracker and consent violations. Three involved Meta Pixel transmitting personal data without valid consent (Apoteket, Apohem, Avanza). One involved profiling for direct marketing without consent (Bonnier News/Dagens Industri). One involved Google Analytics third-country transfers (Tele2). The fines total 85 million SEK. Every decision is final.

This article is the verified record. Every claim below is anchored to the IMY decision URL and the official reference number. If anything changes in the source, this article is wrong — the source wins.

The five decisions, side by side

  • Apoteket AB — IMY-2022-3270, decided 2024-08-29. Fine: 37,000,000 SEK (~3.36M EUR). Articles: GDPR Art 6(1)(a), LEK 9 ch. §28, ePrivacy Art 5(3). Source: imy.se/tillsyner/apoteket/
  • Apohem AB — IMY-2022-3272, decided 2024-08-29. Fine: 8,000,000 SEK (~727k EUR). Articles: same as Apoteket. Source: imy.se/tillsyner/apohem/
  • Avanza Bank AB — DI-2021-5544, decided 2024-06-24. Fine: 15,000,000 SEK (~1.36M EUR). Articles: GDPR Art 5(1)(f) + Art 32(1) (Meta Pixel security failure — IMY characterised this as a security violation, not an Art 33 breach-notification case; LEK 9 kap. 28 § was found NOT to apply). 500,001 to 1,000,000 customers affected. Source: imy.se/tillsyner/avanza/
  • Dagens Industri (Bonnier News AB) — DI-2022-2178, decided 2023-06-26. Fine: 13,000,000 SEK (~1.18M EUR). Articles: GDPR Art 6(1)(a) (profiling for direct marketing, telemarketing and direct mail without valid consent — NOT a Meta Pixel case). Source: imy.se/tillsyner/bonnier-news-ab/
  • Tele2 Sverige AB — DI-2022-2175, decided 2023-06-30. Fine: 12,000,000 SEK (~1.09M EUR). Articles: GDPR Art 6(1)(a), Art 44 (Google Analytics third-country transfer — distinct from Meta Pixel cluster). Source: imy.se/tillsyner/tele2-sverige-ab-tele2.se/

These five decisions across 2023–2024 are IMY's tracker-and-consent enforcement cluster. Bonnier News (Dagens Industri) and Tele2 were decided in late June 2023 (Bonnier was profiling for direct marketing/telemarketing/mail without consent; Tele2 was a separate Google Analytics third-country-transfer case under Art 44). Avanza followed on 24 June 2024 (Meta Pixel security failure under Art 5(1)(f) + Art 32(1) — not a consent or breach-notification case). Apoteket and Apohem were decided together on 29 August 2024 (Meta Pixel consent failures involving health data).

What the Meta Pixel actually did

Meta Pixel is a JavaScript snippet that loads inside the browser when a visitor opens a page. When the page loads, the script reads details about the page (URL, page title, button clicks, form events) and sends them as HTTP requests to facebook.com/tr. If the visitor is logged in to Facebook, Meta links those requests to that visitor's Facebook profile.

The technical mechanism is the same on every site. What differed across the five cases was the type of data leaving the browser:

  • Apoteket and Apohem: search queries for prescription medications. Health-related browsing (GDPR Art 9 special category data territory).
  • Avanza: a programming error caused customer financial data — including amounts and product searches — to leak to the Pixel for ~500,000 customers between November 2020 and June 2021.
  • Dagens Industri: subscriber browsing patterns and reading behavior used for advertising profiling.
  • Tele2: browsing activity on the customer-account portion of tele2.se without separate consent for tracking.

The legal violation is not having a Meta Pixel. The violation is loading it (and letting it transmit) without a valid legal basis. For most consumer sites that legal basis can only be the visitor's prior, informed, freely given consent under GDPR Art 6(1)(a) and ePrivacy Art 5(3) — implemented in Sweden as LEK 9 kap. §28.

Why two different article paths

The five decisions split into two patterns by the articles IMY chose to apply:

Path A — consent failure (Apoteket, Apohem, DI, Tele2)

The pixel ran without valid consent. IMY applied GDPR Art 6(1)(a) (consent as the legal basis that was missing) and, in two of the four cases, also Art 32 (security of processing). Apoteket and Apohem additionally invoked LEK 9 kap. §28 — Sweden's transposition of ePrivacy Art 5(3), the cookies/storage-access consent rule.

Path B — security failure (Avanza)

Avanza had a coding mistake — the Pixel was misconfigured and transmitted financial data it should never have touched. IMY framed this primarily as a security breach: GDPR Art 32 (insufficient technical measures) plus Art 33 (failure to notify the data breach within 72 hours, since the company spotted the leak in June 2021 but did not file a breach notification at the time).

The path matters because it changes what "compliance" looks like operationally:

  • Path A defects are caught by testing your consent banner: does the Pixel run before consent? Does it stop on reject? Does the consent banner exist at all on this page?
  • Path B defects are caught by reviewing what the Pixel is actually configured to send. Avanza's banner was not the issue — the data flowing through the Pixel was the issue.

A complete audit covers both paths. A consent banner test will not catch an Avanza-style misconfiguration. A code review of the Pixel configuration will not catch an Apoteket-style consent failure.

How IMY proves it

IMY's decisions describe the evidence pattern. In each case the authority loaded the live website, observed network traffic, and matched outbound requests to facebook.com/tr against the documented consent state. When the requests fired before consent — or after the user clicked reject — the violation was demonstrated by reproducible network logs.

This is the same method any external auditor (or competitor's lawyer) can use. It does not require access to your servers, your CRM, or your consent management platform's database. The browser tells the truth.

If your site loads the Meta Pixel, open DevTools right now, filter Network for 'facebook.com/tr', reload the page without clicking the consent banner, and look. If requests fire before you've consented, you are reproducing exactly what IMY observed in the five cases above.

The fine math

GDPR Art 83(5) sets the upper bound for consent and lawfulness violations at the higher of 20,000,000 EUR or 4% of worldwide annual turnover. The IMY fines in this cluster are far below that ceiling — IMY exercises judgment proportional to the controller's revenue and the scale of the violation.

Looking at the spread:

  • Apoteket: 37M SEK on a state-owned pharmacy with health data — highest in the cluster, consistent with Art 9 sensitivity.
  • Avanza: 15M SEK on a financial services breach affecting ~500,000 customers — sized to security failure scope.
  • DI/Tele2: 12-13M SEK each on consumer-facing media/telecom companies — mid-range.
  • Apohem: 8M SEK — smaller pharmacy, smaller business, same pattern.

Note that pharmacy fines exceed media fines despite Apohem being a smaller company than Tele2. The presence of health data (Art 9 special-category) drove the multiplier even when the company itself was small.

Test your own Pixel posture in 90 seconds

The Vakteye platform reproduces IMY's evidence-gathering method: it opens your live site, watches outbound network traffic, clicks reject on your consent banner, and verifies the Pixel actually stops. Findings are mapped to the GDPR articles cited in the five cases above. For the consent-banner side of the same enforcement, see IMY's 2025 cookie decisions (/insights/imy-cookie-crackdown-2025).

What the cluster does not say

Three things the five decisions do not establish, even though they are sometimes claimed:

  • They do not say Meta Pixel is illegal. They say running it without a valid legal basis is illegal. The Pixel is lawful with valid consent and proper data minimization.
  • They do not invalidate consent management platforms. CMPs that block the Pixel before consent and stop it on reject can be compliant. The fines hit sites where the CMP either did not exist, did not block the Pixel, or did not propagate the reject signal.
  • They do not all cite the same article. Treating all five as "Article 6(1)(a) cases" is wrong — Avanza is primarily an Art 32 + Art 33 case. The legal basis for the fine is not interchangeable with the technical fix.

What this means if your site has a Pixel

Three concrete checks, each runnable today:

  1. Run your site with a fresh browser profile. Without clicking the consent banner, observe network requests. Any request to facebook.com/tr before a consent action is a Path A defect.
  2. Click reject on the consent banner. Wait 5 seconds. Reload. Observe again. If the Pixel runs after reject, that is also a Path A defect — a CMP that does not propagate the reject signal.
  3. Inspect the Pixel's actual payload. Look at one network request to facebook.com/tr in DevTools, decode the payload, and check what is in the custom data fields. If anything beyond the bare page URL is in there — search terms, customer IDs, financial values — you have an Avanza-style Path B exposure.
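
The three checks above (and the DevTools check described earlier) can be run over a saved HAR export instead of by eye. The script below is an added example, not Vakteye's or IMY's tooling. It assumes the Pixel carries the event name in ev, the page URL in dl and custom data in cd[...] parameters, and that the tester supplies the consent timeline; auditPixel, sampleHar and sampleConsent are hypothetical names, and the sample data is constructed.

```javascript
// Added example: audit a DevTools HAR export for Meta Pixel requests.
// Assumptions: custom data travels as cd[<name>] parameters, the page URL as dl,
// the event name as ev; the consent timeline is supplied by the tester.
const PIXEL_HOSTS = new Set(['facebook.com', 'www.facebook.com']);

function pixelParams(entry) {
  const url = new URL(entry.request.url);
  if (!PIXEL_HOSTS.has(url.hostname) || !/^\/tr\/?$/.test(url.pathname)) return null;
  const params = new URLSearchParams(url.search);
  // The Pixel can also POST a form-encoded body; merge it into the same view.
  const body = entry.request.postData && entry.request.postData.text;
  if (body) for (const [k, v] of new URLSearchParams(body)) params.append(k, v);
  return params;
}

function pageUrlParams(dl) {
  try { return [...new URL(dl).searchParams.keys()]; } catch { return []; }
}

// consent: { action: 'none' | 'accept' | 'reject', at: ISO time or null }
function auditPixel(har, consent) {
  const findings = [];
  const decidedAt = consent.at ? Date.parse(consent.at) : Infinity;
  for (const entry of har.log.entries) {
    const params = pixelParams(entry);
    if (!params) continue;
    const event = params.get('ev') || 'unknown';
    const t = Date.parse(entry.startedDateTime);
    // Path A: fired before any consent action, or after an explicit reject.
    if (t < decidedAt) findings.push({ path: 'A', reason: 'before-consent', event });
    else if (consent.action === 'reject') findings.push({ path: 'A', reason: 'after-reject', event });
    // Path B: anything beyond the bare page URL (custom data, query strings in dl).
    const fields = [...params.keys()].filter((k) => /^cd\[.+\]$/.test(k));
    for (const k of pageUrlParams(params.get('dl') || '')) fields.push('dl?' + k);
    if (fields.length) findings.push({ path: 'B', reason: 'extra-data', event, fields });
  }
  return findings;
}

// Constructed sample: the visitor clicks reject at 10:00:05.
const sampleConsent = { action: 'reject', at: '2026-01-01T10:00:05.000Z' };
const sampleHar = { log: { entries: [
  { startedDateTime: '2026-01-01T10:00:01.000Z', request: { method: 'GET',
    url: 'https://www.facebook.com/tr/?id=0000000000&ev=PageView&dl=https%3A%2F%2Fshop.example%2F' } },
  { startedDateTime: '2026-01-01T10:00:09.000Z', request: { method: 'GET',
    url: 'https://www.facebook.com/tr/?id=0000000000&ev=Search&dl=https%3A%2F%2Fshop.example%2Fs%3Fq%3Dx&cd%5Bsearch_string%5D=x&cd%5Bvalue%5D=100' } },
  { startedDateTime: '2026-01-01T10:00:09.500Z', request: { method: 'GET', url: 'https://cdn.example/app.js' } },
] } };
console.log(JSON.stringify(auditPixel(sampleHar, sampleConsent), null, 2));
```

To use it on a real capture, save the Network panel as a HAR file, parse it with JSON.parse, and pass the time you clicked the banner as consent.at.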

If any of these fail, you are not yet at IMY's door — but you are reproducing exactly the conditions IMY observed in five cases that resulted in fines totaling 85 million SEK. Fixing this is cheaper than the smallest fine in the cluster.

Verifiable totals: Apoteket 37M + Avanza 15M + DI 13M + Tele2 12M + Apohem 8M = 85,000,000 SEK across five final IMY decisions. Source: imy.se/tillsyner/ pages linked above. All decisions re-verified against the IMY canonical record on 2026-05-08.

Bottom line

IMY's Meta Pixel cluster is the clearest enforcement signal in the Swedish GDPR record. Five fines, two distinct legal pathways, one consistent pattern: the Pixel transmitted personal data without a valid legal basis, and the auditor caught it by watching the browser do what it was configured to do.

If your site has a Meta Pixel, you cannot rely on "we have a consent banner." The five fined companies all had banners. What mattered was whether the banner actually controlled the Pixel — or whether the Pixel ran anyway. That is a five-minute test, and it is the same test IMY runs.

From banner to behavior

Vakteye verifies that your consent banner actually stops trackers, not just that it exists. Every finding is mapped to the cited GDPR article and the relevant Swedish enforcement precedent.
