Between June 2023 and June 2024 the Swedish Authority for Privacy Protection (IMY, Integritetsskyddsmyndigheten) issued five separate fines to Swedish companies for the same underlying problem: a Meta Pixel on the website that transmitted personal data to Meta/Facebook without a valid legal basis. The fines total 85 million SEK. Every decision is final.
This article is the verified record. Every claim below is anchored to the IMY decision URL and the official reference number. If anything changes in the source, this article is wrong — the source wins.
The five decisions, side by side
- Apoteket AB — DI-2023-13015, decided 2024-06-17. Fine: 37,000,000 SEK (~3.36M EUR). Articles: GDPR Art 6(1)(a), LEK 9 kap. §28, ePrivacy Art 5(3). Source: imy.se/tillsyner/apoteket/
- Apohem AB — DI-2023-13016, decided 2024-06-17. Fine: 8,000,000 SEK (~727k EUR). Articles: same as Apoteket. Source: imy.se/tillsyner/apohem/
- Avanza Bank AB — DI-2022-2177, decided 2023-06-27. Fine: 15,000,000 SEK (~1.36M EUR). Articles: GDPR Art 32, Art 33. Source: imy.se/tillsyner/avanza/
- Dagens Industri (Bonnier News AB) — DI-2022-2178, decided 2023-06-27. Fine: 13,000,000 SEK (~1.18M EUR). Articles: GDPR Art 6(1)(a), Art 32. Source: imy.se/tillsyner/bonnier-news-ab/
- Tele2 Sverige AB — DI-2022-2175, decided 2023-06-27. Fine: 12,000,000 SEK (~1.09M EUR). Articles: GDPR Art 6(1)(a), Art 32. Source: imy.se/tillsyner/tele2-sverige-ab-tele2.se/
Three of these (Avanza, DI, Tele2) were decided on the same day, June 27, 2023, as part of a coordinated enforcement wave. The pharmacy pair (Apoteket, Apohem) was decided exactly one year later on June 17, 2024.
What the Meta Pixel actually did
Meta Pixel is a JavaScript snippet that runs in the visitor's browser when a page loads. The script reads details about the page (URL, page title, button clicks, form events) and sends them as HTTP requests to facebook.com/tr. If the visitor is logged in to Facebook, Meta links those requests to that visitor's Facebook profile.
The technical mechanism is the same on every site. What differed across the five cases was the type of data leaving the browser:
- Apoteket and Apohem: search queries for prescription medications. Health-related browsing, which sits in GDPR Art 9 special-category data territory.
- Avanza: a programming error caused customer financial data — including amounts and product searches — to leak to the Pixel for ~500,000 customers between November 2020 and June 2021.
- Dagens Industri: subscriber browsing patterns and reading behavior used for advertising profiling.
- Tele2: browsing activity on the customer-account portion of tele2.se without separate consent for tracking.
The legal violation is not having a Meta Pixel. The violation is loading it (and letting it transmit) without a valid legal basis. For most consumer sites that legal basis can only be the visitor's prior, informed, freely given consent under GDPR Art 6(1)(a) and ePrivacy Art 5(3) — implemented in Sweden as LEK 9 kap. §28.
Why two different article paths
The five decisions split into two patterns by the articles IMY chose to apply:
Path A — consent failure (Apoteket, Apohem, DI, Tele2)
The pixel ran without valid consent. IMY applied GDPR Art 6(1)(a) (consent as the legal basis that was missing) and, in two of the four cases, also Art 32 (security of processing). In the Apoteket and Apohem decisions IMY additionally invoked LEK 9 kap. §28 — Sweden's transposition of ePrivacy Art 5(3), the cookies/storage-access consent rule.
Path B — security failure (Avanza)
Avanza had a coding mistake — the Pixel was misconfigured and transmitted financial data it should never have touched. IMY framed this primarily as a security breach: GDPR Art 32 (insufficient technical measures) plus Art 33 (failure to notify the data breach within 72 hours, since the company spotted the leak in June 2021 but did not file a breach notification at the time).
The path matters because it changes what "compliance" looks like operationally:
- Path A defects are caught by testing your consent banner: does the Pixel run before consent? Does it stop on reject? Does the consent banner exist at all on this page?
- Path B defects are caught by reviewing what the Pixel is actually configured to send. Avanza's banner was not the issue — the data flowing through the Pixel was the issue.
A complete audit covers both paths. A consent banner test will not catch an Avanza-style misconfiguration. A code review of the Pixel configuration will not catch an Apoteket-style consent failure.
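The operational difference between the two paths shows up in how the Pixel is wired to the consent banner. The following is an added example, not code from the article, from Meta or from any of the fined sites: the stock "fire on page load" pattern that produces a Path A defect, beside a consent-gated loader whose decision logic is a pure function so it can be tested outside a browser. The pixel id is a placeholder; `fbq('consent', 'revoke')` and `fbq('consent', 'grant')` are commands from Meta's pixel API as I know it, and the example assumes the page already defines the `fbq` queue function from the standard snippet (minus its `init`/`track` lines).

```javascript
// Added example (not from the article, Meta, or any fined site): gating the Meta
// Pixel on the CMP's consent state. Decision logic is pure; DOM work is isolated.

const CONSENT = Object.freeze({ UNKNOWN: 'unknown', GRANTED: 'granted', REJECTED: 'rejected' });

// Path A defect, for contrast: the stock snippet pasted into <head> initialises
// and fires PageView the moment it executes, so facebook.com/tr is hit before
// the banner is even rendered. Shown only to make the difference concrete.
function loadPixelUnconditionally(pixelId, fbq) {
  fbq('init', pixelId);
  fbq('track', 'PageView');
  return true; // fired regardless of consent
}

// Pure decision table: what should the integration do for this consent state?
//   'load'   -> start (or resume) the pixel and fire PageView
//   'revoke' -> pixel is running but consent was withdrawn; silence it
//   'none'   -> no change. UNKNOWN (banner not answered) is deliberately 'none':
//               absence of a reject is not consent under Art 6(1)(a).
function pixelAction(consentState, running) {
  if (consentState === CONSENT.GRANTED) return running ? 'none' : 'load';
  if (consentState === CONSENT.REJECTED) return running ? 'revoke' : 'none';
  return 'none';
}

// Browser-side script injection (assumed URL of Meta's pixel library). Only
// called from within a real page; never executed at module load.
function injectPixelScriptIntoDocument(doc) {
  const s = doc.createElement('script');
  s.async = true;
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  doc.head.appendChild(s);
}

// Stateful wrapper the CMP calls on every consent change. `fbq` and the script
// injector are injected so the same logic runs under Node and in the browser.
class ConsentGatedPixel {
  constructor(pixelId, fbq, injectScript) {
    this.pixelId = pixelId;
    this.fbq = fbq;
    this.injectScript = injectScript;
    this.injected = false; // library loaded and init issued at least once
    this.running = false;  // currently allowed to send events
  }
  onConsent(state) {
    const action = pixelAction(state, this.running);
    if (action === 'load') {
      if (!this.injected) {
        this.injectScript();
        this.fbq('init', this.pixelId);
        this.injected = true;
      } else {
        this.fbq('consent', 'grant'); // re-enable after an earlier revoke
      }
      this.fbq('track', 'PageView');
      this.running = true;
    } else if (action === 'revoke') {
      // Stops further events; it does not recall requests already sent.
      this.fbq('consent', 'revoke');
      this.running = false;
    }
    return action;
  }
}

// Stand-alone demo: a recording fbq shows exactly which commands each path issues.
function demo() {
  const issued = [];
  const record = (...args) => issued.push(args.join(' '));
  const pixel = new ConsentGatedPixel('PIXEL_ID_PLACEHOLDER', record, () => issued.push('inject fbevents.js'));
  [CONSENT.UNKNOWN, CONSENT.REJECTED, CONSENT.GRANTED, CONSENT.REJECTED, CONSENT.GRANTED].forEach(s => pixel.onConsent(s));
  return issued;
}
console.log(demo().join('\n'));
```

The gate never loads on UNKNOWN, so the "reload without touching the banner" test in the article produces no request to facebook.com/tr; on reject after grant it revokes rather than silently continuing, which is the CMP-propagation failure the Tele2 and DI decisions describe. Whether the revoke actually silences the Pixel in a given deployment is still something to confirm in DevTools, as the article says.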
How IMY proves it
IMY's decisions describe the evidence pattern. In each case the authority loaded the live website, observed network traffic, and matched outbound requests to facebook.com/tr against the documented consent state. When the requests fired before consent — or after the user clicked reject — the violation was demonstrated by reproducible network logs.
This is the same method any external auditor (or competitor's lawyer) can use. It does not require access to your servers, your CRM, or your consent management platform's database. The browser tells the truth.
If your site loads the Meta Pixel, open DevTools right now, filter Network for 'facebook.com/tr', reload the page without clicking the consent banner, and look. If requests fire before you've consented, you are reproducing exactly what IMY observed in the five cases above.
The fine math
GDPR Art 83(5) sets the upper bound for consent and lawfulness violations at the higher of 20,000,000 EUR or 4% of worldwide annual turnover. The IMY fines in this cluster are far below that ceiling — IMY exercises judgment proportional to the controller's revenue and the scale of the violation.
Looking at the spread:
- Apoteket: 37M SEK on a state-owned pharmacy with health data — highest in the cluster, consistent with Art 9 sensitivity.
- Avanza: 15M SEK on a financial services breach affecting ~500,000 customers — sized to security failure scope.
- DI 13M SEK and Tele2 12M SEK on consumer-facing media/telecom companies — mid-range.
- Apohem: 8M SEK — smaller pharmacy, smaller business, same pattern.
Note that pharmacy fines exceed media fines despite Apohem being a smaller company than Tele2. The presence of health data (Art 9 special-category) drove the multiplier even when the company itself was small.
Test your own Pixel posture in 90 seconds
Vakteye's scanner reproduces IMY's evidence-gathering method: it opens your live site, watches outbound network traffic, clicks reject on your consent banner, and verifies the Pixel actually stops. Findings are mapped to the GDPR articles cited in the five cases above.
What the cluster does not say
Three things the five decisions do not establish, even though they are sometimes claimed:
- They do not say Meta Pixel is illegal. They say running it without a valid legal basis is illegal. The Pixel is lawful with valid consent and proper data minimization.
- They do not invalidate consent management platforms. CMPs that block the Pixel before consent and stop it on reject can be compliant. The fines hit sites where the CMP either did not exist, did not block the Pixel, or did not propagate the reject signal.
- They do not all cite the same article. Treating all five as "Article 6(1)(a) cases" is wrong — Avanza is primarily an Art 32 + Art 33 case. The legal basis for the fine is not interchangeable with the technical fix.
What this means if your site has a Pixel
Three concrete checks, each runnable today:
1. Run your site with a fresh browser profile. Without clicking the consent banner, observe network requests. Any request to facebook.com/tr before a consent action is a Path A defect.
2. Click reject on the consent banner. Wait 5 seconds. Reload. Observe again. If the Pixel runs after reject, that is also a Path A defect — a CMP that does not propagate the reject signal.
3. Inspect the Pixel's actual payload. Look at one network request to facebook.com/tr in DevTools, decode the payload, and check what is in the custom data fields. If anything beyond the bare page URL is in there — search terms, customer IDs, financial values — you have an Avanza-style Path B exposure.
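The three checks above, and the evidence method described under "How IMY proves it", can be run offline over a captured session instead of by eye in DevTools. The following is an added example, not IMY's tooling and not code from the article: it takes a time-ordered list of network requests and consent actions (here a constructed sample; in practice exported from the DevTools Network panel), flags every facebook.com/tr hit made while consent was not granted (Path A, checks 1 and 2), and classifies what each hit carries beyond the page URL (Path B, check 3). The query-string keys `id`, `ev`, `dl`, `cd[...]` and `ud[...]` are the Pixel's conventions as I know them; the pixel id and all URLs are placeholders, and a URL-encoded POST body can be fed to the same parser.

```javascript
// Added example (not IMY's method in code form, not from the article): offline
// audit of a captured browser session for Path A and Path B Meta Pixel defects.

// Recognise a Meta Pixel hit: any facebook.com host, path /tr or /tr/.
function isPixelHit(url) {
  const u = new URL(url);
  return /(^|\.)facebook\.com$/.test(u.hostname) && /^\/tr\/?$/.test(u.pathname);
}

// Pull the fields that matter out of one hit. Anything not recognised is kept
// under `other` so the audit never silently drops a parameter.
function parsePixelHit(url) {
  if (!isPixelHit(url)) return null;
  const hit = { pixelId: null, event: null, pageUrl: null, customData: {}, userData: [], other: {} };
  for (const [key, value] of new URL(url).searchParams) {
    let m;
    if (key === 'id') hit.pixelId = value;
    else if (key === 'ev') hit.event = value;
    else if (key === 'dl') hit.pageUrl = value;              // document location: the baseline
    else if ((m = key.match(/^cd\[(.+)\]$/))) hit.customData[m[1]] = value;
    else if ((m = key.match(/^ud\[(.+)\]$/))) hit.userData.push(m[1]); // advanced-matching keys
    else hit.other[key] = value;
  }
  return hit;
}

// Path B (check 3): everything beyond the page URL is a candidate for data that
// should not have left the browser; label the kinds the article names.
function classifyExposure(hit) {
  const findings = [];
  for (const [field, value] of Object.entries(hit.customData)) {
    let kind = 'other';
    if (/search|query|term/i.test(field)) kind = 'search-term';
    else if (/^(value|currency|price|amount)$/i.test(field)) kind = 'financial';
    else if (/(^|_)id$|customer|user/i.test(field)) kind = 'identifier';
    findings.push({ field, value, kind });
  }
  for (const field of hit.userData) findings.push({ field: `ud[${field}]`, value: '(hashed)', kind: 'identifier' });
  return findings;
}

// Path A (checks 1 and 2): walk the timeline. A hit is a defect unless consent
// was granted at that moment; 'unknown' (banner not answered) is not consent.
function auditTimeline(events) {
  let consent = 'unknown';
  const pathA = [];
  const pathB = [];
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.type === 'consent') { consent = e.action; continue; }
    const hit = parsePixelHit(e.url);
    if (!hit) continue; // first-party or unrelated third-party request
    if (consent !== 'granted') {
      pathA.push({ t: e.t, event: hit.event, reason: consent === 'rejected' ? 'after-reject' : 'before-consent' });
    }
    for (const f of classifyExposure(hit)) pathB.push({ t: e.t, event: hit.event, ...f });
  }
  return { pathA, pathB };
}

// Constructed sample session (not real traffic). t = ms since navigation start.
const SAMPLE_SESSION = [
  { t: 120, type: 'request', url: 'https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView&dl=https%3A%2F%2Fshop.example%2F' },
  { t: 3000, type: 'consent', action: 'rejected' },
  { t: 3500, type: 'request', url: 'https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=Search&dl=https%3A%2F%2Fshop.example%2Fsearch&cd%5Bsearch_string%5D=example+medication' },
  { t: 3600, type: 'request', url: 'https://shop.example/api/search?q=example' },
  { t: 9000, type: 'consent', action: 'granted' },
  { t: 9100, type: 'request', url: 'https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=Purchase&dl=https%3A%2F%2Fshop.example%2Fcheckout&cd%5Bvalue%5D=499&cd%5Bcurrency%5D=SEK&cd%5Bcustomer_id%5D=C-1042' },
];

function runSampleAudit() {
  return auditTimeline(SAMPLE_SESSION);
}
console.log(JSON.stringify(runSampleAudit(), null, 2));
```

On the sample, the PageView at 120 ms is a before-consent defect, the Search at 3500 ms is an after-reject defect that also leaks a search term, and the Purchase after consent is lawful under Path A but still surfaces financial values and a customer id as Path B exposures to review against your data-minimisation decision. The first-party search request is ignored, which is the same filtering the DevTools `facebook.com/tr` filter does.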
If any of these fail, you are not yet at IMY's door — but you are reproducing exactly the conditions IMY observed in five cases that resulted in fines totaling 85 million SEK. Fixing this is cheaper than the smallest fine in the cluster.
Verifiable totals: Apoteket 37M + Avanza 15M + DI 13M + Tele2 12M + Apohem 8M = 85,000,000 SEK across five final IMY decisions. Source: imy.se/tillsyner/ pages linked above. All decisions verified against the IMY canonical record on 2026-05-05.
Bottom line
IMY's Meta Pixel cluster is the clearest enforcement signal in the Swedish GDPR record. Five fines, two distinct legal pathways, one consistent pattern: the Pixel transmitted personal data without a valid legal basis, and the auditor caught it by watching the browser do what it was configured to do.
If your site has a Meta Pixel, you cannot rely on "we have a consent banner." The five fined companies all had banners. What mattered was whether the banner actually controlled the Pixel — or whether the Pixel ran anyway. That is a five-minute test, and it is the same test IMY runs.
From banner to behavior
Vakteye verifies that your consent banner actually stops trackers, not just that it exists. Every finding is mapped to the cited GDPR article and the relevant Swedish enforcement precedent.
Run a free Pixel audit