SEK 45 million. That's what it cost two Swedish pharmacies to have Meta Pixel installed on their websites.
— IMY decisions against Apoteket AB (37 MSEK) and Apohem AB (8 MSEK), August 2024
Apoteket alone estimated that up to 930,000 individuals were affected, with Apohem reporting approximately 15,000 more. Their medication purchases, sexual health product searches, and prescription queries were transmitted to Meta's advertising servers. No hack, no breach. A marketing team installed a JavaScript snippet and didn't understand what it was sending.
What happened
Apoteket AB, Sweden's largest pharmacy chain, and Apohem AB, an online pharmacy, both had Meta Pixel (formerly Facebook Pixel) deployed on their websites. The pixel tracked user behavior across the site, including product pages for prescription medications, sexual health products, and other health-related items.
Meta Pixel works by sending event data back to Meta every time a user takes an action: viewing a page, adding to cart, completing a purchase. On a clothing store, that means Meta learns you looked at a jacket. On a pharmacy website, it means Meta learns you searched for antidepressants.
IMY's investigation found that the data transmitted included product names, categories, and purchase events. This data, combined with the user identifiers Meta Pixel collects, constituted health data under GDPR Article 9, a special category of personal data with the highest level of protection.
How Meta Pixel actually works
To understand this fine, you need to know how Meta Pixel works technically. When you install it, you add a JavaScript snippet to your site. That snippet does several things.
- Drops a _fbp cookie that identifies the browser across sessions.
- Matches the visitor to a Facebook/Instagram profile using fbclid parameters, email hashes, or phone hashes.
- Sends every page URL, including query parameters, to Meta's servers (graph.facebook.com).
- Transmits standard events (PageView, ViewContent, AddToCart, Purchase) with associated metadata.
- On pharmacy sites, this metadata included product names (specific medication brands) and health product categories.
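To make the leak concrete, here is an added example (not Meta's code and not from the original article) that builds the query string a ViewContent event would carry from a pharmacy product page, beside a data-minimising builder that refuses to fire before consent, strips the page URL's query string, and sends nothing at all for Article 9 product pages. The page context, the `_fbp` value and the sensitive-category word list are constructed; the parameter names (`ev`, `dl`, `cd[...]`) mirror the ones Meta Pixel requests use.

```javascript
// Added example: what a pixel-style ViewContent event carries from a pharmacy
// product page, and a minimised builder that avoids sending Article 9 data.
// Page context and the _fbp value below are constructed sample data.

// Constructed word list for categories that reveal health status (Article 9).
const SENSITIVE_TERMS = /antidepress|hiv|contracept|sexual|mental|prescription/i;

// Constructed page context, as a tracker scraping the DOM would see it.
const page = {
  url: "https://pharmacy.example/product/1234?q=sertraline&campaign=spring",
  product: { id: "1234", name: "Sertraline 50mg", category: "Antidepressants" },
  fbp: "fb.1.1700000000000.123456789", // value the _fbp cookie would hold
};

// Leaky: everything the page knows is serialised into the tracking request.
function buildLeakyEvent(ctx) {
  const p = new URLSearchParams();
  p.set("ev", "ViewContent");
  p.set("dl", ctx.url);                                // full URL incl. ?q=sertraline
  p.set("fbp", ctx.fbp);                               // cross-session browser id
  p.set("cd[content_ids]", ctx.product.id);
  p.set("cd[content_name]", ctx.product.name);         // reveals the medication
  p.set("cd[content_category]", ctx.product.category); // reveals the condition
  return p.toString();
}

// Minimised: returns null (nothing leaves the browser) before consent or on any
// page whose product reveals health status; otherwise sends only an opaque id
// and the page URL without its query string.
function buildMinimisedEvent(ctx, consentGranted) {
  if (!consentGranted) return null;
  if (SENSITIVE_TERMS.test(ctx.product.category) ||
      SENSITIVE_TERMS.test(ctx.product.name)) return null;
  const u = new URL(ctx.url);
  const p = new URLSearchParams();
  p.set("ev", "ViewContent");
  p.set("dl", u.origin + u.pathname);        // drops ?q=...&campaign=...
  p.set("fbp", ctx.fbp);
  p.set("cd[content_ids]", ctx.product.id);  // opaque id only, no name/category
  return p.toString();
}
```

Run `buildLeakyEvent(page)` and `buildMinimisedEvent(page, true)` side by side: the first carries the medication name, category and search term; the second sends nothing for this page.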
The data leaves the user's browser and arrives at Meta's servers in the United States. From that moment, it is a cross-border transfer of special category personal data with no valid legal basis.
Why this triggered the highest level of scrutiny
Because the transmitted data was Article 9 health data, the case attracted the strictest scrutiny. IMY based the fines on Article 32: failure to implement appropriate technical and organizational security measures to prevent the unauthorized transfer. The involvement of Article 9 special category data elevated the severity of the violation.
Neither Apoteket nor Apohem had adequate safeguards. Their implementations allowed sensitive health data to flow to Meta's servers without appropriate technical controls. IMY found this constituted a failure to ensure the security of processing as required under Article 32.
Health data isn't just medical records. Under GDPR, any data that reveals information about a person's health status, including what medications they browse or purchase, qualifies as special category data under Article 9.
The fine breakdown
- Apoteket AB: SEK 37 million (approximately EUR 3.3 million). Larger fine due to market position, volume of affected individuals, and duration of the violation.
- Apohem AB: SEK 8 million (approximately EUR 720,000). Smaller company, fewer affected individuals, but same fundamental violation.
- Combined: up to 945,000 individuals affected (930,000 via Apoteket, approximately 15,000 via Apohem). Data transmitted over a period of several years before the issue was identified and remediated.
IMY applied fines under GDPR Article 83(4) for the Article 32 security violation. The involvement of special category health data under Article 9 was a significant aggravating factor in determining the fine amounts.
Every site with Meta Pixel has this exposure
If your website has Meta Pixel and you operate in healthcare, insurance, legal services, or any sector where user behavior reveals sensitive information, you have the same exposure. A law firm's website with Meta Pixel leaks what legal topics visitors research. A mental health platform leaks which therapy pages users visit.
Even e-commerce sites outside healthcare are at risk. Product categories can reveal religious beliefs (halal/kosher products), political opinions (party merchandise), or sexual orientation. Any of these constitute special category data under Article 9.
What you need to do
- Audit every third-party tracker on your site. Know exactly what data each one collects and where it sends it.
- Map your data flows. If any tracker transmits data that could reveal health, religion, politics, sexual orientation, or ethnicity, you need explicit consent, not just a cookie banner.
- Review your Meta Pixel configuration. If you use custom events or enhanced matching, check what data fields you're sending.
- Consider server-side alternatives. Server-side tracking gives you control over what data leaves your infrastructure.
- Document everything. If IMY comes knocking, you need to demonstrate you assessed the risk and took appropriate measures.
How Vakteye catches this
Vakteye's network scanner intercepts every outbound request your website makes. We identify third-party tracker endpoints, analyze the data payloads being transmitted, and flag cases where sensitive page context (health, legal, financial) is being sent to advertising platforms.
Our CNAME detection resolves DNS chains to catch trackers disguised as first-party domains. And our consent verification confirms that trackers actually stop when users click reject, not just that the banner disappears.
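The kind of check described above, as an added example that is neither Vakteye's scanner nor Meta's code: it walks a constructed network capture, picks out requests to Meta Pixel endpoints, decodes the page URL (`dl`) and custom data (`cd[...]`) each one carries, and flags health context, query strings, and events that fired before consent was granted. The capture entries, the health word list and the consent states are constructed; the hostnames and parameter names are those Meta Pixel requests typically use and should be adjusted to whatever your own capture shows.

```javascript
// Added example: audit captured outbound requests for Meta Pixel events and
// flag ones carrying health context or fired without consent. The capture
// below is constructed sample data, not a real recording.

const PIXEL_HOSTS = ["www.facebook.com", "graph.facebook.com"];
// Constructed word list; a real audit would use a per-site category map.
const HEALTH_TERMS = /antidepress|sertraline|hiv|contracept|chlamydia|prescription|sexual health/i;

// Constructed capture: t = ms since page load, consent = banner state at that time.
const capture = [
  { t: 120, consent: "none", url: "https://cdn.example/app.js" },
  { t: 300, consent: "none", url: "https://www.facebook.com/tr/?id=111&ev=PageView&dl=https%3A%2F%2Fpharmacy.example%2Fsearch%3Fq%3Dsertraline" },
  { t: 900, consent: "rejected", url: "https://www.facebook.com/tr/?id=111&ev=ViewContent&dl=https%3A%2F%2Fpharmacy.example%2Fp%2F1234&cd%5Bcontent_name%5D=Sertraline+50mg&cd%5Bcontent_category%5D=Antidepressants" },
  { t: 1500, consent: "granted", url: "https://www.facebook.com/tr/?id=111&ev=AddToCart&dl=https%3A%2F%2Fpharmacy.example%2Fp%2F555&cd%5Bcontent_name%5D=Sunscreen+SPF50" },
];

// Returns one finding per pixel request, with the reasons it should be reviewed.
function auditPixelRequests(entries) {
  const findings = [];
  for (const e of entries) {
    const u = new URL(e.url);
    if (!PIXEL_HOSTS.includes(u.hostname)) continue; // not a pixel endpoint
    const q = u.searchParams;
    const pageUrl = q.get("dl") || "";                 // page the event came from
    const custom = {};
    for (const [k, v] of q) {                          // collect cd[...] fields
      const m = k.match(/^cd\[(.+)\]$/);
      if (m) custom[m[1]] = v;
    }
    const text = [pageUrl, ...Object.values(custom)].join(" ");
    const reasons = [];
    if (HEALTH_TERMS.test(text)) reasons.push("health-context");
    if (e.consent !== "granted") reasons.push("fired-" + e.consent);
    if (pageUrl.includes("?")) reasons.push("query-string"); // search terms leak
    findings.push({ t: e.t, event: q.get("ev"), pixelId: q.get("id"), pageUrl, custom, reasons });
  }
  return findings;
}

// A finding with an empty reasons list is a pixel event that fired after
// consent and carried no detected health context.
```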
The Apoteket and Apohem cases could have been prevented with a single scan. The Meta Pixel was visible in the page source, the data transfers were visible in network logs, and the consent mechanism was inadequate. All of this is detectable automatically.
Don't be the next headline
A Meta Pixel GDPR fine can cost millions. Find out what your trackers are sending before IMY does.