Unintentionally leaking data to Meta will get you in trouble

Published 3 February 2025

The Privacy risks of using Meta Pixel

Sharing is not always caring

The Meta Pixel, a widely used tracking tool, allows businesses to analyze customer behavior and optimize their digital marketing efforts. However, its use comes with significant privacy risks, as demonstrated by enforcement actions from the Swedish Data Protection Authority (IMY). Several organizations, including major pharmacies, financial institutions, and healthcare providers, have been found to violate the GDPR due to improper implementation of the Meta Pixel. See how you can use Meta Pixel and still be compliant with the GDPR.

These cases highlight the severe consequences of failing to properly handle personal data when using this tool. This article explores the highest privacy risks associated with Meta Pixel and how businesses can avoid costly regulatory fines.

The Highest Privacy Risks of Using Meta Pixel

1. Unintentional Transfer of Sensitive Data

One of the biggest risks with Meta Pixel is the unintentional transmission of sensitive personal data to Meta. Even when businesses do not explicitly intend to share certain information, technical misconfigurations or Meta’s Automatic Advanced Matching (AAM) feature can result in unauthorized data transfers.

Case Example: Apoteket AB

Apoteket AB, a major Swedish pharmacy, was fined 37 million SEK for transferring personal data to Meta, including personal names, phone numbers, and even personal identification numbers. While the company had attempted to filter out prescription medications, data related to sensitive health products (e.g., pregnancy tests, allergy treatments, and sexual health items) was still shared unintentionally.

Case Example: Avanza Bank

Avanza Bank mistakenly enabled Meta’s AAM function, leading to the sharing of loan amounts, account numbers, and even employer details of its customers. This serious breach of financial privacy resulted in a 15 million SEK fine.
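The common thread in both cases is that nobody looked at what the Pixel was actually sending. The following is an added example (it is not from the original article, nor Meta's own code): a client-side audit hook that wraps the Pixel's `fbq` function, inspects every call for Advanced Matching fields and identifier-like strings (e-mail, Swedish phone numbers, personal identity numbers, SHA-256 hashes), and drops flagged calls unless the site owner's callback explicitly allows them. The regular expressions are constructed approximations, not an exhaustive PII detector.

```javascript
// Added defensive example (not from the article or Meta): wrap window.fbq so
// every Pixel call is inspected before it reaches Meta. Findings are returned
// to the caller, which can allow, block or report the call. Field names follow
// the Pixel's Advanced Matching parameters; the regexes are approximations.
const ADVANCED_MATCHING_KEYS = new Set([
  'em', 'ph', 'fn', 'ln', 'ge', 'db', 'ct', 'st', 'zp', 'country', 'external_id',
]);
const PATTERNS = {
  email: /[^\s@]+@[^\s@]+\.[^\s@]+/,
  phone: /(?:\+46|0)[\s-]?7[\d\s-]{7,12}/, // Swedish mobile number, loosely
  // Swedish personal identity number: (YY)YYMMDD[-+]NNNN with month/day checks
  personnummer: /\b(?:19|20)?\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])[-+]?\d{4}\b/,
  sha256: /^[0-9a-f]{64}$/i, // a hashed identifier is still personal data
};

// Walk any value (object, array or string) and collect findings.
function scanValue(path, value, findings) {
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (ADVANCED_MATCHING_KEYS.has(k)) {
        findings.push({ path: `${path}.${k}`, kind: 'advanced_matching' });
      }
      scanValue(`${path}.${k}`, v, findings);
    }
  } else if (typeof value === 'string') {
    for (const [kind, re] of Object.entries(PATTERNS)) {
      if (re.test(value)) findings.push({ path, kind });
    }
  }
  return findings;
}

// Audit the argument list of one fbq(...) call, e.g. ['track', 'Purchase', {...}].
function auditPixelCall(args) {
  const findings = [];
  args.forEach((a, i) => scanValue(`arg${i}`, a, findings));
  return findings;
}

// Install the hook. onFinding(args, findings) returns true to let a flagged
// call through anyway; otherwise the call is dropped (fail closed).
function installPixelAudit(win, onFinding) {
  const original = win.fbq;
  win.fbq = function (...args) {
    const findings = auditPixelCall(args);
    if (findings.length && !onFinding(args, findings)) return undefined;
    return original ? original.apply(this, args) : undefined;
  };
  return win.fbq;
}
```

Install it before the Pixel base code runs (or re-wrap after it loads) and route the findings to your own logging; this gives the site owner the visibility into outbound Pixel data that the companies above lacked.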

2. Lack of Proper Security Measures

Under GDPR’s Article 32, businesses must implement appropriate technical and organizational security measures to protect personal data. Many companies fined by IMY failed to do so, leading to unauthorized exposure of customer information.

Case Example: Kry International AB

Kry, a digital healthcare provider, used Meta Pixel for marketing but accidentally shared hashed phone numbers and emails of patients. Despite the hashing, the potential for re-identification remained, leading to a reprimand from IMY.

Case Example: Länsförsäkringar AB

Länsförsäkringar, a major financial institution, erroneously activated Meta’s advanced matching function, resulting in the unintentional transfer of contact details (name, phone number, email, and location) from users filling out forms. The lack of internal security controls led to regulatory scrutiny.

3. Failure to Conduct a Risk Assessment

GDPR requires companies to conduct Data Protection Impact Assessments (DPIAs) before implementing tools that could pose high risks to individuals' privacy. Several of the sanctioned companies enabled Meta Pixel without properly assessing the risks of transferring data to a third party.

Case Example: Apohem AB

Apohem, an online pharmacy, enabled Meta Pixel for marketing but failed to realize that customers' names, emails, phone numbers, and purchase history were being shared. Without a proper risk assessment, the company lacked awareness of how its data was processed, leading to an 8 million SEK fine.

4. No Clear Legal Basis for Data Processing

Under Article 6 of GDPR, companies must have a lawful basis for processing personal data. Many of the fined companies relied on cookie consent mechanisms, but these proved insufficient when the data transferred included personal identifiers.

Case Example: Apotea AB

Apotea, another pharmacy, argued that its Meta Pixel use was limited to non-sensitive product marketing. However, due to technical misconfigurations, hashing errors caused personal data to be transferred, leading to IMY intervention.

5. Meta’s Lack of Transparency

A recurring issue in these cases is that Meta’s own filtering mechanisms are not foolproof. Several companies assumed that Meta would automatically remove sensitive data, but there is no way to verify how effectively this is done.

Case Example: Länsförsäkringar AB

The company relied on Meta’s filtering system to prevent unauthorized data processing, but IMY found no sufficient guarantees that the filtering function actually removed all sensitive data before processing.

Conclusion

The Swedish DPA's (IMY) many decisions serve as a critical warning for businesses using Meta Pixel. While the tool offers valuable marketing insights, failure to implement it properly can lead to severe GDPR violations, substantial fines, and reputational damage.

Companies must take a proactive approach to privacy compliance, ensuring they understand how Meta Pixel processes user data and establishing robust security and legal safeguards. Ignorance is no excuse—businesses that handle user data must take responsibility for protecting it.

© 2023 GDPRControl. By Anders Svensson and Jan Ove Skogheim.