The Norwegian Data Protection Authority (DPA), the Datatilsynet, launched a series of investigations into six companies accused of illegally using tracking pixels without consent.
Here’s a look at what these website operators allegedly did wrong, how the Datatilsynet approached enforcement, and six tips from the regulator about managing pixels and other tracking technologies in a legally compliant way.
The investigations
The Datatilsynet investigated six websites processing potentially sensitive personal data relating to health, religion, and children.
Each of the websites was found to have shared personal data with companies such as Meta, which operates Facebook and Instagram, without people’s consent. The companies allegedly used pixels without a legal basis and without fulfilling the GDPR’s transparency obligations.
Five of the websites received a reprimand. The Datatilsynet said that while the alleged legal violations were serious, it appeared that the website operators did not understand the technology. Because the companies cooperated with the Datatilsynet’s investigations, a reprimand was deemed sufficient.
116111.no, a support website for children run by a local government body, received a NOK 250,000 ($24,500) fine. The violations were found to be particularly serious in this case, as the website involved children’s data.
The Datatilsynet states that in future enforcement sweeps, its sanctions might be stricter.
The alleged violations
Across the six websites it investigated, the Datatilsynet found evidence of the following legal violations:
- Giving website visitors incorrect information, falsely claiming that they were anonymous
- Unlawfully sharing special categories of personal data (e.g., relating to health or religious belief) with third parties
- Unlawfully sharing personal data about children with third parties
- “Nudging” visitors to consent to tracking (a form of “dark patterns”)
- Providing misleading, unclear information about the consequences of giving consent.
The nature of pixels means that they can expose a person’s internet browsing history. Sharing such information without consent can be intrusive, particularly when the person is visiting a website of a sensitive nature.
“A person’s browsing history, alone or through combination of data from various sources, often makes it possible to derive private or sensitive personal data,” said a Datatilsynet press release.
Guidance on pixels
Following its enforcement sweep, the Datatilsynet has published guidance about tracking tools. Here’s an overview of the advice:
- Identify all pixels, cookies, and other tracking tools on your website. Ensure you understand how these tools share personal data, and whether the recipient might use that personal data for its own purposes
- Consider what type of person visits your website, and whether it would be reasonable to share this information with third parties at all
- If your service is primarily used by children, the Datatilsynet questions whether using tracking pixels is appropriate at all
- Don’t use “dark patterns” by nudging or misleading users into accepting tracking. If a user rejects tracking, they must still be allowed to use your service
- Provide clear disclosures about what pixels do, both in your consent mechanism (e.g. cookie banner) and in your privacy notice
- Remove any tracking tools from your website if you are unable to control what happens to the data they collect. You are responsible for any pixels, cookies, and similar technologies deployed on your website, even if they are developed by a third party.