Norwegian Data Protection Authority Cracks Down on Unlawful Data Sharing Through Tracking Pixels

Key Takeaways

  • Unlawful Data Sharing: Six websites, including one serving vulnerable children, were found to unlawfully share personal data with third parties through tracking pixels.
  • Administrative Fine: The Norwegian DPA imposed a USD 25,141.75 (NOK 250,000) fine for unlawfully sharing children’s personal data.
  • Lack of Understanding: Many of the websites were unaware of how tracking pixels worked, leading to data privacy violations.
  • New Guidance: The DPA issued updated guidance to help websites comply with GDPR when using tracking tools, aiming to prevent further violations.

Deep Dive

The Norwegian Data Protection Authority (DPA) has uncovered troubling breaches of personal data laws across six websites. These sites, all of which shared personal data without proper consent, are now facing the consequences of their actions. The DPA’s findings reveal that in some cases, sensitive personal information, including that of vulnerable children, was sent to third parties without users’ knowledge, a clear violation of GDPR.

At the heart of this issue are tracking pixels, a tool widely used by websites to gather data on visitors, from their browsing habits to what they put in their shopping carts. When used improperly, tracking pixels can inadvertently reveal deeply personal information, such as health status or even religious beliefs, making this a matter of significant concern for privacy advocates.

Tobias Judin, Head of Section at the Norwegian DPA, explained the gravity of the situation: "All of the websites we inspected made personal data available to third parties without a legal basis. In several cases, this included sensitive data that should have been protected."

The DPA’s inspection targeted six websites that utilize tracking pixels, including:

  • 116111.no – A vital service for vulnerable children, such as those experiencing abuse or violence, looking to connect with a safe adult.
  • apotekfordeg.no – An online pharmacy.
  • bibel.no – A Christian website selling Bibles and publishing religious texts.
  • drdropin.no – A medical services platform.
  • ifengsel.no – A chat service for children with incarcerated parents, run by the Church City Mission.
  • nhi.no – A site offering health information about diseases and conditions.

While the websites varied in their purpose, they all had one thing in common: unwittingly sharing personal data with third parties. In the case of 116111.no, a fine of USD 25,141.75 (NOK 250,000) was imposed due to the unlawful handling of children’s personal data.

The situation has raised concerns about the risks posed by tracking pixels. These small, often unnoticed pieces of code send detailed data about website visitors to external companies. While the technology itself isn't inherently bad, its misuse, such as sharing sensitive data without proper consent or knowledge, is where things go wrong. In this case, visitors' browsing history, alone or combined with data from other sources, could expose sensitive details about health, sexuality, religion, and even vulnerable life situations.

“The findings are serious. At the same time, many of the websites didn’t fully understand how the technology worked or intend to share such information. This is why raising awareness about tracking pixels is crucial,” said Judin.

The 116111.no website, a service designed to support vulnerable children, was hit hardest by the DPA’s findings. The fine, though substantial, was lower than initially expected due to the municipality’s swift cooperation and corrective actions. Kristiansand’s municipality, which operates the service, has since implemented safeguards to prevent such violations in the future, ensuring that visitors' data will be handled with care moving forward.

Despite the severity of the breaches, the DPA showed some leniency in its response. In the other cases, the agency chose to issue reprimands rather than impose fines, recognizing that this was the first inspection of its kind and that the goal was more about raising awareness than penalizing organizations. However, as future inspections ramp up, tougher sanctions could be on the horizon.

To address these concerns, the DPA has issued detailed guidance for website operators, providing a roadmap for complying with GDPR’s requirements around tracking tools. Janne Stang Dahl, the DPA's Communications Director, emphasized the importance of the new guidance: “We want this guidance to help websites exercise more caution when implementing tracking pixels and prevent future violations.”
