The Norwegian Data Protection Authority has carried out an inspection of six websites’ use of tracking pixels. All of the websites unlawfully shared personal data of website visitors with third parties, and in several of the cases, the personal data shared were of a sensitive nature. In one of the cases, we imposed a fine of NOK 250,000.
[…]
The Norwegian Data Protection Authority conducted an inspection of six websites that use tracking pixels:
- 116111.no – a public service for children who are in a vulnerable position, for example who have been subjected to violence or abuse, and who need to talk to a safe adult. The service is operated by the Municipality of Kristiansand.
- apotekfordeg.no – an online pharmacy.
- bibel.no – a Christian website that publishes Bible texts, sells Bibles and accepts donations to the Norwegian Bible Society.
- drdropin.no – a website that offers medical services.
- ifengsel.no – a chat service offered by the Church City Mission for children who have a parent in prison.
- nhi.no – a website that offers information about various diseases, conditions and diagnoses.
— Did not know that they shared information with third parties
A person’s browsing history, alone or through combination of data from various sources, often makes it possible to derive private or sensitive personal data. In the inspections, the Norwegian Data Protection Authority saw examples of websites sharing information that could indirectly say something about the website visitor’s health, sex life and religion. We also saw that several websites shared personal information about children in vulnerable situations.
– The findings are serious. At the same time, we see that many of the websites did not understand the technology or did not mean to share this type of information. It is therefore important for us to raise awareness of the risks associated with tracking pixels,” says Judin.
Administrative fine for children’s website
In the case of the website 116111.no, we have chosen to impose an administrative fine of NOK 250 000. The reason is that this is a public website that has processes children’s personal data unlawfully. Tracking pixels have automatically transmitted information about visitors to the website to a third party, without a legal basis and without providing information to website visitors. However, the fee is lower than originally envisaged, since the Municipality of Kristiansand has cooperated well and effectively, and implemented a number of measures to rectify the issue and prevent similar violations in the future.
The purpose of the inspections is primarily to increase awareness about the use of tracking pixels on websites, and we see that there is a need for guidance on this issue. This time, the corrective measures were mostly mild, and the Data Protection Authority only issued reprimands to the other websites. This is due to the fact that it is the first time we have carried out this type of inspection, and in light of the fact that the purpose of the inspections is awareness-raising. In the future, the sanctions may be much stricter.
The inspection cases uncovered a number of practices that are not in line with the GDPR:
- Website visitors were given incorrect information stating that they were anonymous when in fact they were not.
- Special categories of personal data about visitors were unlawfully made available to third parties.
- Personal information about children were unlawfully made available to third parties.
- Visitors were “nudged” to consent.
- Visitors were given information that was misleading, difficult to understand or that did not explain the consequences of giving consent.
Guidance about tracking tools on websites
We have issued guidance based on the experiences gained through our inspection. In the guidance you can read more about the findings we made, what requirements the law imposes on the use of tracking tools, and what we expect from websites in the future.
– There are many websites out there that have a job to do. We hope our guidance can contribute to greater caution in implementing tracking pixels and prevent further violations in the future, says Communications Director, Janne Stang Dahl.
Source: Datatilsynet.