The Ruling Against Avanza Bank, Apohem and Apoteket Regarding the Meta Pixel

2024-09-24

By: Johan Strand

Senior Digital Analyst


Investigations that began in 2021-2022 were concluded this summer by the Swedish Data Protection Authority, Integritetsskyddsmyndigheten (IMY). The ruling against Avanza Bank, Apoteket AB, and Apohem highlighted significant privacy violations due to their use of the Meta Pixel. A large amount of personal and sensitive data was shared with third parties without the companies’ knowledge, and with inadequate safety measures.

In this first post of a three-part series, we’ll take a closer look at what happened, why it occurred, and how we can protect ourselves from similar outcomes. In upcoming posts, we’ll dive deeper into our findings on the Meta Pixel’s functionality and its usage by companies.

What Do the Court Decisions Say?

In all three cases, a significant amount of personal data (PII) that can identify an individual was collected. Data points range from names, addresses and email addresses to social security numbers and bank account numbers. In the case of the pharmacies, information about interactions with sensitive or prescription medications was also being sent. An aggravating factor is that the companies were unaware that this data sharing was happening and how it occurred. It only came to light when customers reached out after observing in their browsers that large amounts of sensitive data were being shared with Meta.

This was not set up by the companies themselves and was not intentional. Instead, it was the work of two functions in the Meta Pixel: Advanced Automatic Matching and Automatic Events.

  • Advanced Automatic Matching (AAM): This functionality allows the Meta pixel to automatically detect form fields containing personal data, like email addresses, names, or phone numbers. Once these fields are recognized, the pixel transmits this information to Meta’s servers, to help with identifying the user. While this seems like a great way to improve accuracy, the site owner is giving away the control of their customers’ data to a third party vendor.

Note, there is also a feature called Automatic Matching, but that requires you as a site owner to manually set up the collection of PII data in the tag.

The screenshot below is from Meta Business Manager, showing the AAM toggle that, according to the companies, was mistakenly enabled by all three.

  • Automatic Events (AE): This feature enables the pixel to automatically capture user interactions with the website, such as product purchases, add to cart or button clicks, without needing extra manual configuration.

While this might seem like a neat feature, allowing the collection of granular event data without the need for complex tag setups, the downside is that you’re giving up all control over your data collection. In the case of Avanza Bank, certain site elements were misinterpreted by the Meta Pixel as buttons. As a result, when users clicked these elements, sensitive information such as account numbers, balances, shareholdings, and social security numbers was inadvertently transferred, as the pixel mistakenly considered it part of a button.

The screenshot below provides an example where Automatic Events are automatically sending information found within a clicked element.

What is a Tracking Pixel?

Originally a 1x1 pixel, what we now refer to as a tracking pixel is actually a small snippet of JavaScript code embedded into a website to collect data on user interactions and behavior. Companies like Google Analytics & Ads, Meta, Snapchat, TikTok, Bing, and others commonly use tracking pixels. Typically, a website integrates these pixels via a tag manager, such as Google Tag Manager (GTM). When a user visits a page containing a tracking pixel, a request is made to the third party’s server to retrieve the latest version of the JavaScript code. This code then collects information on user behavior and identity, sending it back to the third-party server.

On a site using a tracking pixel added via GTM, a call is first made to retrieve the JavaScript code, which then initiates calls to log the tracked events.

Benefits of Using Tracking Pixels

  • Conversion Tracking: Pixels help businesses understand the effectiveness of their advertising by tracking important actions such as purchases, sign-ups, or add-to-cart events.
  • Audience Creation: Pixels enable the creation of custom audiences for advertising campaigns by identifying users who have previously interacted with the website, improving ad targeting.
  • Ease of Setup: Tracking pixels are typically easy to set up, offering businesses a simple way to integrate tracking without needing heavy technical expertise.

Risks of Tracking Pixels

However, the convenience comes with significant privacy risks:

  • Full Data Access: Pixels have access to all visible content on a site, including any data entered by users, like form fields containing personal information.
  • IP Address Collection: The user’s IP address, a very sticky identifier, will always be shared when you communicate directly with an external server.
  • Low control of data: It’s difficult or even impossible to control what data is available to a pixel, and whether it collects more data than intended.

Using Server-Side Google Tag Manager for Safer Tracking

To mitigate the risks associated with client-side tracking pixels, companies should implement Server-Side Google Tag Manager (GTM), which provides more control over the data being collected and shared.

What is Server-Side GTM?

Server-side GTM allows the tracking data to be processed on a company’s own server before it is shared with third parties like Meta. This ensures that the company has full control over what data is sent, reducing the risk of inadvertently sharing sensitive user information.

The picture below shows how Server-Side GTM acts as a proxy to send tracking information to third parties.

Benefits of Server-Side GTM

  • Data Control: You can control exactly which pieces of data are sent to third parties, such as Meta, preventing unauthorized or excessive data sharing.
  • Privacy Compliance: Since the data is filtered through your server, you can ensure compliance with privacy regulations like GDPR by only sending data that the user has consented to share.
  • Security: By processing the data server-side, you avoid exposing user data to vulnerabilities in the user’s browser, where malicious scripts could intercept or misuse it.
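
The data-control idea above, as an added example that is not from the original post and does not use the GTM template API: a plain Node.js function that a first-party endpoint could run on each browser event before relaying it. The event names, field names, consent flag and value patterns are assumptions made for illustration.

```javascript
// Added example: allowlist filter run on a first-party server before relaying
// an event to an ad platform. Event names, fields and consent flag are assumed.
const ALLOWED = new Map([
  ['page_view', ['page_path']],
  ['add_to_cart', ['product_id', 'value', 'currency']],
  ['purchase', ['order_value', 'currency']],
]);

// Value shapes that are never relayed, even inside an allowlisted field.
const PII_PATTERNS = [
  /[^\s@]+@[^\s@]+\.[^\s@]+/,       // e-mail address
  /\b(?:\d{2})?\d{6}[-+]?\d{4}\b/,  // Swedish personal identity number shape
  /\b\d{4}[- ]?\d{7,10}\b/,         // clearing + account number shape (assumed)
];
const looksLikePii = (v) => PII_PATTERNS.some((re) => re.test(String(v)));

// Returns what may be relayed plus a log of every field that was cut and why.
function filterEvent(event) {
  if (!event.consent || event.consent.marketing !== true) {
    return { forward: false, payload: null, dropped: ['no marketing consent'] };
  }
  const allowedFields = ALLOWED.get(event.name);
  if (!allowedFields) {
    return { forward: false, payload: null, dropped: [`unknown event: ${event.name}`] };
  }
  const payload = { name: event.name };
  const dropped = [];
  for (const [key, value] of Object.entries(event.params || {})) {
    if (!allowedFields.includes(key)) dropped.push(`${key}: not allowlisted`);
    else if (looksLikePii(value)) dropped.push(`${key}: value looks like PII`);
    else payload[key] = value;
  }
  return { forward: true, payload, dropped };
}

// Constructed browser event: legitimate fields plus data a pixel scraped.
const SAMPLE_EVENT = {
  name: 'add_to_cart',
  consent: { marketing: true },
  params: {
    product_id: 'sku-4411', value: 199, currency: 'SEK',
    email: 'anna@example.com',
    button_text: 'Konto 9551-0007731 Saldo 10 000 kr',
  },
};
console.log(filterEvent(SAMPLE_EVENT));
```

The `dropped` list is worth logging server-side: a field that suddenly starts appearing there is an early sign that something in the browser has begun collecting more than intended.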

Getting Started

Setting up Server-Side GTM requires some initial technical expertise, such as configuring server instances, but it can also be outsourced to a consultancy for a quick and safe start. Once set up, it provides a low-cost, scalable solution for managing tracking safely. Today Server-Side GTM can be set up on most cloud providers or on-prem servers, ensuring that the company maintains full control of the data processing.

Conclusion

As the IMY ruling on Avanza Bank, Apoteket AB, and Apohem demonstrates, neglecting the power of tracking technologies like the Meta pixel can lead to serious privacy violations. However, by understanding how these technologies work and implementing solutions like Server-Side GTM, businesses can continue to benefit from data tracking while ensuring compliance with privacy regulations and protecting user data.

If you have any questions, need to audit your site, or require assistance with setting up Server-side GTM, feel free to reach out to us at Ctrl Digital.

Checklist for Working with Tracking (Pixels)

Regardless of whether you continue working with in-browser tracking pixels or migrate to a server-side setup, there are some general rules.

  • Consent: You need the user’s consent to collect personal information and set cookies, regardless of your technical setup.
  • Document: Document what you are collecting and how you are processing data. Keep a log of all decisions your company takes and who took part in the process.
  • Inform the user: Be transparent and inform the user about what is collected, why and how.
  • Make a risk analysis: Compare the risk with the reward: is collecting the data worth it from a business perspective?
  • Restrict permissions: Have a routine for making changes and for who should have the mandate to make them. Restrict access to admin and publish features in tag managers and ad platforms.
  • Monitor & Audit: Monitor the data being sent and conduct regular audits of your site.
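
One way to carry out the Monitor & Audit item, as an added example that is not from the original post: type known test values ("canaries") into the site's forms and pages, export the browser's network log, and search every request to a third-party host for those values. The hostnames, the simplified HAR-style entries and the canary values are constructed for illustration.

```javascript
// Added example: search third-party requests for known test values ("canaries")
// typed into the site during an audit. Hosts, entries and canaries are constructed.
const FIRST_PARTY = ['shop.example'];

function isThirdParty(hostname) {
  return !FIRST_PARTY.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// Undo percent-encoding (up to two layers) and lowercase for comparison.
function decodeLoose(text) {
  let out = text;
  for (let i = 0; i < 2; i++) {
    try { out = decodeURIComponent(out); } catch { break; }
  }
  return out.toLowerCase();
}

// entries: [{ url, body }], simplified from a HAR export's request.url and
// request.postData.text. Values hashed by a tracker are not found by this
// plain-text check; add their digests as extra canaries to cover that case.
function findLeaks(entries, canaries) {
  const findings = [];
  for (const { url, body = '' } of entries) {
    const u = new URL(url);
    if (!isThirdParty(u.hostname)) continue;
    const haystack = decodeLoose(u.search + '\n' + body);
    for (const [label, value] of Object.entries(canaries)) {
      if (haystack.includes(value.toLowerCase())) {
        findings.push({ host: u.hostname, path: u.pathname, label });
      }
    }
  }
  return findings;
}

const CANARIES = { email: 'canary.7f3a@example.com', account: '9551-0007731' };
const SAMPLE_ENTRIES = [
  { url: 'https://shop.example/api/login', body: 'email=canary.7f3a%40example.com' },
  { url: 'https://tracker.example/tr?ev=click&text=Konto%209551-0007731' },
  { url: 'https://tracker.example/tr', body: 'em=canary.7f3a%2540example.com' },
  { url: 'https://fonts.example/css?family=Inter' },
];
console.log(findLeaks(SAMPLE_ENTRIES, CANARIES));
```

Use single-token canaries that cannot occur by chance, so that any hit is unambiguous.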