The Ruling Against Avanza Bank, Apohem and Apoteket Regarding the Meta Pixel - Part 2

2024-10-03

By: Johan Strand

Senior Digital Analyst


Intro

After IMY's ruling against Avanza Bank over its use of the Meta pixel, we received many questions about best practices and decided to dig deeper. You can read the first part of our blog series here.

We therefore decided to audit 35 of Sweden's largest banks and credit institutions, together with companies that provide related financial services such as payment transfers and accounting.

Our primary goal was to learn how these companies use the Meta pixel and how they have configured it. Secondly, we wanted to understand what the Meta pixel is capable of and how a website can, and should, configure it.

Method of the Audit

Questions to Answer

The first step was to establish the questions we wanted to answer:

  • Do they load fbevents.js, the Meta pixel's JavaScript file?
  • If they do, is the Meta pixel configured to automatically collect and send data?

Technical Method

After selecting the companies to review, we visited their public websites. All of them had a cookie consent banner, where we accepted all forms of tracking so that every tracker the site could run would run. We then opened the browser's Network tab to see which requests were made and whether fbevents.js was loaded from Meta's script host, connect.facebook.net.

The next step was to determine how the script was configured and which features were active. We did this in the browser console by inspecting the state of the pixel's global fbq object and the inline snippet that calls it. We will explain this in more detail in the next part of the blog series.

Companies Sampled

We selected Sweden's biggest banks, credit card issuers and large providers of financial services. In every case the review covered only the public sections of their websites, since we could not log in as customers on all of them. They may therefore have stricter controls in the logged-in sections, where more sensitive information is exposed.

The Audit

1. Is fbevents.js, the Meta Pixel's JavaScript File, Loaded on the Site?

The first question is whether companies actually load fbevents.js, the Meta pixel, on their site so that it executes in the user's browser.

Many of them, slightly over one-third, still load the Meta pixel, fbevents.js, directly from Meta's server. An interesting follow-up question is whether the remaining companies reacted to IMY's ruling and stopped using it, or never used it in the first place.

If they have not used it, is that because Meta's channels are not relevant to their marketing, or because of data protection concerns? Unfortunately, we do not have historical data to track how this has developed over time.

2. Is the Meta-pixel Configured to Automatically Collect and Send Personal Data?

Loading the Meta pixel into the browser is not necessarily problematic in itself; what matters is how it is set up and configured.

After reading the ruling against Avanza Bank, Apoteket AB and Apohem, it became clear that two features, Automatic Events and Automatic Advanced Matching, caused the headache by collecting far more information than the companies intended to share. It was not easy to determine if and when these features are active, so we had to take a detour and dive into both the pixel code and Meta's documentation.

Automatic Advanced Matching

The first question was how AAM is activated, and whether you can ensure it does not get activated by mistake.

The first part was simple: AAM is switched on in Meta Business Manager, under the settings for the individual pixel. When the pixel loads in the browser it makes an additional request to connect.facebook.net for its current configuration, and that response tells the pixel whether it is permitted to run AAM and scan the page's form fields for personal identifiers such as e-mail addresses and phone numbers. Meta hashes these values before sending them, but that is pseudonymisation rather than anonymisation: the same e-mail address always produces the same hash, which is precisely what makes the matching work.

At present there is nothing you as a developer can do on the frontend to block this feature; the decision lives entirely in Meta's settings, where one misclick can enable it. We think a frontend override would be a desirable additional technical safeguard, but it is not available today.

The toggle in Meta Business Manager for Automatic Advanced Matching.

Automatic Events

When we tested a brand-new pixel we were surprised: AE was on from the start and immediately collected information about interactions such as button clicks. This happened even though we had not activated anything, and the toggle for the feature in Meta Business Manager was off.

After digging into the documentation we found that the feature is turned off in code, by modifying the snippet Meta provides, rather than in the settings. That is easy to get wrong if you are unaware the feature exists.

Example code for deactivating Automatic Events, also called AutoConfig (from Meta's pixel documentation):

// Additional line to deactivate Automatic Events mode.
// It must come before the init call for the pixel it names.
fbq('set', 'autoConfig', false, 'FB_PIXEL_ID');

// The original Facebook Pixel code below.
fbq('init', 'FB_PIXEL_ID');
fbq('track', 'PageView');
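Both checks in this audit, the Network-tab test for fbevents.js and the search for a correctly placed autoConfig line in the inline snippet, can be scripted against captured data. The following is an added example, not code from the original post or from Meta: it takes the request URLs copied from the browser's Network tab and the page's inline pixel snippet, and reports whether fbevents.js was loaded, whether the pixel's configuration request was seen, and whether Automatic Events was disabled before init. The sample site, pixel ID and request list are constructed; the config-request URL pattern is the one the pixel's own network traffic shows.

```javascript
// Added example (not code from the original post or from Meta): an offline
// version of the two audit checks, run against constructed inputs.

// fbevents.js is served from connect.facebook.net under a locale path.
const FBEVENTS_RE = /^https:\/\/connect\.facebook\.net\/[^?]*\/fbevents\.js/;
// After init, the pixel fetches its server-side configuration for the pixel ID.
const CONFIG_RE = /^https:\/\/connect\.facebook\.net\/signals\/config\/(\d+)/;

// Naive comment stripping so a commented-out fbq('set', ...) is not counted
// as active. Caveat: it also cuts the rest of a line after "//" in a URL string.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/[^\n]*/g, '');
}

function auditPixel(requestUrls, inlineSnippet) {
  const scriptLoaded = requestUrls.some((u) => FBEVENTS_RE.test(u));
  const configFetchedFor = requestUrls
    .map((u) => (u.match(CONFIG_RE) || [])[1])
    .filter(Boolean);

  const src = stripComments(inlineSnippet);
  const pixels = {};
  // fbq('init', '<id>'): every pixel the page initialises, with its position.
  for (const m of src.matchAll(/fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g)) {
    pixels[m[1]] = { initAt: m.index, disabledAt: -1 };
  }
  // fbq('set', 'autoConfig', false, '<id>'): counted only if it precedes the
  // init call for the same pixel, which is where Meta's snippet places it.
  for (const m of src.matchAll(
    /fbq\(\s*['"]set['"]\s*,\s*['"]autoConfig['"]\s*,\s*false\s*,\s*['"](\d+)['"]/g,
  )) {
    if (pixels[m[1]]) pixels[m[1]].disabledAt = m.index;
  }

  const findings = Object.entries(pixels).map(([pixelId, p]) => ({
    pixelId,
    configRequestSeen: configFetchedFor.includes(pixelId),
    automaticEvents:
      p.disabledAt !== -1 && p.disabledAt < p.initAt ? 'disabled' : 'enabled (default)',
  }));
  return { scriptLoaded, findings };
}

// Constructed sample input for a hypothetical site (not one of the audited companies).
const SAMPLE_REQUESTS = [
  'https://www.example-bank.example/',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://connect.facebook.net/signals/config/123456789012345?r=stable',
  'https://www.facebook.com/tr/?id=123456789012345&ev=PageView',
];

const SNIPPET_DEFAULT = `
  fbq('init', '123456789012345');
  fbq('track', 'PageView');
`;

const SNIPPET_HARDENED = `
  fbq('set', 'autoConfig', false, '123456789012345');
  fbq('init', '123456789012345');
  fbq('track', 'PageView');
`;

console.log(JSON.stringify(auditPixel(SAMPLE_REQUESTS, SNIPPET_DEFAULT), null, 2));
console.log(JSON.stringify(auditPixel(SAMPLE_REQUESTS, SNIPPET_HARDENED), null, 2));
```

Note that the check only reads the page's own snippet. If the pixel is injected by a tag manager, the init and set calls live in the tag configuration instead, and the same ordering rule applies there.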

Back to the review: how did it look on the sites?

In almost all cases, the companies that use the Meta pixel have not disabled its automatic event collection. They are therefore exposed to the same leak that hit Avanza Bank: the pixel's automatic event code treats page elements as buttons and, when they are clicked, sends information about them, including their text, to Meta, and that text can contain sensitive content.

Automatic Advanced Matching, on the other hand, was inactive on all but two sites. Either these companies never took the active step of enabling it in Meta Business Manager, or they disabled it after the ruling. Historical data on the use of AAM by banks and financial institutions would have been interesting to have.

Conclusion

Our review shows that many banks and financial service providers still use the Meta pixel with configurations that may put them at risk. Third parties can offer valuable services, but failing to understand their capabilities and the data they can reach exposes companies to significant compliance risk and data breaches.

There are several safeguards companies can implement to better protect sensitive data. First, audit the third-party scripts currently in use and assess how each is configured; for the Meta pixel that means checking both the AAM toggle in Meta Business Manager and whether the snippet disables autoConfig before init. Second, migrate tracking where possible to a server-to-server setup such as server-side GTM, which gives you control over exactly which fields leave your systems and reduces exposure to third-party tracker code in the browser. Once the audit and implementation are complete, a Content Security Policy (CSP) managed by your IT department should be in place: its script-src and connect-src allow-lists ensure that only approved scripts load and only approved hosts can receive data, so a tracker added by mistake fails closed.
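To make the CSP recommendation concrete, here is an added example (not from the original post) of a policy that allows first-party assets and one approved tag host, together with a small evaluator that checks which of the pixel's requests the policy would stop. The site origin, the tag host and the pixel ID are hypothetical, and the evaluator implements only host-source matching: nonces, hashes, paths and ports are out of scope.

```javascript
// Added example (not code from the original post): a minimal CSP host-source
// evaluator used to check a proposed policy against the pixel's requests.

// Hypothetical first-party origin and approved tag host; both are made up.
const SITE_ORIGIN = 'https://www.example-bank.example';

const POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://tags.example-bank.example; " +
  "connect-src 'self' https://tags.example-bank.example; " +
  "img-src 'self' data:";

// "directive src src; directive ..." -> { directive: [sources] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function sourceMatches(source, url, siteOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === siteOrigin;
  // scheme-source such as "data:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // host-source: [scheme://][*.]host
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/i);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

// A fetch directive that is absent falls back to default-src.
function cspAllows(policy, directive, urlString, siteOrigin = SITE_ORIGIN) {
  const d = parsePolicy(policy);
  const sources = d[directive] || d['default-src'] || [];
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, siteOrigin));
}

// The pixel fetches fbevents.js and a per-pixel config from connect.facebook.net
// and reports events to www.facebook.com/tr. Which directive a browser applies
// depends on how the pixel issues each request (script tag, fetch/beacon or
// image), so a host counts as blocked only if script-src, connect-src and
// img-src all deny it.
function hostBlocked(policy, urlString, siteOrigin = SITE_ORIGIN) {
  return ['script-src', 'connect-src', 'img-src'].every(
    (dir) => !cspAllows(policy, dir, urlString, siteOrigin),
  );
}

const PIXEL_URLS = [
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://connect.facebook.net/signals/config/123456789012345',
  'https://www.facebook.com/tr/?id=123456789012345&ev=PageView',
];

for (const u of PIXEL_URLS) {
  console.log(`${hostBlocked(POLICY, u) ? 'BLOCKED' : 'allowed'}  ${u}`);
}
```

Deploy a policy like this first as Content-Security-Policy-Report-Only to find the legitimate first-party requests the allow-list misses, then switch to the enforcing header; only the enforcing header blocks anything. Tightening script-src alone is not enough, since a script that is already allowed can still post data out via fetch or image requests, which is why connect-src and img-src carry the same allow-list.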

Are You Worried That Your Site Is At Risk?

Tracking users and sharing data with third parties can be a complex challenge when it comes to data security and compliance. At Ctrl Digital, we specialize in implementing customized tracking solutions for intricate business needs.

If you’re concerned that your site may be at risk, contact us at [email protected]. We’ll review your site and provide tailored recommendations for improvements.