The Norwegian Data Protection Authority has carried out an inspection of six websites’ use of tracking pixels. All of the websites unlawfully shared personal data of website visitors with third parties, and in several of the cases, the personal data shared were of a sensitive nature. In one of the cases, we imposed a fine of NOK 250 000.
- All of the websites inspected made personal data about visitors available to third parties without legal basis. We also found breaches of the duty to provide information, says Head of Section Tobias Judin.
Tracking pixels is a technology that automatically sends information about those who visit a website or app to a third party. This can be information about which subpages people visit, what actions they take on the website or what they put in their shopping cart.
- Everyone should be able to use the internet and find information, without fear of private information going astray. I am therefore pleased that the Norwegian Data Protection Authority is overseeing the use of tracking tools and what information is shared with the big technology companies, says Minister of Digitalisation and Public Governance Karianne Tung.
The Norwegian Data Protection Authority conducted an inspection of six websites that use tracking pixels:
A person’s browsing history, alone or through combination of data from various sources, often makes it possible to derive private or sensitive personal data. In the inspections, the Norwegian Data Protection Authority saw examples of websites sharing information that could indirectly say something about the website visitor’s health, sex life and religion. We also saw that several websites shared personal information about children in vulnerable situations.
- The findings are serious. At the same time, we see that many of the websites did not understand the technology or did not mean to share this type of information. It is therefore important for us to raise awareness of the risks associated with tracking pixels," says Judin.
In the case of the website 116111.no, we have chosen to impose an administrative fine of NOK 250 000. The reason is that this is a public website that has processes children’s personal data unlawfully. Tracking pixels have automatically transmitted information about visitors to the website to a third party, without a legal basis and without providing information to website visitors. However, the fee is lower than originally envisaged, since the Municipality of Kristiansand has cooperated well and effectively, and implemented a number of measures to rectify the issue and prevent similar violations in the future.
The purpose of the inspections is primarily to increase awareness about the use of tracking pixels on websites, and we see that there is a need for guidance on this issue. This time, the corrective measures were mostly mild, and the Data Protection Authority only issued reprimands to the other websites. This is due to the fact that it is the first time we have carried out this type of inspection, and in light of the fact that the purpose of the inspections is awareness-raising. In the future, the sanctions may be much stricter.
The inspection cases uncovered a number of practices that are not in line with the GDPR:
We have issued guidance based on the experiences gained through our inspection. In the guidance you can read more about the findings we made, what requirements the law imposes on the use of tracking tools, and what we expect from websites in the future.
- There are many websites out there that have a job to do. We hope our guidance can contribute to greater caution in implementing tracking pixels and prevent further violations in the future, says Communications Director, Janne Stang Dahl.