The Sanctions Board of the Finnish Office of the Data Protection Ombudsman has issued an administrative fine of EUR 1.1 million to Yliopiston Apteekki, the largest pharmacy chain in Finland, due to deficiencies in its cookie practices and the use of other tracking technologies on its online pharmacy website (case number TSV/108/2022). The case serves as a reminder that deploying cookies and other tracking technologies on a company’s website – without a proper understanding of which personal data may be disclosed to third parties, and without implementing appropriate safeguards – can result in significant administrative fines.
About the case – disclosing health data to providers of tracking technologies led to administrative fines
The data protection shortcomings related to Yliopiston Apteekki’s online pharmacy were initially brought to the attention of the Office of the Data Protection Ombudsman (ODPO) by a PhD researcher at the University of Turku. In the course of conducting research on web analytics, the researcher had identified certain data protection issues related to the use of tracking technologies on the websites of Finnish online pharmacies and certain other healthcare-adjacent entities. Currently, the ODPO is also investigating similar data protection shortcomings involving other Finnish online pharmacies.
Personal data related to visitors of the online pharmacy website of Yliopiston Apteekki, who had given their consent to the use of cookies, had been disclosed to certain service providers (Google, Meta and New Relic) employing tracking technologies as part of their service. The tracking technologies used on the website included, among others, Google Analytics, the “Facebook pixel” and a tool to monitor website performance. The data disclosed included details on which self-care and prescription medicines the website visitor had viewed on the site and which products the visitor had added to their shopping cart, as well as information on whether the visitor had proceeded to the order confirmation page. In addition, certain other unique identifiers, such as IP addresses, were shared with the service providers. By combining this data, as argued by the ODPO, third-party service providers had the ability to infer which specific medications an identifiable individual had viewed or ordered from the online pharmacy.
In its decision, the Sanctions Board of the Office of the Data Protection Ombudsman concluded that the data controller had failed to appropriately ensure that information contained in HTTP requests sent by the visitor’s browser during their interaction with the website was masked or otherwise rendered unidentifiable before being disclosed to the tracking tool service providers. Attention was also paid to the fact that some of the information relayed was not covered by ordinary mechanisms for protecting communications, such as encryption, thereby also creating the risk that the information could be disclosed to unknown intermediaries. According to the ODPO, disclosure of personal data was not necessarily limited to the tracking technology service providers used by the data controller, and it was possible that the personal data had also been disclosed to the service providers’ sub-processors.
The investigation of the ODPO covered the practices in place at Yliopiston Apteekki from May 2018 to September 2022. Yliopiston Apteekki has since updated its practices to prevent the disclosure of data to third parties.
The ODPO also issued guidance to Yliopiston Apteekki concerning its current cookie practices. The guidance stated, among other things, that if the tracking of visitors in connection with medicinal products is necessary, it must be done in a way ensuring that the controller retains actual control over the processing of the relevant personal data. The ODPO also emphasized the need to pay attention to the continuous evolution of technology and the emergence of new methods of accessing data. It was further mentioned that a situation where the content of the URL was linked to the content of the webpage associated with the URL (e.g., product name, product description or product code) should be avoided, and that URLs should not include data considered special category personal data, such as health or otherwise sensitive data, where said data is disclosed to third parties.
The decision is not yet final, and Yliopiston Apteekki has announced its intention to appeal to the Administrative Court.
Ensuring compliance: Reevaluate your company’s cookie and other tracking technology policies
The case serves as an important reminder that companies should have a clear understanding of how the personal data they process is shared with or otherwise disclosed to various service providers – and potentially to their sub-processors or even other unknown parties. It is also important to recognize that personal data may be disclosed not only through cookies but also through other web-based tracking technologies. These include, for example, tracking pixels, web beacons and various tags, particularly where the technology involves loading an external resource of some kind (such as one loaded from a server controlled by a service provider).
When tracking technologies are used, the principle of data minimization should be followed. Only personal data that is necessary for the given processing purpose should be disclosed to service providers that employ tracking technologies.
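As an added illustration of the leakage path described in the decision and of the URL guidance above (this is example code, not code from the article, the ODPO or Yliopiston Apteekki), the script below audits constructed outbound tracking requests for product identifiers carried in the page URL and the Referer header, and shows a sanitizer that strips them before the URL is handed to an analytics tool. The hostnames, catalogue paths, parameter names and sample requests are all assumptions.

```javascript
// Constructed list of hosts treated as third-party tracking providers.
const TRACKING_HOSTS = new Set(["analytics.example", "pixel.example", "rum.example"]);
// Constructed catalogue paths whose last segment reveals which medicine was viewed.
const SENSITIVE_PATH = /^\/(products|prescription|self-care|cart)\/([^/?#]+)/i;
// Constructed query parameters that typically carry product or basket identifiers.
const SENSITIVE_PARAMS = new Set(["product", "sku", "item", "cart", "q"]);

// Return the product-identifying values found in one URL (path segment and query values).
function findLeaks(urlString) {
  const url = new URL(urlString);
  const leaks = [];
  const m = SENSITIVE_PATH.exec(url.pathname);
  if (m) leaks.push(`path:${m[2]}`);
  for (const [k, v] of url.searchParams) {
    if (SENSITIVE_PARAMS.has(k.toLowerCase())) leaks.push(`param:${k}=${v}`);
  }
  return leaks;
}

// Audit one outbound request: tracker URLs usually repeat the page URL in a
// parameter, and the browser adds the page URL again as the Referer header.
function auditRequest(req) {
  const target = new URL(req.url);
  if (!TRACKING_HOSTS.has(target.hostname)) return { thirdParty: false, leaks: [] };
  const leaks = new Set(findLeaks(req.url));
  for (const [, v] of target.searchParams) {
    if (/^https?:\/\//i.test(v)) findLeaks(v).forEach((l) => leaks.add(l));
  }
  if (req.referer) findLeaks(req.referer).forEach((l) => leaks.add(l));
  return { thirdParty: true, leaks: [...leaks] };
}

// Mitigation: keep only "a catalogue page was viewed" in the URL given to analytics,
// dropping the product segment and identifying parameters (data minimization).
function sanitizePageUrl(urlString) {
  const url = new URL(urlString);
  url.pathname = url.pathname.replace(SENSITIVE_PATH, "/$1/");
  for (const k of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(k.toLowerCase())) url.searchParams.delete(k);
  }
  url.hash = "";
  return url.toString();
}

// Constructed sample traffic from a fictional online pharmacy.
const SAMPLE_REQUESTS = [
  { url: "https://analytics.example/collect?v=2&dl=https%3A%2F%2Fpharmacy.example%2Fprescription%2Fexample-medicine-500mg%3Fsku%3D12345",
    referer: "https://pharmacy.example/prescription/example-medicine-500mg?sku=12345" },
  { url: "https://pixel.example/tr?ev=AddToCart", referer: "https://pharmacy.example/cart?item=12345" },
  { url: "https://cdn.pharmacy.example/app.js", referer: "https://pharmacy.example/" },
];
// Report every third-party request that carries a product identifier.
const findings = SAMPLE_REQUESTS.map(auditRequest).filter((r) => r.thirdParty && r.leaks.length);
console.log(JSON.stringify(findings, null, 2));
console.log(sanitizePageUrl(SAMPLE_REQUESTS[0].referer));
```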
Companies processing special category personal data, as defined in Article 9 of the General Data Protection Regulation (GDPR), or other sensitive personal data, should pay particular attention to ensuring that appropriate safeguards are in place to protect the data in the context of employing tools for user analytics on their websites and for email communications such as newsletters. Where tracking technologies are employed, one should be aware that processing of special category data may potentially occur, for example, in the context of any services or products related to individual health or medical devices.
Sonja Laamanen
- Press release of the Office of the Data Protection Ombudsman: Yliopiston Apteekki fined for online shop data protection shortcomings
- Link to the decisions of the Deputy Data Protection Ombudsman and the Sanctions Board: TSV/108/2022 (only in Finnish)
HH Partners offers a wide range of data protection services: we help our clients with compliance with data protection regulations, GDPR assessments, impact assessments, and other data protection documentation.
Author:
This article was written by our Associate Lawyer Sonja Laamanen who specialises in data protection, technology and intellectual property law. Her work covers all aspects of data protection law, for example, assisting clients with drafting data protection documentation, negotiating and drafting data processing agreements, as well as GDPR compliance questions. Sonja has assisted organizations across various industries with data protection matters, including technology, media, retail, consumer goods, and pharmaceutical sectors.