Meta pixel on healthcare websites — what do IMY's decisions say?
When a care practice's website loads an advertising tracker — a Meta pixel, a Google Ads conversion tag — before the visitor has consented, data about the visit can be sent on to an advertising platform. The Swedish Authority for Privacy Protection (IMY) has issued fines for exactly this. But it is easy to misunderstand what the decisions were based on: the legal ground was the requirement for security of processing and the rules on transfers — not a ruling about health data. Here we untangle the difference.
What happened in IMY's pixel decisions?
IMY issued administrative fines against Apoteket AB (SEK 37 million) and Apohem (SEK 8 million) for their use of the Meta pixel. The pixel transferred data about what visitors did on the website — including data tied to purchases — to Meta, without adequate safeguards.
Important to be precise: IMY's legal ground in those decisions was the requirement for appropriate security measures (GDPR Article 32) together with the rules on transfers of personal data. It was not a ruling that the visit data constituted special-category health data under Article 9. That distinction is worth keeping apart — we frame this as a transfer without safeguards, not as an established health-data breach.
Why are advertising trackers especially sensitive on a healthcare site?
The fact that someone visited a care practice's website can in itself hint at something about that person — that they sought care. Sending that signal to an advertising platform is a transfer that needs safeguards, and the consequences of getting it wrong are greater on a healthcare site than on an ordinary business site.
That a visit may reveal health information is a reasonable risk consideration in its own right — but it is not the conclusion IMY's pixel decisions rest on. So we point to the risk of the transfer, not to a legal ruling about health data.
Before consent is the core
The problem arises when the advertising tracker fires before the visitor has consented — or keeps loading after the visitor has rejected. A correctly consent-gated advertising pixel, which does not load until the visitor has actively agreed, does not have this problem.
Two layers meet here: the consent requirement to place the tracker at all (ePrivacy / the Swedish Electronic Communications Act), and the requirement for safeguards and a lawful transfer once the data is sent on (Article 32 and the transfer rules).
Booking and contact pages are especially sensitive
An advertising tracker that fires on the very page where the patient books an appointment or contacts the practice ties the advertising platform to a concrete care-seeking action. That is why we particularly highlight trackers on booking and contact pages.
How CompliantHQ tests this
This is a cross-module check. During the cookie scan we measure which advertising trackers (Meta, Google Ads, TikTok, Snapchat, LinkedIn, Bing) load before consent, and combine that with whether the website belongs to the healthcare sector. Trackers observed on booking or contact pages are highlighted especially.
The tracker's presence is a deterministic measurement, but the conclusion about health-data risk is a judgement — so we frame the risk and do not pass a verdict. The finding is never an established breach; it describes that data may be sent to an advertising platform before the visitor has had a choice.
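As an added illustration of the measurement described above (example code written for this page, not CompliantHQ's scanner): requests captured during a page load are classified by whether a known advertising tracker fired before the visitor's consent choice, or after a reject, and findings on booking or contact pages are raised in severity. The tracker hostnames are well-known endpoints and the path patterns are assumed for the example.

```javascript
// Added illustration, not CompliantHQ's scanner: classify tracker requests captured
// during a page load by whether they fired before the visitor's consent choice.
// Hostnames are well-known tracker endpoints; the set is assumed sufficient here.
const TRACKER_HOSTS = {
  "connect.facebook.net": "Meta pixel", "www.facebook.com": "Meta pixel",
  "googleads.g.doubleclick.net": "Google Ads", "www.googleadservices.com": "Google Ads",
  "analytics.tiktok.com": "TikTok pixel", "tr.snapchat.com": "Snapchat pixel",
  "px.ads.linkedin.com": "LinkedIn Insight Tag", "bat.bing.com": "Bing UET",
};
// Paths that mark a care-seeking action (Swedish and English spellings assumed).
const SENSITIVE_PATH = /\/(boka|book|kontakt|contact)/i;

function trackerName(url) {
  try { return TRACKER_HOSTS[new URL(url).hostname] || null; } catch (e) { return null; }
}

// requests: [{url, t}] with t in ms since navigation start.
// consent: {t, decision: "accept"|"reject"} or null when the banner was never answered.
function findPreConsentTrackers(pageUrl, requests, consent) {
  const onSensitivePage = SENSITIVE_PATH.test(new URL(pageUrl).pathname);
  const findings = [];
  for (const r of requests) {
    const name = trackerName(r.url);
    if (name === null) continue; // first-party or non-advertising request
    const beforeChoice = consent === null || r.t < consent.t;
    const afterReject = !beforeChoice && consent.decision === "reject";
    if (!beforeChoice && !afterReject) continue; // fired only after an accept: consent-gated
    findings.push({ tracker: name, when: beforeChoice ? "before-consent" : "after-reject",
                    severity: onSensitivePage ? "high" : "medium" });
  }
  return findings;
}

// Constructed capture of a booking page: the Meta pixel fires at load, the visitor
// rejects at 4000 ms, and a Google Ads conversion script still loads afterwards.
const SAMPLE_CAPTURE = {
  pageUrl: "https://example-practice.test/boka-tid",
  requests: [
    { url: "https://connect.facebook.net/en_US/fbevents.js", t: 120 },
    { url: "https://example-practice.test/static/app.js", t: 150 },
    { url: "https://www.googleadservices.com/pagead/conversion.js", t: 4500 },
  ],
  consent: { t: 4000, decision: "reject" },
};

function scanSample() {
  return findPreConsentTrackers(SAMPLE_CAPTURE.pageUrl, SAMPLE_CAPTURE.requests, SAMPLE_CAPTURE.consent);
}
```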
How to do it
- Make sure advertising trackers do not load before consent — especially not on booking and contact pages.
- Gate the trackers behind active consent in your cookie banner, so they only activate after the visitor has agreed.
- Don't need the advertising tracking at all? Then the simplest fix is to remove it.
- Check that a correctly configured consent platform (CMP) actually blocks the pixel before consent — the common mistake is not a missing banner, but one that doesn't block as it should.
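To make the last point concrete, here is an added example (written for this page, not CompliantHQ's or any pixel vendor's code) of the common misconfiguration beside the fix: a banner that merely records the answer while the pixel has already run at page load, and a gate that queues every advertising loader until an active accept. Real loaders are replaced by a recording stub so the logic runs outside a browser.

```javascript
// Added illustration: the banner-that-does-not-block, beside a consent gate that
// defers advertising loaders. A recording stub stands in for fbevents.js and the like.
function makeRecorder() {
  const fired = [];
  return { fired, load: (name) => { fired.push(name); } };
}

// Common mistake: the pixel snippet sits in <head> and runs at page load; the banner
// only stores the answer, so the pixel has already fired whatever the visitor chooses.
function simulateUngatedPage(choice) {
  const rec = makeRecorder();
  rec.load("meta-pixel");             // executes before the banner is even shown
  rec.load("google-ads-conversion");
  const banner = { decision: choice }; // answer recorded, nothing is blocked
  return { fired: rec.fired, decision: banner.decision };
}

// Fix: loaders are queued and released only on an explicit accept; a reject or no
// interaction keeps the queue closed, and loaders registered later obey the decision.
function createConsentGate(load) {
  const pending = [];
  let decision = null; // null = not yet answered, otherwise "accept" or "reject"
  return {
    register(name) {
      if (decision === "accept") load(name); else pending.push(name);
    },
    decide(choice) {
      decision = choice;
      if (choice === "accept") { while (pending.length) load(pending.shift()); }
      else { pending.length = 0; } // reject: drop queued loaders, never fire them
    },
    decision: () => decision,
  };
}

function simulateGatedPage(choice) {
  const rec = makeRecorder();
  const gate = createConsentGate(rec.load);
  gate.register("meta-pixel");              // queued at page load, not executed
  gate.register("google-ads-conversion");
  if (choice !== null) gate.decide(choice); // null models a visitor who never answers
  gate.register("tiktok-pixel");            // a loader added later follows the same decision
  return { fired: rec.fired, decision: gate.decision() };
}
```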
What the check covers
- That healthcare websites don't leak visit data to advertising platforms (Meta pixel and others) before consent — especially on booking and contact pages (GDPR art. 32 + transfers).
Common questions
Were IMY's pixel decisions based on visit data being special-category health data (Article 9)?
No. IMY's legal ground in the Apoteket and Apohem decisions was the requirement for security measures (Article 32) and the rules on transfers — not a ruling about Article 9. That a care visit may reveal health information is a reasonable risk consideration in its own right, but it is not what the decisions rest on.
Is it illegal to have a Meta pixel on a healthcare site?
Not in itself. The problem is when the advertising tracker loads and transfers data before consent and without safeguards. A correctly consent-gated pixel that only activates after active consent is a different matter. Our check describes the risk and does not pass a verdict.
What does 'before consent' mean?
That the tracker fires at page load, before the visitor has clicked 'accept' in the cookie banner — or that it keeps loading after the visitor has rejected. That is the state we measure; a pixel that waits for active consent is not flagged.
Why do you single out booking and contact pages?
Because an advertising tracker on the page where the patient actually books an appointment or contacts the practice ties the advertising platform to a concrete care-seeking action — the most sensitive variant of the problem.
Want to see what we find on your site?
Run a free scan — all four modules included for 30 days, no card required.