Updated 30.6.2025 (corrected the name of Meta Pixel and added earlier decisions involving the use of Google Analytics)
Negligent website analytics
In May 2025, the Finnish Data Protection Ombudsman imposed a penalty fine of EUR 1.1 million on the pharmacy chain Yliopiston Apteekki (YA) for violating the EU General Data Protection Regulation. It is one of the largest GDPR fine issued in Finland so far, which shows that the authority is taking the question very seriously. The decision is not yet final, and YA has announced that it will appeal to the administrative court.
The case concerned website analytics and other tracking done by Yliopiston Apteekki. Between 2018 and 2022, YA had used tools like Google Analytics, Google Tag Manager, Google Maps, Google Fonts and YouTube, and Meta Pixel (a tracking snippet provided by Facebook’s parent company) in its online pharmacy, all of which collect various data about website users. Through the use of those tools, information about the webstore’s users had been leaked to Google and Meta.
The case did not involve a “pure” data leak, where things like customers’ personal identification numbers, payment details or prescription information would have ended up in the wrong hands. Instead, it was mainly about information that Yliopiston Apteekki’s webstore automatically added to the URL addresses and HTTP requests of various pages. These contained parameters that revealed, among other things, the drugs that the user was browsing and ultimately purchasing.
In addition, the analytics and tracking tools collected a variety of device identifiers and technical data like the user’s operating system and browser, screen size, colour depth and so on. This data is commonly used to analyse visitor traffic on the website and to optimise the workings of the various tools. But, it is also used by the adtech companies to identify and track users across the internet for their own advertising needs.
When a user moved from one page to another in the webstore, information was transmitted to Google, Meta and others. The data allowed the companies to single out and identify YA’s users and to draw conclusions about their medicinal needs and, ultimately, state of health.
(The Data Protection Ombudsman also found that the issue is even clearer when the website user is signed in to Google, Facebook or other service, which allows these companies to identify the user directly by combining the analytics input with their account information. While this is a very important point, for simplicity I will not deal with it here.)
In using analytics tools, Yliopiston Apteekki had neglected to fulfil numerous obligations under data protection laws. According to the Data Protection Ombudsman, YA should first have taken into account the risks to users when their risk-sensitive personal data was shared with external parties.
Secondly, Yliopiston Apteekki had failed to ensure the proper protection of the data. According to the authority, the company had particularly failed to take into account that providers of tracking technologies are able to identify website users in numerous ways, either directly or by combining different types of analytical data.
“Providers of tracking technologies combine numerous data points, including information about the user’s device, browser settings and browsing preferences, in order to profile them and create a so-called digital fingerprint.”
Thirdly, Yliopiston Apteekki had neglected to take into account that it had no real possibility of controlling the purposes for which Google, Meta and other adtech companies use the personal data that they obtain from the website. The company had also failed to assess the use of alternative analytics tools that better protect users’ rights and freedoms, or to anonymise the data before disclosing it to third parties.
The article continues below the image
Using Google Analytics on a website gives rise to notable risks
Google will recognise your customers
In justifying its use of Google’s and Meta’s tracking technologies, Yliopiston Apteekki argued that these tools are intended solely for anonymous website analytics and that no personal data about website users has been transferred to these companies. According to YA, generally the only information transferred to external parties that could be considered personal data was the user’s IP address. Even then, Google or Meta would not have been able to identify the user, as linking an IP address to a specific person would require access to the internet operator’s customer data or the registers of public authorities.
The Data Protection Ombudsman did not accept the Yliopiston Apteekki’s arguments at all. The authority, which had thoroughly reviewed the operations of the YA webstore with the help of technical experts, found that the website was leaking various types of personal data to external service providers.
One significant conclusion reached by the Data Protection Ombudsman concerned the ability of Google, Meta and other analytics companies to identify website users from various types of data. The authority stated that an IP address is only one value used to identify a user, and even that is not essential to do that. Providers of tracking technologies combine numerous data points, including information about the user’s device, browser settings and browsing preferences, in order to profile them and create a so-called digital fingerprint for them.
A digital fingerprint is a collection of various device and behavioural data unique to each individual. The fingerprint follows the user everywhere on the internet and can be used to identify an individual with a high degree of accuracy. If you want to see what your browser fingerprint looks like, you can take a quick and free test at amiunique.org.
Google and other advertising technology companies that offer free analytics tools use the data collected by these tools primarily for their own purposes. Companies that install the tools on their websites have no control over how the data is used. In the field of information security, you often hear the saying: “If you’re not paying for the product, you are the product”. Free analytics tools are not really free; they are provided by advertising technology companies in exchange for your customers’ personal data.
“Tools from advertising technology companies are very common today and their use is perfectly legal. However, every company that uses them must recognise the ways personal data is transferred to the providers of these tools. The company must also understand the risks and obligations associated with the data sharing.”
The Data Protection Ombudsman’s decision now reveals for the first time in Finnish administrative practice in great detail what every data security professional already knows: Google will recognise you. Pretty much the entirety of the company’s business is based on its ability to track and identify people across the internet. Websites that have implemented Google’s free services or functions usually give the company access to its users’ device information, browsing preferences and other data that can be used to build a digital fingerprint.
The case is also significant because it shows how even seemingly insignificant data sharing can ultimately create enormous responsibilities for the data controller. Yliopiston Apteekki had not leaked confidential information about its webstore users to unauthorised parties, instead the data leak mainly concerned the names of medicines and other identifiers automatically shared by the website, which together with other analytics data could be used to draw conclusions about individual people’s drug purchases and to gain insights into their state of health.
For this reason, you should always ask yourself what personal data does your company process about its customers and other stakeholders, and what data does it disclose to external parties at any given time. When training companies on how to comply with data protection legislation, I always point out that once you take a good look at these questions, your answers to them might really surprise you. The case of Yliopiston Apteekki is a prime example of what I mean.
The article continues below the image
Google and Meta want to show your customers personalised ads
Every company has to understand the risks with website analytics
A great many companies use some Google services or tools on their websites. They are free and easy to use. Google Analytics is popular because it’s easy to get started with and doesn’t take much effort. Google Ads offers easy access to online advertising and conversion tracking without the need for extensive technical knowledge. Google Maps makes it a cakewalk to add a map on the company website showing the way to your offices. Google Fonts provides access to a huge number of free typefaces. Embedding YouTube videos on your website is easy and, above all, free.
In social media, Meta offers numerous free platforms that often find their way onto company websites in the form of various plugins and modules. Linking a Facebook page, displaying Instagram posts and adding a WhatsApp button are all easy to do. Tracking Facebook ad conversions is easy with the tracking pixel that they give you.
Tools from advertising technology companies are very common today and their use is perfectly legal. However, every company that uses them must recognise the ways personal data is transferred to the providers of these tools. The company must also understand the risks and obligations associated with the data sharing.
In the case in question, the response from Yliopiston Apteekki demonstrates an exceptional lack of knowledge about how tracking and user identification are carried out on the internet today. The claim that only an IP address could be used to identify a user was last true maybe in the 1990s.
Online tracking has developed enormously since the early days of popular internet, and today large advertising technology companies do everything they can to identify users everywhere. They are able to combine seemingly insignificant pieces of information, such as browser version numbers, language preferences, time zone selections and dozens, if not hundreds, of other types of data, until the user browsing the website is identified with a high degree of accuracy.
As a result, any company that grants the advertising technology companies access to the data of its website users must understand that it is sharing its users’ personal data with these companies and enabling them to profile its customers.
Finally, an important lesson from Yliopiston Apteekki’s case is that the Data Protection Ombudsman seems to take the question of online tracking very seriously. Even though the pharmacy chain is a major player in Finland, and the data leak involved information that could be used to make some conclusions about people’s state of health, a fine in the low EUR 100,000’s would have been enough to drive the point across. The fact that the authority decided to slap YA with one of the largest GDPR fines in Finland to date, gives a clear indication that leaking user data to the multinational adtech corporations will not be taken lightly.
Every company using Google’s and Meta’s tools and trackers should take very good care to ensure compliance, and should monitor closely any changes in the interpretation of the law. The case shows that failing to do so is not a minor infraction.
The Data Protection Ombudsman’s decision also is not the first time using Google Analytics has been ruled illegal. In 2022, the Austrian and French authorities ruled that allowing analytics data to be transferred by Google Analytics into the United States was by default prohibited by the GDPR because American laws do not provide sufficient protection for personal data.
The biggest concern was that American surveillance agencies like the NSA have an unrestricted real-time access to every European user’s personal data held by Google and other US-based companies, through the so-called PRISM program.
Since then, the so-called Data Privacy Framework (DPF) has been agreed on by the EU and the United States, which at least for now is meant to make such concerns unnecessary. However, the legality of the DPF has been challenged before the EU courts, which may in the end render the agreement invalid in the coming years (as happened to its predecessor, the EU–US Privacy Shield arrangement, in 2020).
In 2022, the Finnish Data Protection Ombudsman ordered the public libraries of Helsinki, Vantaa and Espoo (Helmet) to erase all data collected through Google Analytics because the data had been collected and transferred into the United States without the website user’s consent and with insufficient safeguards, and the users had not been informed about the tracking clearly enough. The official did impose a GDPR fine at that time because Finnish law prohibits issuing them to municipalities or public bodies.
In 2023, the Finnish Data Protection Ombudsman ordered the Finnish Meteorological Institute (FMI) to erase all data collected through Google Analytics and reCAPTCHA (also a Google product). Also then no GDPR fine was issued because the FMI is a public institute operating under the Finnish government.
In 2023, the Swedish Data Protection Ombudsman issued GDPR fines for 12 million kronor (about € 1 million) to the telecommunications giant Tele2, and 300 000 kronor (about € 27,000) to the online marketplace CDON because the companies had not taken sufficient measures to protect personal data collected by Google Analytics, when the data was transferred automatically into the United States.
This is how you make sure your website analytics are compliant
Although Yliopiston Apteekki’s case concerned a pharmacy business subject to specific confidentiality obligations and the leakage of risk-sensitive drug information to Google, Meta and other external parties, the Data Protection Ombudsman’s decision opened the door to a new line of interpretation in general. The decision means that every company that uses analytics tools provided especially by advertising technology companies must pay attention to the risks associated with using these tools.
If your company uses Google Analytics, Meta analytics pixels or any other tracking technologies on its website, it is a good idea to conduct a risk analysis. The analysis should take into account all relevant data protection requirements. Even if your company does not operate in the pharmacy sector or process particularly sensitive customer data, the use of analytics tools always entails risks and obligations.
The Data Protection Ombudsman’s decision means, above all, that every company that uses website analytics tools provided by advertising technology companies must understand that these tools automatically transfer numerous categories of personal data about users to external parties, and that those transfers have to comply with the relevant legal provisions.
You are solely responsible for ensuring that the technologies you use are lawful. Even if advertising technology companies provide you with the tools, you must make sure that their use is lawful in all respects. Google, Meta and others extract all the information they can from the website, so it is the responsibility of the company using the tools to limit the amount of data to what is permitted by law. (This is also stated in the terms of use of these companies, which place the responsibility solely on you.)
Before implementing website analytics tools, it is particularly important to consider the following questions:
- Do we know what is happening on our website? The law requires you to be aware at all times of who has access to the personal data of your website users. All kinds of external services and tools are often installed on websites without considering what this means in terms of the company’s responsibility. Google Analytics and Google Tag Manager are not the only tools that track website users. All Google tools, from Google Maps to hosted Google Fonts to YouTube embeds, are designed to collect as much information about your users as possible. The same is true for tracking tools from Meta, LinkedIn and other advertising companies.
In the case in question, Yliopiston Apteekki actually admitted that it had accidentally activated Meta’s tracking pixel on pages containing drug information, and it had stayed on for up to two years without anyone noticing. An oversight like that hardly meets the required level of care.
- Is analytics necessary to this extent, or can tracking be limited to a smaller segment? Yliopiston Apteekki made the mistake of allowing Google Analytics to access the drug information browsed by users, even though this was not considered necessary. Every company should consider whether analytics companies have access to information that is unnecessary for things like visitor tracking. Since Google, Meta and others collect all the information they can access, there is a clear risk that large amounts of unnecessary information will flow to these companies.
- If analytics is necessary, is Google Analytics the best option? Yliopiston Apteekki had neglected to assess whether it could have opted for other ways of doing analytics that would have given it better control over the purposes for which users’ personal data is used. In the case of Google and Meta, this option does not exist at all. Alternatives like the open source Matomo Analytics platform, which is favoured by government entities and high-trust operators, gives you exclusive control over your users’ data, and the data is not used for other purposes. Alternatively, analytics can be done in-house, or user data can be anonymised before it is transferred to third parties (however, these options require quite a lot of technical expertise).
Note that despite advertising claims, Google Analytics 4 is not a significantly more privacy-friendly option than its predecessors. The data collected by Google Analytics is not actually anonymised, even though you only see an aggregated summary. Detailed personal data remains available to Google in its entirety.
- If we use analytics tools provided by external companies, have we complied with data protection legislation? The law requires you to be aware at all times of what data your company discloses to external parties and to ensure that the data is secure. Transfers that result in the recipient using the data for their own purposes (such as profiling and creating digital fingerprints) are not compatible with your company’s normal activities and must be justified separately in accordance with the law’s requirements. Those purposes usually also require the user’s voluntary, specific, informed and unambiguous consent. Adequate descriptions of these matters must be provided to users of your website, for example in your privacy policy.
- If user data is transferred outside the European Union or the European Economic Area through the analytics tool we use, have we ensured the security of the transfers? Google Analytics, Meta, HubSpot and most other American or multinational tracking technology providers keep their servers in countries outside the EU/EEA. In such cases, data is transferred to these so-called third countries. Transfers are only permitted if users have been informed of this in a transparent manner and the protective measures required by law have been taken. In numerous cases across Europe, such transfers have been found to be unlawful and significant data protection fines have been imposed.
In my experience, small and medium-sized companies in particular often have great difficulty in identifying the risks and obligations arising from various website analytics services and other tools.
The same mistakes are also made by larger companies and sometimes even public authorities. Indeed, compliance requires up-to-date knowledge of legal requirements and a proper understanding of how information is collected on websites today.
For this reason, it is a good idea to ensure that your website’s various functions comply with the law by having them assessed from both a legal and technical perspective. We are happy to assist you and your tech team in this task. We offer both lightweight and comprehensive data protection services to help you meet your legal obligations.
Book a free consultation and we’ll go over your company’s threat vectors in relation to data protection regulation.
Follow us on LinkedIn. We’ll post updates on this and other topics that are useful for your business.