Datatilsynet (Norway) - 24/01059-9
Revision as of 13:17, 13 June 2025

Datatilsynet - 24/01059-9
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1) GDPR
Article 9(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 19.03.2023
Decided: 10.06.2025
Published:
Fine: n/a
Parties: Norsk Helseinformatikk AS
National Case Number/Name: 24/01059-9
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (NO) (in NO)
Initial Contributor: cci

The DPA reprimanded a company for sharing website visitors’ sensitive data via the Meta pixel without consent.

English Summary

Facts

Following media reports about online tracking, the DPA started several ex officio investigations over the use of tracking tools on websites. Among others, the DPA investigated www.nhi.no, a website providing information about medical topics. The website was published by the company Norsk Helseinformatikk AS (the controller).

The investigation found that the website presented visitors with a cookie banner provided by the cookie management platform Cookiebot. The banner offered visitors three options: “Only necessary cookies”, “Customize”, and “Allow all cookies”. The “Only necessary cookies” button was somewhat visible but featured less prominent colors than the others.

The investigation found that the website implemented the Meta pixel. The pixel is not a cookie and is not stored client-side. It tracked actions taken by the user on the website and shared them with Meta. In addition, the pixel stored a tracking cookie (_fbp) in the users’ browser.

The website implemented the pixel on both the home page and subpages, which made it possible to track an individual user’s journey through the website. The website forwarded other information to Meta, including IP addresses, fingerprints for the user’s device, and the unique identifier from the _fbp cookie.

The investigation found that the controller implemented other trackers. However, the DPA decided to limit the scope of the proceedings to the use of the Meta pixel.

Holding

The DPA held that the controller unlawfully processed sensitive data via the Meta pixel, in violation of Articles 6 and 9 GDPR.

The DPA held that Norsk Helseinformatikk was only a data controller for the initial data processing via the pixel. So, the DPA did not examine the subsequent processing of these data after their disclosure to Meta.

The DPA issued a warning against the controller. The DPA clarified that an injunction to remove the pixel was not needed, as the controller already did so during the procedure. The DPA did, however, order the controller to collect explicit consent to the processing of sensitive data, should it implement the pixel again in the future.

Meta pixel processed personal data

The DPA held that the data forwarded by the Meta pixel could identify a data subject when combined with the other information forwarded to Meta by the website. For this reason, the DPA held that the controller processed personal data via the pixel. The controller did not challenge the conclusion.

Meta pixel processed sensitive data

The Meta pixel tracked visits to individual subpages. The DPA observed that this made it possible to infer information about the health status of individual users. On this basis, the DPA preliminarily held that the pixel processed sensitive data.

During the procedure the controller challenged this conclusion based on a restrictive reading of CJEU case law on sensitive data. The DPA rejected NHI’s arguments and stated that CJEU case law set a low threshold for what is to be considered sensitive data.

In particular, the DPA clarified that for data to be sensitive according to CJEU case law, there was no requirement:

  • for information to be directly linked to a person’s health condition;
  • for information to allow for accurate inferences (because inaccurate personal and sensitive data are nonetheless protected by the GDPR);
  • for information to be linked with additional information, in order to more reliably infer sensitive data (which Meta could do but NHI could not).

For these reasons, the DPA concluded that the controller processed personal and sensitive data by implementing the Meta pixel on its website.

Explicit consent was required

The DPA clarified that the Meta pixel processed personal data exclusively for advertising purposes. The DPA also stated that the data subject’s consent was the only legal basis for processing sensitive data for advertising purposes. In this regard, the DPA clarified that legitimate interest would generally not be a valid legal ground, as data subjects’ rights to the protection of their sensitive data will typically outweigh a data controller’s interest in advertising.[1]

For these reasons, the DPA examined whether the controller collected valid consent from visitors in light of the requirements of the GDPR. In this regard, the DPA decided to limit its investigation to two specific requirements for valid consent under Article 4(11): “freely given” and “informed”. The DPA found that neither requirement was fulfilled and held that sensitive data were processed without consent.

Consent was not freely given

The DPA observed that the less prominent color of the “Only necessary cookies” button on the cookie banner amounted to a dark pattern and nudged users towards accepting non-necessary cookies and trackers from the website. For this reason, the DPA held that the users’ consent was not freely given and, therefore, invalid.

Contrary to the controller’s arguments, it did not matter that all the buttons were clearly visible. In the DPA’s view, the more prominent color scheme of the “Accept all cookies” option was sufficient to nudge users towards accepting unnecessary trackers. In this regard, the DPA pointed out that there was no real reason to implement different levels of color contrast for different buttons, aside from manipulating user behavior.
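The contrast check below is an added example, not part of the decision or of this summary. It quantifies the asymmetry the DPA describes using the WCAG 2.x relative-luminance and contrast-ratio formulas, and separates two measures that the controller's argument conflated: how strongly each button's background stands out against the banner surface (salience) and how legible its label is (text contrast). The colours are constructed: the banner surface is assumed white and the blue is a placeholder, since the decision names no colour values.

```python
"""WCAG contrast check for consent-banner buttons (added example, constructed colours)."""


def _linear(channel: int) -> float:
    """sRGB channel (0-255) to linear light, per the WCAG relative-luminance definition."""
    v = channel / 255
    return v / 12.92 if v <= 0.03928 else ((v + 0.055) / 1.055) ** 2.4


def luminance(hex_color: str) -> float:
    """WCAG relative luminance of a #RRGGBB colour."""
    h = hex_color.lstrip("#")
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)


def contrast(color_a: str, color_b: str) -> float:
    """WCAG contrast ratio: 1.0 for identical colours, 21.0 for black on white."""
    hi, lo = sorted((luminance(color_a), luminance(color_b)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)


def button_salience(buttons: dict, surface: str = "#FFFFFF") -> dict:
    """For each label -> (text colour, background colour), report how much the
    button stands out from the banner surface and how legible its text is."""
    return {
        label: {
            "against_surface": round(contrast(bg, surface), 2),
            "text_legibility": round(contrast(fg, bg), 2),
        }
        for label, (fg, bg) in buttons.items()
    }


def asymmetric(report: dict, reject: str = "Only necessary cookies",
               accept: str = "Allow all cookies") -> bool:
    """True when the accept-all button is visually more prominent than the
    refuse option, the pattern the decision treats as nudging."""
    return report[accept]["against_surface"] > report[reject]["against_surface"]


# Constructed colours mirroring the decision's description; the blue is a placeholder.
BANNER_BUTTONS = {
    "Only necessary cookies": ("#000000", "#FFFFFF"),
    "Customize": ("#000000", "#FFFFFF"),
    "Allow all cookies": ("#FFFFFF", "#0000FF"),
}
# Same visual weight for every option: a balanced configuration for comparison.
EVEN_BUTTONS = {label: ("#FFFFFF", "#0000FF") for label in BANNER_BUTTONS}

if __name__ == "__main__":
    for name, buttons in (("as inspected", BANNER_BUTTONS), ("evened out", EVEN_BUTTONS)):
        rep = button_salience(buttons)
        print(name, rep, "asymmetric" if asymmetric(rep) else "balanced")
```

The interesting output is that the refuse button scores 21:1 for legibility, so it is perfectly readable, while scoring 1:1 against the surface, so it does not stand out at all; the accept button scores well on both. Legibility is the measure the controller argued about, salience is the one the DPA's reasoning turns on.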

Consent was not informed

The DPA considered that the website’s privacy policy explicitly stated that the website would not process sensitive data. The DPA pointed out that the statement was erroneous and, therefore, did not inform users that their sensitive data would be processed. For this reason, the DPA held that users’ consent was uninformed and invalid under the GDPR.

Comment

At the time of the investigation, enforcement of the Electronic Communications Act fell within the competence of the National Communications Authority (Nkom) rather than the DPA. The DPA was therefore not competent to assess whether the controller complied with the Act’s requirements for writing and reading cookies (which are similar to the ePrivacy Directive’s). Norwegian legislation has since changed and the DPA is now competent to enforce the Electronic Communications Act.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Norsk Helseinformatikk AS

Sent by email

Your reference:
Our reference: 24/01059-9
Date: 10.06.2025

Decision – Supervision of tracking tools – Norsk helseinformatikk AS (NHI)

1. Introduction

We refer to our notice of decision on reprimand and order against Norsk Helseinformatikk AS
(«NHI»), dated 20 February 2025, and Advokatfirmaet Arntzen AS’ comments on the notice on behalf of NHI dated 20 March 2025.

2. Decision on reprimand

The Norwegian Data Protection Authority hereby makes the following decision:

Pursuant to Article 58(2)(b) of the General Data Protection Regulation, Norsk Helseinformatikk is hereby reprimanded for

• Processing of personal data in violation of Article 6(1) and 9(1) of the General Data Protection Regulation, by using the tracking tool Meta Pixel on the website nhi.no.

The decision is based on the actual findings we made when the inspection of nhi.no (the “Website”) was carried out on 19 March 2024.

3. Factual background of the case

3.1. About NHI

NHI is a knowledge and technology company that is Norway’s largest provider of health information. In addition to publishing the Norwegian Electronic Medical Handbook, the company also operates the public portal www.nhi.no, which delivers quality-assured health information to hundreds of thousands of visitors every week.[1]

Postal address: P.O. Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Corporate registration number: 974 761 467. Website: www.datatilsynet.no

On the Website, visitors can, among other things, read health-related news articles and take quizzes related to diseases and health. The Website also offers a symptom overview and a disease overview containing 2187 physical and mental diseases.

3.2. About the supervision: background and scope

The decision concerns NHI's use of tracking tools on the Website. By tracking tools we mean technology, including cookies and pixels, that is integrated into websites to monitor visitors' behavior on the site. Tracking tools can be used to collect information such as IP address, advertising ID, geographic location and technical information, for example screen size and resolution. This information can be compiled by the website operator or advertising companies and thus identify an individual via the visitor's communication device.

The Norwegian Data Protection Authority's task is to supervise compliance with the General Data Protection Regulation, cf. Article 57(1)(a) of the General Data Protection Regulation and Section 20 of the Personal Data Act. In this connection, the Norwegian Data Protection Authority has carried out a digital inspection of six websites to take a closer look at Norwegian websites' use of tracking tools. The website nhi.no is one of the websites selected for the inspection. The background to the inspection is recent media reports about websites sharing personal data with third parties using tracking tools. In several of the cases mentioned in the media, the information collected and shared with third parties may constitute sensitive personal data or special categories of personal data, cf. Article 9(1) of the General Data Protection Regulation. In recent years, we have encouraged businesses to review their websites to assess which tracking tools they use, and in December 2023 we announced that we would carry out an inspection of Norwegian websites' use of tracking tools.[3]

We selected different categories of websites that process sensitive information about visitors, and selected six actors from the different categories that we chose to monitor. The purpose of this approach is to shed light on various issues related to the use of tracking tools and to ensure that our assessments can provide guidance to actors beyond those covered by this audit.

The overall purpose of the inspection is to review and verify whether the websites' use of tracking tools complies with the relevant requirements of the General Data Protection Regulation, including the legal basis, cf. Article 6(1) of the General Data Protection Regulation.

[1] https://norskhelseinformatikk.no/, last visited on 27 March 2025.

[2] See, for example, https://www.nrk.no/kultur/nettapotek-delte-med-facebook-at-du-sa-pa-klamydiatester-1.16616494, published on 4 December 2023.

[3] See https://www.nrk.no/norge/datatilsynet-vasler-gransking-etter-nrk-avsloringer-1.16679124, published on 21 December 2023.

The Norwegian Data Protection Authority conducted a digital inspection of the Website on 19 March 2024. On 20 March 2024, we sent a letter with our preliminary factual findings to NHI. In the letter, we attached screenshots of the Website as well as a technical report prepared by the Norwegian Data Protection Authority that registered which tracking tools were active on the Website. The purpose of sending the preliminary factual findings was to safeguard the right to contradiction pursuant to Section 17, second paragraph, of the Public Administration Act and to ensure that there was agreement on the factual basis before we carried out the legal assessments.

In a telephone conversation with NHI on April 15, 2024, it emerged that NHI had no comments on the factual findings presented in the letter. The factual findings presented were correct.

This audit only applies to certain selected aspects of the use of third-party tracking tools on the Website. We have not taken a position on other privacy law issues in this audit. The absence of comments on other privacy issues therefore does not mean that these are approved by us.

3.3. Actual Findings on the Website

Below is a review of the actual findings we made on the Website at the time of the inspection.

3.3.1. Cookie Banner and Consent Statement

At the time of the inspection, a visitor to the Website was presented with a cookie banner that took up a large portion of the webpage. The visitor had to decide on the cookie banner before accessing the Website. The cookie banner is provided by Cookiebot. The first page of the cookie banner was a consent solution, where the visitor was presented with the following text:

“We and our 81 partners process your personal information, such as your IP number, by using technologies such as cookies to store and access information on your device, so that we can provide you with personalized ads and content, as well as ad and content measurement, audience statistics and product development.
You choose who uses your data and for what purposes.”

The consent solution gave the visitor three options:
• “Only necessary cookies” (black text on a white background)
• “Customize” (black text on a white background)
• “Allow all cookies” (white text on a blue background)

If the visitor clicked on “Customize”, they were taken to a new page where they could turn off the pre-enabled cookie categories “Properties”, “Statistics” and “Marketing”.

In addition to deciding on the cookie banner, the visitor was also presented with a question whether they were a healthcare professional. The visitor had to click either “yes” or “no”, and the question had to be answered before they could access the Website. By clicking on ‘Why are we asking this?’, it was stated that the reason was that users should receive the most customized information possible on the Website.

3.3.2. Cookie Statement

The website has its own cookie statement, which at the time of the audit had last been updated on 27 February 2024 by Cookiebot.

The statement listed and reviewed the various cookies set on the site with the following categorization:
• Necessary cookies (eleven)
• Feature cookies (two)
• Statistics cookies (eight)
• Marketing cookies (57)

One of the cookies in the marketing category was stated to be called “_fbp” from the supplier Meta Platforms Inc. The cookie is of type “http Cookie” and the expiration date is stated to be three months. The purpose of the cookie was stated as the following:

”Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.”

3.3.3. Privacy Policy

The website has a Privacy Policy which, at the time of the inspection, had last been updated on 9 May 2018.

The following was stated under section 2 of the Privacy Policy:

"We do not process any sensitive personal data about our customers in principle."

3.3.4. Findings from technical tests

When the Norwegian Data Protection Authority carried out the digital inspection on 19 March 2024, we recorded that visitors had 113 cookies placed in their browser when all cookies were allowed on the Website.

A cookie is a text file that is placed in the visitor's browser or device when the person concerned visits a website. Cookies can, among other things, be used to monitor the visitor's actions on the website. This information is sent to the domain that is linked to the cookie and is thus made available to the website operator.

Several of the cookies belonged to parties other than NHI. We found cookies offered by both Google, Meta and Amazon. It is NHI as the website operator that determines which cookies are placed in the browser of those who visit the Website.

The Website also used tracking pixels on the front page and on subpages, including the Meta Pixel (hereinafter the “Meta-pixel(s)”). Tracking pixels are built into the website itself, and they are not stored on the visitors’ device like cookies. When a website has a tracking pixel, information is sent to the provider of the pixel about what actions the visitor takes on the website.

The Meta-pixel records visitors' actions on websites and sends information to «https://www.facebook.com/tr/…». This also makes the information available to Meta Platforms Ireland Limited, which, among other things, operates the Facebook and Instagram services in the EU/EEA countries. NHI is responsible for the coding of the Website.

The Meta-pixel is loaded into the Website's HTML code when someone visits the Website. This causes a _fbp cookie to be automatically stored in the visitor's browser unless the cookie already exists there. The Meta-pixel stores a unique web identifier in the _fbp cookie.

The pixel can be configured to track various actions that visitors take on the websites on which the pixel is placed. In the audit, we have noted that the Meta-pixel tracks which web pages a visitor loads on his or her device, so-called "page load events". This information is sent from the Website to Meta, together with a unique user ID, IP address and a digital footprint with information about the browser, operating system, screen size, etc. This is information that makes it possible to identify the individual visitors.
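As an added example (not the Data Protection Authority's inspection tooling and not NHI's code), the following Python script performs the kind of check described above over constructed page snapshots: it looks for the pixel loader from connect.facebook.net, the fbq('init'/'track') calls, and the image beacon to https://www.facebook.com/tr (the endpoint the decision quotes), and reports which pages carry the pixel, so a site operator can see whether a visitor's path through its subpages would be reported to the provider. The pixel id 000000000000000, the sample pages and their paths are placeholders.

```python
"""Audit page snapshots for the Meta Pixel (added example, constructed sample pages)."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

PIXEL_HOST = "connect.facebook.net"            # host of the fbevents.js loader
BEACON_PREFIX = "https://www.facebook.com/tr"  # event endpoint named in the decision
FBQ_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
FBQ_TRACK = re.compile(r"fbq\(\s*['\"]track['\"]\s*,\s*['\"](\w+)['\"]")


@dataclass
class PixelFinding:
    page: str
    loader: bool = False                          # fbevents.js referenced
    pixel_ids: list = field(default_factory=list)  # ids passed to fbq('init')
    events: list = field(default_factory=list)     # events passed to fbq('track')
    beacons: list = field(default_factory=list)    # (id, event) from <img> fallbacks

    @property
    def present(self) -> bool:
        return self.loader or bool(self.pixel_ids) or bool(self.beacons)


class _Collector(HTMLParser):
    """Gather <script src>, inline script text and <img src> from one page."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline, self.img_srcs = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def audit_page(path: str, html: str) -> PixelFinding:
    """Report every Meta Pixel indicator found in one page's HTML."""
    c = _Collector()
    c.feed(html)
    body = "\n".join(c.inline)
    f = PixelFinding(page=path)
    f.loader = any(PIXEL_HOST in s for s in c.script_srcs) or PIXEL_HOST in body
    f.pixel_ids = sorted(set(FBQ_INIT.findall(body)))
    f.events = sorted(set(FBQ_TRACK.findall(body)))
    for src in c.img_srcs:
        if src.startswith(BEACON_PREFIX):
            q = parse_qs(urlsplit(src).query)
            f.beacons.append((q.get("id", [""])[0], q.get("ev", [""])[0]))
    return f


def audit_site(pages: dict) -> dict:
    """Audit every page of a site snapshot (path -> HTML)."""
    return {path: audit_page(path, html) for path, html in pages.items()}


def pages_with_pixel(findings: dict) -> list:
    """Pages whose loads are reported to the provider; if subpages are on the
    list, the provider can follow the visitor's journey through them."""
    return sorted(p for p, f in findings.items() if f.present)


# Constructed sample: the standard pixel snippet on the front page and on a
# disease subpage, and one page without it. The id is a placeholder.
_PIXEL_SNIPPET = """
<script>
!function(f,b,e,v,n,t,s){n=f.fbq=function(){};t=b.createElement(e);t.src=v;
s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
"""
SAMPLE_SITE = {
    "/": f"<html><head>{_PIXEL_SNIPPET}</head><body>Front page</body></html>",
    "/sykdommer/eksempel": f"<html><head>{_PIXEL_SNIPPET}</head><body>Disease page</body></html>",
    "/om-oss": "<html><head><title>About</title></head><body>No pixel here</body></html>",
}

if __name__ == "__main__":
    for path, finding in audit_site(SAMPLE_SITE).items():
        print(path, "pixel" if finding.present else "clean", finding.pixel_ids, finding.events)
```

A static scan like this only sees what is in the served HTML; a pixel injected later by a tag manager (the container update the controller describes in its comments) is only visible by inspecting the pages as a browser renders them, so the same checks should also be run over the network requests of a loaded page.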

3.4. Notice of decision

Based on the factual findings we made at the time of the inspection, we gave advance notice of a decision to issue a reprimand and an order to NHI on 20 February 2025.

The notice of reprimand concerned NHI's processing of personal data in violation of Article 6(1) and Article 9(1) of the GDPR, when using the tracking tool Meta Pixel on the website nhi.no.

The notice of order concerned NHI being required to cease the unlawful processing of personal data, i.e. to stop using Meta Pixel on the website nhi.no until a consent request has been prepared that meets the GDPR's requirements for voluntary participation and information, cf. GDPR Article 6(1)(a) and Article 9(2)(a), cf. Article 4(11) and Article 7(1).

3.5. NHI's comments on the notification of decision

The law firm Arntzen AS submitted comments on the notification of decision on behalf of NHI on 20 March 2025.

The comments initially state that NHI believes that the Meta-pixel was turned off on 8 April 2024. By mistake, the Meta-pixel was started again on 11 October 2024 due to an update of a container that automatically activated the Meta-pixel that was inactive/paused in this container. This was not discovered by NHI until 20 February 2025. NHI confirms that the Meta-pixel was permanently deleted on 20 February 2025, and therefore believes that the prior notice order to cease is no longer applicable.

The comments further state that NHI disagrees with the Norwegian Data Protection Authority's assessments in the prior notice, including on:

• NHI's role and responsibility for the various processing activities;

• whether NHI processes special categories of personal data;

• the Norwegian Data Protection Authority's assessment of the legal basis for processing.

The comments are reviewed in point 6 of the decision.

4. Legal background

“Personal data” is defined in Article 4(1) of the General Data Protection Regulation as:

any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is a person who can be identified directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What constitutes processing of personal data is defined in Article 4(2):

any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

According to Article 4(7) of the GDPR, a “controller” is:

a natural or legal person, public authority, institution or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (…).

Personal data shall be processed lawfully, fairly and transparently in relation to the data subject, see Article 5(1)(a) of the GDPR.

Personal data shall further be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes, see Article 5(1)(b) of the GDPR.

It is the responsibility of the controller to demonstrate that the processing of personal data is carried out in accordance with the principles set out in Article 5(1). This accountability principle is enshrined in Article 5(2).

All processing of personal data must have a legal basis in Article 6(1) in order to be lawful. The provision lists various legal bases, including:

Processing is only lawful if and to the extent that at least one of the following conditions is met:

(a) the data subject has consented to the processing of his or her personal data for one or more specific purposes; (…)

(f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject are overridden and require the protection of personal data, in particular where the data subject is a child.

Consent means a “freely given, specific, informed and unambiguous indication of the
data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”, see Article 4(11) of the GDPR and recital 32.

According to recital 42, consent “shall not be considered freely given if the data subject does not have a genuine freedom of choice, or is unable to refuse or withdraw consent without detriment to the data subject”.

When consent is used as a legal basis, the data subject must have been informed of what he or she is consenting to, including which personal data will be processed and for what purposes. The data subject must be able to foresee the consequences of giving consent based on the information provided by the controller. This means that the controller must not obscure the facts, but must explain clearly and directly what data will be collected and what they will be used for. If consent is not informed, the data subject’s control over his or her personal data will be illusory and consent will not be a valid legal basis under Article 6(1).[6]

The European Data Protection Board (EDPB) has stated in its guidelines on consent that the controller must consider the type of group of individuals about whom the business processes data. For example, if a service is directed at a group of individuals that includes minors, the controller shall ensure that information is provided which is understandable to minors.[7] In order to collect informed consent from a child, the controller must therefore explain how the personal data will be processed in a way that is clear and easy for children to understand.[8]

[4] See “Privacy Regulation Legal Commentary” on Article 6, by Åste Marie Bergseng Skullerud, Cecilie Rønnevik, Jørgen Skorstad and Marius Engh Pellerud, consulted on 19 June 2024 at juridika.no.

[5] See “Privacy Regulation Legal Commentary” on Article 7(2), by Åste Marie Bergseng Skullerud, Cecilie Rønnevik, Jørgen Skorstad and Marius Engh Pellerud, consulted on 19 June 2024 at juridika.no.

[6] See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, paragraphs 62-63.

The consent must be given for a specific purpose. This means that the purpose must be sufficiently specific to enable an assessment of whether it is necessary to process the personal data in question and whether the processing is in line with the GDPR.[9] The requirement that consent must be specific is intended to ensure a certain degree of user control and transparency for the data subjects, and is closely linked to the requirements that consent must be informed and free.[10] To meet this requirement, the controller must ensure that the purpose is specific in such a way that purpose drift is avoided.[11] A controller who requests consent for several different purposes should facilitate an opt-in solution for each individual purpose. The controller should provide specific information related to each individual consent request, so that the data subject is aware of the impact of the different choices.[12]

Consent is presumed not to be freely given if it is not possible to give separate consent for different processing activities, see recital 43 of the GDPR.[13] The Data Protection Board has stated that a service may include several processing activities for more than one purpose. In such cases, data subjects should be able to choose which purpose they accept, and not have to consent to several processing purposes at once (so-called “bundling”). Such granularity is necessary for a consent to be valid.[14]

The Data Protection Board has provided advice and recommendations on how to design user interfaces without using manipulative design that violates the GDPR.[15] Manipulative design can influence users’ behavior by exploiting cognitive bias. It can prevent the data subject from being able to protect their personal data and make informed choices, for example by not being able to give informed and voluntary consent.[16] This can be done, for example, with color choices in the user interface, where different choices have different colors and one alternative is more conspicuous than the most privacy-friendly alternative.

[7] See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, sec. 70.

[8] See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, para. 126.

[9] See “Personvernforordningen Lovkommentar” by Åste Marie Bergseng Skullerud, Cecilie Rønnevik, Jørgen Skorstad and Marius Engh Pellerud, consulted on 19 June 2024 at juridika.no. See also EDPB guidelines on consent where reference is made to A29 WP Opinion 3/2013 on determination of purposes, in footnote 28 on p. 13 and footnote 30 on p. 14. See Article 29 Data Protection Working Party Opinion 03/2013 on purpose limitation, pp. 15-

[10] See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p. 14.

[11] The Board’s predecessor, the Article 29 Working Party, has stated that a purpose that is vague or general, such as “marketing purposes”, will not, without further details, usually meet the requirement of being specific. The level of detail a purpose must be described in to be sufficiently specific depends on the context in which the data are collected and the personal data covered. See Article 29 Data Protection Working Party Opinion 03/2013 on purpose limitation, pp. 15-16.

[13] See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, pp. 14-15. See also EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p. 12.

[14] See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p. 12.

[15] See EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them.

[16] See EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them, in section 3. See also the Consumer Council’s report “Deceived by design”, https://www.forbrukerradet.no/manipulerende-design/.

The French data protection authority, CNIL, made a decision in December 2023 in which it concluded that “nudging” in the form of color, design and choice of text on the consent buttons meant that the requirement for voluntary consent was not met.[17]

Consent must be unambiguous, meaning that it must be given by an active act or statement from the data subject. It must be clear that the data subject has consented to the current processing.[18]

It follows from Article 9(1) of the General Data Protection Regulation that the processing of special categories of personal data is prohibited in principle:

The processing of personal data revealing racial or ethnic origin, political opinions, religion, philosophical beliefs or trade union membership, as well as the processing of genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sexual relations or sexual orientation, is prohibited.

The prohibition in Article 9(1) shall not apply if one of the exemption conditions in Article 9(2) is met:

Paragraph 1 shall not apply if one of the following conditions is met:

(a) The data subject has given explicit consent to the processing of such personal data for one or more specific purposes, unless Union law or the national law of the Member State provides that the data subject cannot lift the prohibition referred to in paragraph 1. (…)

“Health data” is defined in Article 4(15) as:

personal data concerning the physical or mental health of a natural person, including the provision of healthcare services, which provide information about the state of health of that person.

5. The Authority’s delimitation from the Electronic Communications Act

The Data Protection Authority shall enforce the regulations in the Personal Data Act, including the General Data Protection Regulation. The regulations apply to all processing of personal data unless otherwise provided for in or pursuant to law, cf. § 2, first paragraph, of the Personal Data Act.

At the time of the inspection, the use of cookies was specifically regulated in the Electronic Communications Act 2003 (ekomloven 2003) § 2-7 b,[19] which implements Article 5(3) of the EU ePrivacy Directive.

[17] SAN-2023-025.

[18] See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p. 18.

[19] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the

Today, ekomloven 2003 § 2-7 b has been replaced by ekomloven 2024 § 3-15. The biggest difference between the old and the new provision is that the new provision specifies that the consent shall meet the requirements of the General Data Protection Regulation.

The Electronic Communications Act 2003, Section 2-7 b, first paragraph, states that:

“Storing information in a user’s communication equipment, or gaining access to such, is not permitted unless the user is informed of what information is being processed, the purpose of the processing, who is processing the information, and has consented to this.”

According to the wording, the provision first covers the storage of information on the data subject’s device (mobile phone, computer, tablet, etc.). The provision also covers accessing the information stored on the device. The preparatory work for the provision

clarifies that the rule 20 regulates the act itself – storing or retrieving the information. The purpose of the provision is to protect the user’s communication equipment, as this is part of private life, regardless of whether personal data is being processed, cf. the Data Protection Directive, paragraph 24.

At the time of the inspection, the National Communications Authority (Nkom) was the competent authority for

this provision in Norway. The specific requirements of the Electronic Communications Act were therefore not assessed in the inspection.

The processing of personal data beyond storing information in the device, or gaining access to it, falls outside the scope of the provision in the Electronic Communications Act. As the supervisory authority for the Personal Data Act, the Data Protection Authority always has the competence to assess
this processing.

The Personal Data Act also applies to processing that falls within the Electronic Communications Act 2003 § 2-
7 b and the Electronic Communications Act 2024 § 3-15 insofar as it concerns privacy aspects that are not regulated by the provision. This means, for example, that the principles for the processing of
personal data in Article 5 of the General Data Protection Regulation and the requirements for information security in Article 32 also apply when storing or gaining access to personal data in the device of the data subject. This is in line with Article 10 of the Data Protection Directive and Article 173 of the Data Protection Regulation, which states that the Data Protection Regulation applies to all aspects of the protection of fundamental rights and freedoms that are not specifically regulated in the Data Protection Directive, including the rights of the data subject and the obligations of the controller.

We have limited the supervision to the Website's use of tracking tools that fall under the competence of the Norwegian Data Protection Authority under the Personal Data Act and the Data Protection Regulation.

From 2025, the Norwegian Data Protection Authority is also the supervisory authority for the actual storage in communication equipment and access to the stored information under the Electronic Communications Act 2024 § 3-15,

processing of personal data and the protection of privacy in the electronic communications sector [ePrivacy
20rective].

Prop. 69 L (2012-2013), p. 102.

10together with Nkom. We therefore emphasize the importance of the website operator ensuring compliance with the requirements for consent in the new e-communications law as this may be subject to later supervision.

6. The Norwegian Data Protection Authority's assessment

6.1. Processing of personal data

The Norwegian Data Protection Authority has chosen to limit our assessment to NHI's processing of personal data for marketing purposes through the use of the tracking tool Meta-pixel. Our assessments will nevertheless be relevant to the use of other cookies, pixels and tracking tools in general.

When a visitor loads a web page on the Website, the embedded pixels are activated. The pixels then send information about the specific web page that has been loaded together with identifiers about the visitor.

The information shared therefore includes unique identifiers that identify the individual user and distinguish them from other visitors to the Website. Web identifiers are expressly mentioned in Article 4(1) of the General Data Protection Regulation as an example of personal data. In the preamble, paragraph 30, it is justified why such information is considered personal data:

“Natural persons can be linked to online identifiers via equipment, programs, tools and protocols, such as IP addresses, cookies or other identifiers, such as radio frequency identification tags. This can leave traces that, in particular in combination with unique identifiers and other information received by the servers, can be used to create profiles of natural persons and identify them.”

The preamble highlights the possibility of identifying persons[22] by compiling other information to which the recipient reasonably has access. In this case, the information is made available to Meta, which owns major social media platforms such as Facebook and Instagram. Meta has access to large volumes of personal data, and many people have user profiles on the company’s platforms. These user profiles usually contain directly identifying information. Meta links the data it collects through the pixels to the user profiles. This is stated in its privacy policy:

“We collect and receive information from partners, measurement providers, marketing providers and other third parties about various information about you and your activities on and off our products. Here are some examples of information we receive about you: (…) Websites you visit and data from cookies, e.g. through social plugins or the Meta pixel (…) We use the information we collect to provide you with a personalized experience, including advertisements (if we show you advertisements in Meta products), together with the other purposes that we explain in more detail below.”[23]

Meta’s privacy policy clearly states that personal data is collected by the company and combined with other information, and that this is used, among other things, for marketing purposes.

This linking of information means that if a visitor to the Website also has a profile on one of Meta’s platforms, Meta can link this information to that person’s user profile. Thus, the information shared from the Website through the Meta pixel is personal data pursuant to Article 4(1).

It is also clear that further processing of personal data occurs beyond storing or reading information on the user’s device, for example through the processing of personal data obtained using a tracking pixel and subsequent processing, cf. Article 4(2) of the GDPR. This clearly falls within the scope of the GDPR.

NHI has no comments regarding whether personal data is processed and whether the GDPR applies.

21 Regulation 2024-12-20-3413 on delegation of authority pursuant to the Electronic Communications Act, section 12.
22 See also recital 26 of the GDPR.
6.2. Responsibility for processing

A controller is a legal entity responsible for processing personal data in accordance with the rules of the GDPR. As mentioned in point 4, “controller” is defined as the person who, alone or jointly with others, determines the purposes of the processing of personal data and the means to be used, cf. Article 4(7).

The Court of Justice of the European Union has also held that natural or legal persons who exercise influence over the processing of personal data for their own purposes and who participate – as a result – in determining the purposes and means of this processing may be considered a controller.[24] When there is joint responsibility among several actors for a processing, it is not required that each actor has access to the personal data in question.[25]

Joint responsibility does not, however, mean that different actors have the same responsibility for the processing of personal data. The different actors may be responsible for different stages of the processing of personal data and to varying degrees, which means that each actor’s responsibility must be assessed in light of all relevant aspects of the case.

In the Fashion ID judgment,[26] the CJEU ruled on the allocation of responsibility between the website operator and the provider of a tracking tool. The question was whether the website operator, by implementing a program code on the website, which transferred personal data to a third party, was a controller despite the fact that the website operator itself could not influence what happened to the data after it was retrieved by the third party. The CJEU concluded that the website operator had made it possible for third parties, in this case Facebook, to access personal data about the user. Furthermore, the CJEU found that the website operator, together with the third party, determined the purposes and means of collecting and sharing personal data from the website. The website operator was therefore a controller of the data that ended up with the third party despite the fact that it did not have access to the data itself. The CJEU stressed that the website operator had accepted the collection and further disclosure to third parties by implementing tracking tools on the website in order to obtain commercial advantages in the form of marketing.

NHI emphasizes in its comments that its responsibility is limited to the collection and data capture of personal data through the Meta pixel, and not Meta’s further processing and use of it. In support of this argument, reference is made to the above-mentioned Fashion ID judgment, which states that an actor integrating third-party tracking tools may have joint processing responsibility for the initial collection of data, but not for the third party’s further processing. If Meta compiles the data so that health information emerges, NHI cannot be held liable for this. Against this background, NHI emphasizes that the issue must be limited to whether NHI processes special categories of personal data through its use of the Meta pixel on the Website.

As stated in the notice of decision, the Data Protection Authority is also of the opinion that NHI is not responsible for all subsequent processing of personal data that Meta does with the data it receives from the Website. We also agree that the issue is whether NHI, through its use of the Meta-pixel, processes special categories of personal data that are then made available to Meta.

NHI has implemented the Meta-pixel on the Website and thus facilitated access by third parties to personal data about those who visit the Website. This also means that NHI has enabled the subsequent activities for marketing purposes. The subsequent processing for marketing purposes is also in NHI’s interest, in order to reach relevant target groups in various channels. NHI has therefore exercised decisive influence over the purposes and means and is therefore responsible for the processing of personal data that occurs when using tracking tools on the Website, cf. Article 4, No. 7 of the General Data Protection Regulation.

23 See Meta’s Privacy Policy, https://www.facebook.com/privacy/policy/, last visited on 10 April 2025. The Privacy Policy has now been updated somewhat, but the quote is taken from the version that was in force when the Website used the Meta pixel.
24 C-25/17, Jehovan todistajat, paragraph 68.
25 C-210/16, Wirtschaftsakademie Schleswig-Holstein, paragraph 38 and C-25/17, Jehovan todistajat, paragraph 69.
26 C-40/17, Fashion ID GmbH & Co. KG.

6.3. Special categories of personal data

As mentioned, it follows from Article 9(1) that “processing of (…) health data or data about a natural person’s sexual relations” falls within the definition of special categories of personal data. Processing of such data is prohibited in principle, and the purpose of the provision is to provide special protection for sensitive data.

NHI processes information that an identifiable natural person is visiting the Website.

The main purpose of the Website is to provide health information to visitors. For example, the fact that a visitor often visits a sub-website that deals with epilepsy is not directly health data, but it may indirectly provide information about the person’s health, because it is more likely that a person with symptoms of epilepsy is visiting this sub-website. Given the high number of visitors to the Website, it cannot be ruled out that many of the visitors visit sub-websites that concern their own illnesses.

From the comments it follows that NHI believes that its use of the Meta-pixel on the Website does not involve the processing of special categories of personal data pursuant to Article 9(1) of the GDPR, as the information is neither directly related to a person’s health condition, nor collated with other data by NHI, nor of such a nature that it clearly reveals health information about specific natural persons.

6.3.1. C-184/20, OT v Vyriausioji tarnybinės etikos komisija

The EU Court of Justice concluded in the OT judgment[27] that Article 9(1) on “special categories of personal data” also covers information that can be indirectly derived from the information.

In the case, a Lithuanian administrative body had published lists of cohabitation and marriage, and the question arose whether conclusions about sexual orientation could be drawn from this list. The Court of Justice of the European Union answered the question in the affirmative and stated that a broad approach to the concept of “special categories of personal data” is in line with the overall objective of “ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular the right to privacy.”[28]

In its observations, NHI states that this judgment cannot be given significant weight for NHI’s processing of personal data. NHI states that in Article 9(1) of the GDPR there is a difference in interpretation between information that is presumed to “reveal” special categories of personal data, and information “concerning” special categories of personal data. Health information is linked in the provision to “concern”, while the judgment deals with information that can “reveal” sexual orientation. As clearer evidence is required to be able to say that information “concerns” special categories of personal data than to say that it “reveals” them, the judgment has no transferable value.

NHI believes that this difference in interpretation is emphasized in the judgment and claims that section 85 of the judgment states that “The use of the verb ‘reveal’ is consistent with the taking into account of processing that not only is of inherently sensitive data but indirectly enables disclosure thereof following an intellectual exercise involving deduction or cross-referencing. That does not apply, in my view, to the word ‘concerning’, which strikes a more direct and more immediate link between the processing and the data concerned, envisaged from an inherent point of view.”

On this basis, NHI argues that a more direct link is required between the visits to the sub-website and the actual health status of the data subjects in order for it to be considered as health data pursuant to Article 9(1) of the General Data Protection Regulation. Natural persons’ visits to the sub-websites may just as easily be for professional development or purely coincidental purposes.

The Data Protection Authority notes at the outset that the statement NHI refers to[29] is not taken from the OT judgment, but from the Advocate General’s opinion in the same case. On the contrary, the Advocate General’s interpretation that Article 9(1) of the General Data Protection Regulation sets different thresholds for different types of special categories of personal data was expressly rejected by the Court of Justice of the European Union. The Court of Justice states the following in paragraph 124 of the Advocate General’s opinion: “Such an interpretation, which would result in a distinction being drawn according to the type of sensitive data at issue, would not, however, be consistent with a contextual analysis of those provisions (…).”

As previously mentioned, the Court of Justice of the European Union in this judgment assumes that a broad interpretation of the concept of “special categories of personal data” is in line with the GDPR’s overarching objective of ensuring a high level of protection for personal data. The Court therefore confirmed that indirect information also falls within the concept of “special categories of personal data”, and precisely for this reason the judgment has transposition value to the present case.

27 C-184/20, OT v Vyriausioji tarnybinės etikos komisija.
28 See paragraphs 125-126.

6.3.2. C-252/21, Bundeskartellamt

In the Bundeskartellamt judgment,[30] the CJEU had to decide whether websites or apps for dating, health, political parties and the like with integrated tracking tools processed “special categories of personal data” by collecting and compiling information about users’ website visits. The CJEU concluded in paragraphs 69 and 73 that the use of tracking tools on such websites constituted the processing of “special categories of personal data”, regardless of whether the information was accurate. This means that the use of tracking tools on a website or app may constitute the processing of special categories of personal data if the website or app in question is related to the topics listed in Article 9(1) of the GDPR.

In its observations, NHI states that in this judgment it was not only the collection by means of a tracking tool that was decisive for whether the information was to be considered as special categories of personal data, but the comparison with information provided by the individual user. NHI refers to paragraph 73 of the judgment, where it is stated that “the processing of personal data by the operator of that online social network, which entails the collection – by means of integrated interfaces, cookies or similar storage technologies – of data from visits to those sites and apps and of the information entered by the user, the linking of all those data with the user’s social network account and the use of those data by that operator, must be regarded as ‘processing of special categories of personal data’.”

As this case only concerns sub-website visits without this information being linked to additional information provided by the individual visitor, NHI believes that the judgment cannot be given significant weight for NHI’s processing of personal data.

The Data Protection Authority interprets NHI’s comment as meaning that it believes that the EU Court’s use of “and of the information entered by the user” in paragraph 73 indicates that there must be both sub-website visits and other information provided by the data subject on the Website in order for it to be considered as processing of special categories of personal data. Looking at the judgment as a whole, it is clear that such an interpretation of cumulative conditions is not correct.

Firstly, the first part of paragraph 73 indicates that such an interpretation is not correct. Here the Court states “where the user of an online social network visits websites or apps to which one or more of the categories referred to in that provision relate and, as the case may be, enters information into them when registering or when placing online orders” (our emphasis). The statement and use of “as the case may be” give a clear indication that it is not a condition that the data subject must provide further information, and that consequently a website visit in itself can constitute special categories of personal data.

Secondly, paragraph 72 of the judgment makes it clear that such an interpretation cannot be supported. Here it states that “It should be made clear that it appears (…) that the processing of data relating to visits to the websites or apps in question may, in certain cases, reveal such information without it being necessary for those users to enter information into them when they register or place online orders” (our emphasis).

Following this, the Data Protection Authority cannot see that there is a requirement that there must be both a website visit and that the data subject provides additional information in order for it to be considered as processing of special categories of personal data. The data subject’s visit to the website may in itself be enough to constitute special categories of personal data, as the Court of Justice of the European Union emphasizes. Since website visits and use of apps may in themselves constitute special categories of personal data, the judgment has great transfer value to the present case. The judgment is also important for the interpretation of the content of Article 9, as the Court of Justice of the European Union expressly states that the protection provided by the provision does not depend on whether the information is correct.

29 Opinion of Advocate General Pikamäe in Case C-184/20, delivered on 9 December 2021.
30 C-252/21, Bundeskartellamt, paragraphs 66-73.

6.3.3. C-21/23, Lindenapotheke

In the Lindenapotheke judgment, the Court of Justice of the European Union further clarifies that what constitutes “health data” must be interpreted broadly. The judgment states that the sale of pharmacy products online can reveal health information, even if it is not entirely certain that the customers are buying for themselves and even if the pharmacy products are not prescription-only. The judgment emphasized that it is sufficient that personal data can reveal information about the data subject’s health status by means of an intellectual operation involving compilation or deduction in order to be classified as health information.[31]

31 C-21/23, Lindenapotheke, paragraphs 83, 88 and 90.

The comments state that NHI believes that this judgment also has no transfer value to its processing of personal data. This is because the Court’s conclusion was made on the basis that the processing included additional information provided by the individual user, and required a more definitive and positive explicit source of information (a purchase made) than a visit to a sub-website on the Website.

NHI further writes that it processes information about identifiable natural persons who are on the Website, including their behavior and page visits on the Website. It is NHI’s opinion that the fact that a visitor visits a sub-website that actually deals with migraine does not provide any further information than that the person has visited this sub-website. NHI agrees to some extent with the Data Protection Authority’s claim that repeated visits over a longer period of time may indicate a certain probability that the visitor actually suffers from migraine, but nevertheless believes that it would be speculative to indirectly diagnose the visitor with migraine on the basis of sub-website visits.

The Data Protection Authority notes at the outset that what NHI refers to as a requirement for a “definitive and positive explicit source of information” is not a criterion or threshold under Article 9 of the GDPR, nor is it mentioned in the judgment. The judgment makes it clear in paragraph 81 that the term “health data” should be interpreted broadly in order to ensure the purpose of the GDPR. The judgment further emphasizes in paragraph 82 that even information that may indirectly reveal special categories of personal data is covered by the protection provided by Article 9. In paragraph 83, the Court makes it clear that it is sufficient that someone would be able to reveal health information through deduction or comparison for it to be considered health data. As the judgment says something about the threshold for what is required for something to be considered health data, it therefore has great transfer value to the present case.

NHI believes that there is too weak a connection between a visitor’s sub-website visit and health data. In this regard, the Data Protection Authority refers again to paragraph 83 of the judgment, which states that it is sufficient that one – through an intellectual operation – can draw conclusions about a visitor’s health information based on their sub-website visits on the Website. In light of the purpose of the GDPR, the Court sets a low threshold for what is considered health information. The low threshold is further emphasized by the Court’s conclusion that non-prescription medicines are also considered health information. With regard to NHI’s argument that it would be “speculative” to indirectly diagnose visitors based on their sub-website visits, we emphasize that these “speculative” cases also enjoy protection under Article 9(1) of the GDPR. In light of the purpose of the provision, the data subjects also enjoy the protection provided by the provision in cases where the information is incorrect. The Court also explicitly states this in paragraph 87 of the Lindenapotheke judgment. A narrow interpretation of Article 9(1), whereby only information that is confirmed is subject to the protection provided by the provision, would undermine the protection that the provision is intended to provide.

The Lindenapotheke judgment sets a low threshold for what can be considered health data and has clear transfer value to NHI’s processing of personal data.

6.3.4. C-136/17, GC and Others

In its observations, NHI[32] highlights what it considers to be a more comparable case from the Court of Justice of the European Union, the GC and Others judgment. In this case, the Court of Justice considered whether a search engine operated by Google was subject to the prohibition on the processing of special categories of personal data.

NHI argues that the Court concluded that the search engine’s activity, which consists of indexing and presenting search results, does not in itself constitute processing of special categories of personal data. Furthermore, NHI claims that the Court of Justice in paragraph 46 emphasizes that a literal application of the provision would lead to any processing of the information listed in the provision being prohibited, which the EU Court of Justice does not believe to be the correct approach.

Reference is also made to the following statement in paragraph 47: “In that regard, I note that none of the parties that have submitted observations argues in favour of such a strict interpretation, and they are quite correct not to do so.” NHI believes that the judgment illustrates the fact that information can potentially say something about a person’s health, but does not necessarily mean that it is to be considered a special category of personal data.

The Norwegian Data Protection Authority notes that neither the conclusions nor the quotes to which NHI refers are taken from the EU Court of Justice’s judgment, but from the Advocate General’s opinion in the case.[33] The Advocate General’s interpretation was not followed up in the judgment, which was heard in the Grand Chamber. On the contrary, the Court concluded that “while (…) the specific features of the processing carried out by the operator of a search engine in connection with the activity of the search engine cannot justify the operator being exempted from compliance with Article 8(1) (…) those specific features may, however, have an effect on the extent of the operator’s responsibility and obligations under those provisions” (emphasis added).

The question in the case was whether search engines must comply with Articles 9 and 10. The Court of Justice of the European Union answered in the affirmative. It is therefore wrong that Article 9 does not apply to search engines, and this judgment is in any case irrelevant in the assessment of what constitutes special categories of personal data under Article 9(1). In addition, there are also major differences between website operators who publish content themselves and search engines that index content.

The Norwegian Data Protection Authority cannot therefore see that this judgment has transferable value to the case at hand.

32 C-136/17, GC and Others (De-referencing of sensitive data).
33 Opinion of Advocate General Szpunar in Case C-136/17, delivered on 10 January 2019.

6.3.5. Conclusion

The Norwegian Data Protection Authority, after reviewing NHI’s observations on the first three judgments, maintains that the conclusions of the Court of Justice in these cases have transferable value to our case.

Although it is not possible to determine with certainty the physical or mental health of a visitor to the Website based on which articles the person has visited, there is reason to assume that in any case a person’s visits taken as a whole over time will provide a picture of the person’s health situation. The pixel provider then receives information that a specific person has visited the Website and what actions the person has taken there, for example whether the person reads articles about depression, ADHD or celiac disease.

Based on the low threshold set by the CJEU for what is to be considered as special categories of personal data in the above-mentioned judgments, it is – contrary to what NHI states – not a requirement that the information must be directly linked to a person’s health condition, that the information about website visits must be collated with other data by NHI, or that it must be of such a nature that it manifestly reveals health information about specific natural persons.

In addition, we note that certain health conditions can also say something about a person’s sexual relationships or sexual orientation.

Following this, we conclude that the personal data made available to third parties through NHI’s use of the Meta-pixel are to be considered as “special categories of personal data” pursuant to Article 9(1).

6.4. Lawful processing of special categories of personal data

The prohibition on processing special categories of personal data, including
data concerning health and data concerning sexual relations, is not absolute. If a
controller meets one of the exemptions set out in Article 9(2), such
processing will nevertheless be valid.

If websites that process special categories of personal data use tracking tools for marketing purposes, Article 9(2)(a) on explicit consent will in practice be the only relevant exemption. The requirements for explicit consent are strict, and general information about the use of tracking tools in a privacy statement or consent statement is not sufficient.

As mentioned above, there are many requirements in Article 4(11) for what constitutes valid
consent. Here we have chosen to focus on two of them, namely the requirements that consent must be
freely given and informed.

6.4.1. Voluntary

19As mentioned, voluntary consent presupposes that the data subject has a real freedom of choice. The design

of a website may prevent the data subject from being able to protect their personal data and make

conscious choices, for example by preventing the data subject from giving informed and voluntary consent. 35

In the cookie banner on the Website, the button for “Allow all cookies” had a color that was particularly highlighted and could thus consciously or subconsciously lead the data subject to

select this option regardless of the data subject’s privacy preferences. The “Allow all cookies” button had a bright blue color, while the options “Only necessary cookies” and “Customize” had a white color, similar to the background of the cookie banner.

The Norwegian Data Protection Authority considers that the design of the cookie banner was likely to push the 36
data subject to select the option "Allow all cookies" through cognitive bias,
especially when the data subject only wanted to proceed to access health information on the
Website.

The design of the cookie banner is a clear example of "dulting" or manipulative design
which involves inappropriate influence because it is likely to interfere with the visitor's voluntary
choice.

In this context, we also highlight recital 32, which states that electronic
requests for consent shall not interfere with the use of the service unnecessarily. Here, the cookie
banner makes it impossible to use the service without making a choice, and this is not in line with recital 32.

In the comments, NHI states that the consent must be considered to have been given voluntarily. NHI emphasizes that the GDPR does not prohibit the design of different options in different colors, and that such a prohibition is not based on guidance from the Norwegian Data Protection Council or the practice of various supervisory authorities. Reference is also made to the Norwegian Data Protection Council's "Cookie Banner Taskforce Report" section 17, which states that "a general banner standard concerning color and/or contrast cannot be imposed on data controllers". NHI further claims that the report emphasizes that the decisive factor is whether "the contrast between the text and the button background is so minimal that the text is unreadable to virtually any user", i.e. whether the banner makes certain choices invisible or illegible. The Data Protection Authority agrees that there is no general prohibition against designing consent statements in different colors, and that consent is not automatically invalid as a result of the use of color in itself. Nevertheless, the use of colors and contrasts is a key factor in assessing whether consent is voluntary and thus valid.

We disagree with NHI that the decisive factor in the assessment is whether the banner makes certain choices invisible or illegible. In section 18 of the above-mentioned “Cookie Banner Taskforce Report” of the Norwegian Data Protection Council, it is the text being invisible or illegible that is highlighted as a clearly misleading practice, which is something different from what is at issue here. Incidentally, this is not the only design that is considered illegal.

[34] See point 42 in the preamble to the General Data Protection Regulation.
[35] See EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them, section 3. See also the Consumer Council’s report “Deceived by design”, https://www.forbrukerradet.no/manipulerende-design/.
[36] See p. 8.

The different options in NHI’s consent declaration were all legible and accessible. As mentioned above, this does not automatically mean that the design was lawful. As mentioned, the use of color in the case in question is likely to encourage users to press the “Allow all” button, as this button stands out and is more conspicuous than the other options. The use of color has probably led to some visitors unconsciously pressing “Allow all” without necessarily wanting or intending to give consent. In addition, there is reason to believe that the “Allow all” button would not have been designed with such a color if it was not assumed that it would lead to more visitors, either intentionally or unintentionally, pressing this button. NHI also claims that the Data Protection Authority in the notification of decision refers to the Norwegian Data Protection Authority’s Guidelines 03/2022, section 60, which concerns the use of pre-filled choices or passive consent, which is not relevant in this case. The Norwegian Data Protection Authority notes that we cannot see that we have referred to this section anywhere in the notification of decision, and otherwise agrees that this topic is not relevant in this case.

Following this, the Norwegian Data Protection Authority finds that the design of the cookie banner is a clear example of nudging ("dulting") or manipulative design that involves inappropriate influence because it is capable of interfering with the visitor's voluntary choice. Consent is therefore not voluntary.

6.4.2. Informed

In this case, the cookie banner did not provide information that the personal data being processed may include health data. This is particularly serious when NHI's privacy policy states that sensitive personal data will not, as a rule, be processed. As long as NHI does not ask for consent to process health data, it is obvious that they have not received such consent either.

There is also no information in the consent policy that enables the data subject to understand the consequences of consent to the processing of health data, including that health data will be shared with third parties such as Meta, who may use this information for their own purposes.

Consent is therefore not informed.

6.4.3. NHI's comments

In NHI's comments on this point, it is claimed that the Norwegian Data Protection Authority has not considered whether the requirements for consent under Article 6(1)(a) of the GDPR, cf. Article 4(11), are fulfilled. Given the difference in the threshold for what is considered valid consent under Article 6(1)(a) and Article 9(2)(a), NHI is curious about how the Norwegian Data Protection Authority assesses the design and information of the cookie banner in light of a possibly changed conclusion that NHI's use of the Meta pixel involves the processing of special categories of personal data.

The Norwegian Data Protection Authority notes that in section 6.5 of the notification of the decision we assessed whether the requirements for consent under Article 6(1)(a), cf. Article 4(11), were fulfilled. In the notification, our preliminary conclusion was that the consent was not valid according to Article 6(1)(a) because the consent was not freely given or informed.

We still maintain that NHI has processed special categories of personal data, and that you therefore had to obtain explicit consent from the data subjects, cf. Article 9(2)(a) of the General Data Protection Regulation.

An explicit consent pursuant to Article 9(2)(a) must be even clearer and more explicit than an ordinary consent pursuant to Article 6(1)(a). However, the difference in the threshold between the two different consents is not of such a degree that it would have made a difference if NHI did not process special categories of personal data in the present case. A consent that is not given voluntarily or informed will never be considered as valid consent pursuant to Article 6(1)(a), cf. Article 4(11).

6.4.4. Conclusion

The consent is not valid. This means that NHI, through the use of Meta-pixel on the Website, has
processed special categories of personal data in violation of Article 9 of the General Data Protection Regulation.

6.5. Legal basis

As mentioned above, the processing of personal data must have a legal basis in one of the alternatives in Article 6(1). In particular, consent pursuant to letter a and a balancing of interests according to letter f may constitute the processing basis for the processing of personal data for marketing activities.

We note that from 1 January 2025, a requirement for valid consent applies for the placement of
cookies, but this requirement did not apply at the time of the inspection.

In the case of NHI, the information is considered to be sensitive because
information about health and sexual relations can be derived from the data. Therefore, the individual's
privacy will weigh heavily in the balancing of interests. Marketing interests will generally not weigh more heavily than the individual's privacy when it comes to this type of personal data.

In practice, Article 6(1)(a) on consent will then remain as the relevant processing basis. As mentioned above, the consent was not valid pursuant to Article 9(2)(a) due to lack of voluntariness and information. For the same reasons, the consent is also not valid under Article 6(1)(a), cf. Article 4(11).

We cannot see that any of the other processing grounds in Article 6(1) of the GDPR apply to the processing. The processing took place without a processing ground, and we thus find a violation of Article 6(1) of the GDPR.

7. Choice of corrective measures

According to Article 58(2) of the GDPR, the Norwegian Data Protection Authority has the authority to decide on corrective measures.

Personal data about those who visited the Website while the Meta-pixel was activated was processed unlawfully, including being made available to third parties, in violation of Articles 6 and 9 of the GDPR. NHI had no control over what happened to the personal data after it ended up with a third party. In our assessment, the processing of personal data posed a clear risk to those affected.

The Norwegian Data Protection Authority has not found it necessary to impose a fine in this case. We consider that a reprimand will be sufficient to ensure NHI's compliance with the regulations. Our basis for imposing a reprimand is Article 58(2)(b) of the General Data Protection Regulation. A reprimand is an administrative reaction intended to highlight criticism of the violations of the rules in question. Imposing a reprimand may be considered in a possible later assessment of imposing a fine if there is a corresponding violation of the regulations, cf. Article 83(2)(i) of the General Data Protection Regulation. As NHI has now removed the Meta pixel from the Website, the prior notice that NHI must stop using the Meta pixel until a consent request has been prepared that meets the General Data Protection Regulation's requirements for freely given and informed consent, cf. Article 6(1)(a) and Article 9(2)(a), cf. Article 4(11) and Article 7(1).

We nevertheless emphasize the importance of having a consent request that meets the GDPR's requirements for voluntary consent and information. This applies in particular if you use other tracking tools that function in a similar or equivalent way to the Meta pixel.

8. Recommendations for follow-up

As explained above, we have chosen not to look at the special requirements under the Electronic Communications Act in this inspection. However, the Norwegian Data Protection Authority has now been granted supervisory competence under Section 3-15 of the Electronic Communications Act. This means that in the future we will also supervise this provision, including the requirement for valid consent to the placement of cookies.

In any case, we believe that it is necessary for you to review all cookies for marketing that are placed on the Website, as well as to review the consent solution to ensure that website visitors are able to exercise a free choice and are given sufficient information before consent is given. Since the consent requirements have been tightened in the new Electronic Communications Act and the Norwegian Data Protection Authority has been given expanded supervisory competence, you must expect that we can fully supervise the consent declaration also with regard to cookies. We clarify that the Norwegian Data Protection Authority may impose stricter sanctions in the event of repeated violations. When consent was not valid for the processing of personal data in the context of tracking pixels, it will probably not be valid for the use of cookies either. Regarding the information provided, it is important, for example, that visitors to the Website are informed if consent to the use of tracking tools means that third parties can use personal data about health and sexual relations for their own purposes, including commercial purposes such as marketing. Visitors should also be informed that they can still use the website if they do not give consent.
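The two defects the decision identifies in section 6.4 (a visually dominant "Allow all" button, and a banner that says nothing about health data, third-party use or the option of declining) and the review the DPA recommends in section 8 can both be checked mechanically. The script below is an added example written for this page; it is not code from the decision, from NHI or from any consent-management product. It scores button prominence as the WCAG 2.x contrast ratio of each button's background against the banner background, flags the accept button when it out-contrasts the other choices by more than an assumed threshold, and scans the banner text for the disclosures the decision calls for. The banner objects, colour values, regular expressions and the 1.5 threshold are all constructed for illustration.

```javascript
// Added audit helper for a cookie-consent banner configuration (example code,
// not from the decision). It checks the two points raised in section 6.4:
//  (1) is the accept button far more prominent than the other choices?
//      (WCAG 2.x contrast against the banner background; text colour ignored)
//  (2) does the banner text carry the disclosures the DPA says were missing?

// Parse "#rrggbb" into [r, g, b] with each channel in 0..255.
function hexToRgb(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`bad colour: ${hex}`);
  const n = parseInt(m[1], 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// WCAG 2.x relative luminance of an sRGB colour (0 = black, 1 = white).
function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio between two colours; always >= 1, at most 21.
function contrastRatio(hexA, hexB) {
  const la = relativeLuminance(hexA);
  const lb = relativeLuminance(hexB);
  const [hi, lo] = la > lb ? [la, lb] : [lb, la];
  return (hi + 0.05) / (lo + 0.05);
}

// Disclosures the decision says an informed consent request must carry.
// The patterns are a constructed heuristic, not a legal test.
const REQUIRED_DISCLOSURES = [
  { id: "health-data", pattern: /health/i },
  { id: "third-party-use", pattern: /third part(y|ies)/i },
  { id: "usable-without-consent", pattern: /without (giving )?consent/i },
];

// Audit one banner; maxProminenceRatio is an assumed tolerance.
function auditBanner(banner, maxProminenceRatio = 1.5) {
  const issues = [];
  const accept = banner.buttons.find((b) => b.role === "accept");
  const others = banner.buttons.filter((b) => b.role !== "accept");
  if (!accept || others.length === 0) {
    issues.push("banner must offer both an accept and a non-accept choice");
    return { ok: false, issues, prominence: [] };
  }
  const acceptContrast = contrastRatio(accept.background, banner.background);
  // Prominence = how much more the accept button stands out than each alternative.
  const prominence = others.map((b) => ({
    label: b.label,
    ratio: acceptContrast / contrastRatio(b.background, banner.background),
  }));
  for (const p of prominence) {
    if (p.ratio > maxProminenceRatio) {
      issues.push(`accept button is ${p.ratio.toFixed(1)}x more prominent than "${p.label}"`);
    }
  }
  for (const d of REQUIRED_DISCLOSURES) {
    if (!d.pattern.test(banner.text)) issues.push(`missing disclosure: ${d.id}`);
  }
  return { ok: issues.length === 0, issues, prominence };
}

// Constructed banner modelled on the description in section 6.4.1:
// bright blue "Allow all", white alternatives on a white background, no disclosures.
const BANNER_AS_DESCRIBED = {
  background: "#ffffff",
  text: "We use cookies to improve your experience.",
  buttons: [
    { role: "accept", label: "Allow all cookies", background: "#0066cc" },
    { role: "reject", label: "Only necessary cookies", background: "#ffffff" },
    { role: "customize", label: "Customize", background: "#ffffff" },
  ],
};

// Constructed remediated banner: equal-weight buttons and the disclosures
// the DPA asks for in section 8.
const BANNER_REMEDIATED = {
  background: "#ffffff",
  text:
    "Accepting lets third parties such as Meta use data about your health " +
    "for their own purposes, including marketing. You can use the site " +
    "without giving consent.",
  buttons: [
    { role: "accept", label: "Allow all cookies", background: "#0066cc" },
    { role: "reject", label: "Only necessary cookies", background: "#0066cc" },
    { role: "customize", label: "Customize", background: "#0066cc" },
  ],
};

for (const b of [BANNER_AS_DESCRIBED, BANNER_REMEDIATED]) {
  const result = auditBanner(b);
  console.log(result.ok ? "OK" : "ISSUES:", result.issues);
}
```

Run with `node` on the constructed banners: the first is flagged on every count (the blue accept button is roughly 5.6 times more prominent than the white alternatives, and all three disclosures are absent), the second passes. The contrast heuristic only looks at button backgrounds, so a banner that equalises backgrounds but uses size, position or text weight to steer the visitor would still need a human review.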

9. Right to appeal

This is an individual decision that can be appealed under the rules of the Public Administration Act, cf.
the Public Administration Act Section 28. The deadline for appealing is three weeks after this letter is received.

The Privacy Board is the appeals body, but any appeal should be sent to the Norwegian Data Protection Authority.

10. Access and publicity

As a party to the case, you have the right to access the documents in the case, cf.
the Public Administration Act Section 18.

We would also like to inform you that all documents are in principle public, cf.
the Public Access Act Section 3. If you believe that there are grounds for excluding all or part of
the document from public access, we ask you to justify this.

If you have any questions about the case, you can contact us by e-mail at
[email protected].

Kind regards

Tobias Judin
Head of Section
Trine Smedbold
Senior Legal Advisor

The document has been electronically approved and therefore has no handwritten signatures

Recipient(s): ADVOKATIFIRMAET ARNTZEN AS, Trine Hammervold
ADVOKATIFIRMAET ARNTZEN AS, Tommy Dahlen
NORSK HELSEINFORMATIKK AS

  1. The DPA based this conclusion entirely on Article 6(1)(f) GDPR and the requirement for legitimate interest to be balanced against the rights and freedoms of data subjects. The DPA did not rule Article 6(1)(f) out based on the consent requirements of the Electronic Communications Act, which the DPA did not enforce in the case at hand (and was not competent to enforce at the time, as the DPA itself pointed out in the motivation).