Datatilsynet (Norway) - NO - DPA - 24/01055-10
From GDPRhub
| Datatilsynet - NO - DPA - 24/01055-10 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 6(1)(e) GDPR Article 12(1) GDPR Article 13(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 14.03.2024 |
| Decided: | 26.03.2025 |
| Published: | 10.06.2025 |
| Fine: | 250,000 NOK |
| Parties: | Kristiansand Municipality |
| National Case Number/Name: | NO - DPA - 24/01055-10 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Norwegian |
| Original Source: | Norwegian Data Protection Authority (in NO) |
| Initial Contributor: | Harkirt Singh Anand |
The Norwegian DPA imposed a fine of 250,000 NOK (€21,600) against the municipality of Kristiansand for unlawfully processing children's personal data via the Snap and Meta pixels on the website for its child abuse help line.
English Summary
Facts
Following media reports about the use of invasive tracking tools on website, DPA investigated www.116111.no. The website is a help line for abused minors operated by the Kristiansand Municipality (the controller).
The investigation found 17 cookies on the website along with Meta and Snap pixels. A pixel is a tracking tool attached to the website that directly sends user’s data to its operator. The DPA decided to limit its investigation to the use of the pixels.
At the time of the investigation, the controller’s privacy policy did not mention the cookies and the pixels. The privacy policy was later amended to list cookies and tracking pixels more completely. However, the new privacy policy still failed to specify the legal basis for processing personal data, and the categories of data processed via the trackers.
Holding
The DPA fined the controller 250,000 NOK (€21,600) for processing personal data via the Snap and Meta pixels without a lawful basis. The DPA clarified that it did not issue an injunction to remove the trackers because the controller already did so at the time of the decision.
The municipality was the data controller
The DPA fist established that the municipality was a data controller for the pixels as per Article 4(7) GDPR as it operated the website, integrated the tracking tools and determined the purpose of processing (i.e.: to measure the reach of its media campaign).
In this regard, the DPA clarified that it was not relevant that the municipality had no access to the data processed via the pixels. On this point, the DPA referred to the Fashion ID ruling of the CJEU[1].
Processing without a lawful basis
Third party pixel collected personal information including unique user IDs, IP addresses, and device fingerprints which could be used as identifiers by Meta and Snap. For this reasons, the DPA held the pixels collected personal data, contrary to what the controller’s privacy policy stated.
The DPA then assess whether the controller could rely on a legal basis for processing personal data. Specifically, the DPA held that:
- The controller could not rely on consent, because its website did not collect consent;
- Commercial tracking is not a public interest covered by Article 6(1)(e) GDPR;
- Legitimate interest was not a valid legal basis, because the stated objective of examining the marketing campaign did not outweigh the rights and freedoms of children.
With regards to legitimate interest, the DPA further stated that in the case at hand, the controller processed information of a "very private nature" which was close to constituting sensitive data under the GDPR. Sharing these data with third parties had significant privacy implications and could lead to a loss of control over personal data. These considerations were crucial to the DPA’s conclusion that the controller did not correctly balance its interest with those of the data subject.
The privacy policy
The controller’s privacy policy did not inform data subjects that the pixels processed their data. In fact, the policy stated that the website only processed anonymous data. For this reason, the DPA held that the controller failed to provide information about the processing of personal data, in breach of Articles 12(1) and 13 GDPR. The controller also noted that the information provided in the policy was not understandable for children.
The amount of the fine
The DPA issued a fine 250,000 NOK (€21,600). The DPA considered that the controller acted negligently and shared personal data of children, even though it did not intend to do so. On the other hand, the DPA also considered that the controller cooperated during the procedure and eventually removed the pixels before the decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
KRISTIANSAND MUNICIPALITY P.O. Box 4 4685 NODELAND Sent by e-mail to [email protected] Your reference Our reference Date 24/01055-10 10.06.2025 Decision on violation fee - Supervision of tracking tools - Alarmtelefonen for children and young people (116111.no) 1. Introduction We refer to our notification of decision on 26 March 2025 to Kristiansand Municipality regarding the Alarmtelefonen for children and young people (the "Alarmtelefonen"). The Norwegian Data Protection Authority notified that it was considering imposing a violation fee for violating the General Data Protection Regulation in connection with the Alarmtelefonen website 116111.no (the "Website"). We also refer to previous correspondence in connection with the supervision. 2. Decision on infringement fine The Data Protection Authority makes the following decision: Pursuant to Article 58(2)(i) of the General Data Protection Regulation and Article 83, cf. the Personal Data Act, Section 26, second paragraph, the Municipality of Kristiansand is ordered to • pay an infringement fine of NOK 250,000 – two hundred and fifty thousand Norwegian kroner – to the Treasury for processing personal data about children in violation of Article 6(1) of the General Data Protection Regulation, by using the tracking tools Meta Pixel and Snap Pixel on the website 116111.no, and for breaching the obligation to provide information pursuant to Article 12(1) and 13 of the General Data Protection Regulation. 3. Factual background of the case 3.1. About the Alarmphone The case concerns the use of tracking tools on the websites of the Alarmphone for children and young people service operated by the Municipality of Kristiansand. Postal address: Office address: Telephone: Company registration number: Website: P.O. Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLO The Alarm Telephone is a free help service for those up to 18 years of age who are exposed to violence, abuse or other neglect. The service was established in 2009 to introduce the common European helpline number 116 111. The service is open 24 hours a day and available to children throughout the country. They can contact the Alarm Telephone by telephone, chat, SMS and email, and the inquiries can be forwarded to the appropriate authority in the relevant municipality for follow-up. The website contains information on how to contact the service, as well as videos and articles with advice for children and young people in difficult situations. The service is run by the child welfare service in Kristiansand Municipality, but it is financed through earmarked grants from the Directorate for Children, Youth and Family Affairs (Bufdir). In a letter dated 30 April 2025, the municipality stated that the service began as a purely telephone service. The website was created in connection with a new assignment from Bufdir in 2020 that the municipality should also offer a chat service on the internet. The award letter from Bufdir dated 1 April 2020 stated that the Alarm Telephone would reach out to children and young people with information about the service on social media platforms. The inspection is directed at Kristiansand Municipality. The municipality runs the service and is the operator of the Website. The municipality is therefore responsible for the processing of personal data on the Website. We have not carried out an inspection of the municipality's other websites. 3.2. About the inspection: procedure and scope 3.2.1. Background to the inspection The decision concerns the processing of personal data in connection with Alarmtelefonen's use of tracking tools on the Website. By tracking tools we mean technology, including cookies and pixels, that is integrated into websites to monitor visitors' behavior on the site. Tracking tools can be used to collect information such as IP address, advertising ID, geographical location and technical information, such as screen size and resolution. This information can be compiled by the website operator or advertising companies and thus identify an individual via the user's communication device. The Norwegian Data Protection Authority's task is to supervise compliance with the General Data Protection Regulation, cf. Article 57(1)(a) of the General Data Protection Regulation and Section 20 of the Personal Data Act. The Norwegian Data Protection Authority has conducted a digital inspection of six websites to examine their use of tracking tools. The website 116111.no is one of the websites selected for the inspection. The background for the inspection is media reports about websites that share personal data with third parties using tracking tools. In several of the cases mentioned in the media, the information that has been collected and shared with third parties may constitute personal data of 1 See, for example, Nettapotek shared with Facebook that you watched chlamydia tests – NRK Kultur og underværning, published on 4 December 2023. 2sensitive nature or special categories of personal data, cf. Article 9(1) of the General Data Protection Regulation. In recent years, the Norwegian Data Protection Authority has encouraged businesses to review their websites to assess which tracking tools they use, and in December 2023 we announced that we would conduct an inspection of Norwegian websites' use of tracking tools. 2 We selected different categories of websites that process information that is worthy of protection about those who visit the pages and selected six actors from the different categories that we inspected. The purpose of conducting these inspections is to be able to shed light on various issues in connection with the use of tracking tools. Furthermore, we have had as an important goal that our assessments should be able to provide guidance to actors beyond those covered by this inspection. In the inspections, we have reviewed and checked whether the websites' use of tracking tools is in compliance with the relevant requirements of the General Data Protection Regulation, including the legal basis, cf. Article 6(1) of the General Data Protection Regulation. 3.2.2. Initial case processing We conducted a digital inspection of the Website on March 14, 2024. We visited the websites and documented the content on it, including the privacy policy. We also conducted a technical investigation that showed which tracking tools were integrated into the Website. We sent a letter on March 19, 2024 with documentation of our actual findings on the Website. The letter contained screenshots of the Website as well as a technical report prepared by the Norwegian Data Protection Authority that recorded which tracking tools were active on the Website. We invited the municipality to send us comments on the findings, if they had any. In a letter dated 30 April 2025, the municipality wrote that it found it “strange” that the Authority was not “notified in advance by a formal inquiry” and that it was “regrettable that initial assessments of the findings made on (the Website) have not been communicated”. The letter dated 19 March 2024 was not intended to be a notice of inspection or a request to make changes to the Website. The Norwegian Data Protection Authority wanted to obtain a common understanding of the factual circumstances of the case before we went into more detail about the legal assessments. The purpose of the letter was to obtain any comments on the documentation we had collected. In the letter, the Norwegian Data Protection Authority clarified that we had not made any legal assessments of the findings at that time. On April 23, 2024, our case manager spoke by phone with the website developer of Alarmtelefonen, Tress Design AS. In the conversation, we clarified what the purpose of the inspection was, that we had not made any legal assessments yet, and that we were sending the letter in case the municipality wanted to comment on our actual findings. The website developer then said that Alarmtelefonen did not share personal information with third parties and that the tracking tools on the Website were standard to use. We took note of this. 2 See Datatilsynet announces investigation after NRK revelations – NRK Norway – Overview of news from various parts of the country, published on 21 December 2023. 3The head of the Alarmphone, Margrethe Østerhus, subsequently confirmed that the municipality had no further comments on the actual findings in an email on 24 April 2024. On 13 June 2024, the Datatilsynet asked the Alarmphone to provide information on how many visitors they have on their websites. The Alarmtelefonen presented excerpts from its annual reports 2021-2023 with this information on June 19, 2024. The Norwegian Data Protection Authority sent a notification of decision to the municipality on March 26, 2025. In the notification, the Norwegian Data Protection Authority wrote that we were considering imposing a violation fine of NOK 300,000, as well as issuing an order to remove the tracking tools Snap Pixel and Meta Pixel from the Website. 3.2.3. The municipality's letter with comments on the notification of decision and the notification of non-compliance from the municipality We received the municipality's comments on the notification on April 30, 2025. The municipality had no objections to the central conclusions in the notification, but asked the Norwegian Data Protection Authority to reconsider the level of the violation fine in light of the municipality's measures to stop the processing. We were also informed that the municipality had removed all tracking technologies on the Website that were not necessary for the Website to function. The Norwegian Data Protection Authority also received a notification of non-compliance from the municipality on 1 April 2025. The municipality wrote that the Website used several tracking technologies, such as Google Analytics, which potentially made personal data available to third parties. In addition, the municipality wrote that it had discovered several possible violations of the GDPR, including the obligations of the controller under Article 24 and the lack of a record of processing activities under Article 30. Non-compliance notifications to the Norwegian Data Protection Authority are used to report breaches of personal data security, cf. Article 33 of the GDPR. The Norwegian Data Protection Authority closed the non-compliance case since it did not concern such a security breach, but we are taking into account the information we received in this case. 3.2.4. Scope of the audit In connection with the audit, we visited the Website several times after the initial survey on 14 March 2024. The last visit took place on 25 March 2025. This audit only concerns selected aspects of the use of third-party tracking tools on websites. We have not taken a position on other privacy issues in this audit. The absence of comments on other privacy issues therefore does not mean that this has been approved by us. 3The municipality also originally wrote that there had been a transfer of personal data to a third country without sufficient transfer grounds, in violation of Article 45. In an email dialogue with the municipality on 15 May, we were able to clarify that the notification of a lack of transfer grounds was due to a misunderstanding. The Norwegian Data Protection Authority has not taken a position on whether the municipality had a transfer ground under Article 44 of the Regulation. 4The Norwegian Data Protection Authority has chosen to limit our assessment to Alarmtelefonen's processing of personal data for marketing purposes through the use of the tracking tools MetaPixel and Snap Pixel in light of the rules of the General Data Protection Regulation. Our assessments are nevertheless relevant to the use of other cookies, pixels and other tracking tools. In this context, we note that the municipality removed other tracking tools that fall outside the scope of this inspection after receiving the notification on 26 March 2025. The inspection is also limited to compliance with the rules in the General Data Protection Regulation. We do not take a position on compliance with the Electronic Communications Act.4 3.3. Description of the actual findings of the inspection During the digital inspection on 14 March 2024, the Norwegian Data Protection Authority registered that visitors to the front page of the Website had 17 cookies placed in their browser. A cookie is a text file that is placed in the user's browser or device when the person concerned visits a website. Cookies can, among other things, be used to monitor the visitor's activities on the website. This information is sent to the domain associated with the cookie and is thus made available to the website operator. Several of the cookies were first-party cookies. That is, they were owned by the website itself. We also found cookies belonging to Google, Meta and Snap. Although these are provided by third parties, it is the website operator, in this case the municipality, who determines which cookies are placed in the browser when someone visits the Website. The website also used the Snap Pixel and Meta Pixel tracking pixels on the front page and on the subpages. These belonged respectively to Snap Inc., which operates the Snapchat service, and Meta Platforms Ireland Limited, which operates, among other things, the Facebook and Instagram services in the EU/EEA countries. Tracking pixels are built into the website itself by the operator, and they are not stored on the user's device like cookies. When a website has a tracking pixel, information is sent to the pixel provider about the actions the user takes on the website. The Meta Pixel records the actions of visitors on websites and sends information to «connect.facebook.net/en_US/fbevents.js». This also makes the information available to Meta Platforms Ireland Limited, which, among other things, operates the Facebook and Instagram services in the EU/EEA countries. The pixel is loaded into the website's HTML code when someone visits the website. This causes a _fbp cookie to be automatically stored in the visitor's browser, unless 4See otherwise section 5 of the notice. 5the cookie is already there. It stores a unique web identifier in the _fbp cookie. The pixel can be configured to track various actions that users take on the website on which the pixel is placed. In the audit, we have registered that the Meta Pixel tracks which websites a user loads on their device, so-called "page load events". The Data Protection Authority sees that when the pixel is loaded, a tracking script (/tr-script) is also activated that handles the collection and provision of data to Meta, including information about the "c-user" variable. Our investigations show that if a user is logged in to Facebook in the same browser that the Website is loaded on, this variable will display the unique ID associated with the person's Facebook profile. Meta thus receives directly identifying information when someone who is logged in to Facebook loads the Website. If the user is not logged in to Facebook, the Website will still send information about "page load events" to Meta, along with a unique user ID, IP address and digital footprint with information about browser, operating system, screen size, etc. This is information that makes it possible to identify the different users. Snap Pixel (_scid, __scid_r) works in a similar way. When we conducted the audit on March 14, 2024, it was stated in the privacy statement of Alarmtelefonen that they use cookies to “analyze the general usage pattern”. It was further stated that the information is “completely anonymized and is used for statistics and analysis, as well as advertising”. It was also stated that the cookies “register IP address and how long visitors are on the page, what they click on and which device they use, and give us an overview of how many visitors the page has.” No information was provided about the tracking pixels, nor about the sharing with Snap or Meta. The privacy statement did not contain any information about the basis for the processing. After the factual findings were presented by the Data Protection Authority on 19 March 2024, the Alarmtelefonen has made changes to its privacy policy so that it mentioned the use of the pixels. The changes are explained in section 6.4 of the decision. The municipality removed Meta Pixel and Snap Pixel from the Website after it received the notification of the decision. In the letter of 30 April 2025, the municipality also stated that it had removed other tracking tools from Google, including those associated with Google Analytics and YouTube. Our investigations confirm that these have been removed from the Website. The Website now only uses cookies that are necessary for the websites to function. The municipality has also updated the privacy policy on the Website. 4. Legal background “Personal data” is defined in Article 4(1) of the GDPR as: 6 any information about an identified or identifiable natural person (“the data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Online identifiers are expressly mentioned in Article 4(1) of the GDPR as an example of personal data. Recital 30 explains why such data is considered personal data: “Natural persons can be linked to online identifiers through equipment, programs, tools and protocols, such as IP addresses, cookies or other identifiers, such as radio frequency identification tags. This may leave traces which, in particular in combination with unique identifiers and other information received by the servers, can be used to create profiles of natural persons and to identify them.” The preamble highlights the possibility of identifying individuals by combining them with other information to which the recipient reasonably has access. 5 What constitutes processing of personal data is defined in Article 4(2): Any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. According to Article 4(7) of the GDPR, a “controller” is: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (…). Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject, see Article 5(1)(a) of the GDPR. Personal data shall furthermore be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes, see Article 5(1)(b) of the GDPR. 5 See also recital 26 of the GDPR. 7It is the responsibility of the controller to demonstrate that the processing of personal data is carried out in accordance with the principles set out in Article 5(1). This accountability principle is enshrined in Article 5(2). All processing of personal data must have a legal basis in Article 6(1) in order to be lawful. The provision lists various legal bases, including: Processing is only lawful if and to the extent that at least one of the following conditions is met: (a) the data subject has consented to the processing of his or her personal data for one or more specific purposes, (…) (e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, (…) (f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject override those interests and require the protection of personal data, in particular where the data subject is a child. Article 6(3) states that processing on the basis of letter e) must be based on a legal basis. In other words, it is not sufficient that the processing is carried out for the performance of a task carried out in the public interest or in the exercise of official authority. The purpose for which the processing is necessary must be specified in Norwegian law. Consent means a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”, see Article 4(11) of the GDPR and recital 32. According to recital 42, consent “shall not be considered to be freely given if the data subject does not have a genuine freedom of choice or is not able to refuse or withdraw consent without detriment to the data subject”. When consent is used as a legal basis, the data subject must have been informed about what he or she is consenting to, including which personal data will be processed and what the purpose of the processing is. The data subject must be able to foresee the consequences of giving consent based on the information provided by the controller. This means that the controller must not obscure the facts, but must explain clearly and directly what data will be collected and what it will be used for. If consent is not informed, the data subject’s control over his or her personal data will be illusory, and consent will not be a valid legal basis under Article 6(1). 6 See “Personvernordning Lovkommentar” on Article 6, by Åste Marie Bergseng Skullerud, Cecilie Rønnevik, Jørgen Skorstad and Marius Engh Pellerud, consulted on 19 June 2024 at juridika.no. 7See “Personvernordningen Lovkommentar” on Article 7(2), by Åste Marie Bergseng Skullerud, Cecilie Rønnevik, Jørgen Skorstad and Marius Engh Pellerud, consulted on 19 June 2024 at juridika.no. 8See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, paragraphs 62-63. 8The European Data Protection Board (EDPB) has stated in its guidelines on consent that the controller must consider the type of group of individuals the business processes about. For example, if a service is aimed at a group of individuals that includes minors, the controller must ensure that information is provided that is understandable to minors. In order to collect informed consent from a child, the controller must explain how the personal data will be processed in a way that is clear and easy for children to understand. 10 Consent must be given for a specific purpose. This means that the purpose must be sufficiently specific to enable an assessment of whether it is necessary to process the personal data in question and whether the processing is in accordance with the GDPR. The requirement that consent be specific is intended to ensure user control and transparency for the data subject, and is closely linked to the requirements that consent be informed and voluntary. To meet this requirement, the controller must ensure that the purpose is specific in such a way that purpose drift is avoided. 12 13A controller requesting consent for several different purposes should provide for an opt-in solution for each individual purpose. The controller should provide specific information related to each individual consent request, so that the data subject is aware of the impact of the different choices. 14 A consent is presumed not to be freely given if it is not possible to give separate consent for different processing activities, see point 43 of the preamble to the GDPR. 15 The EDPB has stated that a service may include several processing activities for more than one purpose. In such cases, data subjects should be able to choose which purpose they accept, and should not have to consent to several processing purposes at once (so-called “bundling”). Such 16 granularity is necessary for consent to be valid. The EDPB has provided advice and recommendations on how to design user interfaces 17 without using manipulative design that violates the GDPR. Manipulative design can influence users’ behaviour by exploiting people’s biological tendencies to 9 10e EDPB Guidelines 05/2020 on consent under Regulation 2016/679, sec. 70. 11See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, para. 126. See “Personvernorordningen Lovkommentar” by Åste Marie Bergseng Skullerud, Cecilie Rønnevik, Jørgen Skorstad and Marius Engh Pellerud, consulted on 19 June 2024 at juridika.no. See also EDPB guidelines on consent where reference is made to A29 WP Opinion 3/2013 on determination of purposes, in footnote 28 on p. 13 and footnote 30 on p. 14. See Article 29 Data Protection Working Party Opinion 03/2013 on purpose limitation, pp. 15- 16. 12See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p. 14. 13 The predecessor of the Board, the Article 29 Working Party, has stated that a purpose that is vague or general, such as for example "marketing purposes", will, without further details, usually not meet the requirement of being specific. The degree of detail a purpose must be described in order to be sufficiently specific depends on the context in which the data are collected and the personal data covered. See Article 29 Data Protection Working Party Opinion 03/2013 on purpose limitation, pp. 15-16. 14 See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, pp. 14-15. 15 See also EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p. 12. 16 17See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p. 12. See EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them. 9make incorrect conclusions, so-called cognitive bias. This can, for example, lead to the data subject not making their own conscious choices18 and instead choosing the easiest option, without considering the possible effects of the choice. This can, for example, be done with color choices in the user interface by making different choices have different colors, and where one option is more conspicuous than the most privacy-friendly option. The French data protection authority, CNIL, issued a decision in December 2023 in which they concluded that “nudging” in the form of color, design and choice of text on the consent buttons meant that the requirement of voluntary consent was not met.19 Consent must be unambiguous, meaning that it must be given by an active act or statement by the data subject. It must be clear that the data subject has consented to the processing in question. 20 In paragraph 38 of the preamble to the GDPR, it is stated that: “Children’s personal data deserve particular protection, as children may be less aware of the risks, consequences and safeguards involved and of the rights they have in relation to the processing of personal data. Such special protection should apply in particular to the use of children’s personal data for marketing purposes or to create personality or user profiles, as well as to the collection of personal data about children when they use services offered directly to children. The consent of the holder of parental responsibility should not be required for prevention or counselling services provided directly to children.” As children deserve special protection, all information and communication, where the processing concerns a child, should be formulated in clear and plain language which the child can easily understand, see point 58 of the preamble to the GDPR. In extension of the principle of transparency, several rules on transparency and information on the processing apply in Chapter III of the Regulation. Article 13 requires the data subject to be provided with the information by the controller when personal data concerning him or her are collected, including the basis on which the processing is based and with whom the data are shared. The controller shall provide the data subject with information about the processing at the time of the collection of the personal data. Article 12(1)(a) 1 states that the information provided to data subjects shall be “concise, open, intelligible and easily accessible and in clear and plain language, in particular where it concerns information specifically addressed to a child”. In other words, the information must be adapted to the relevant group of data subjects. 18See EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them, in section 3. See also the Consumer Council’s report “Deceived by design”, Manipulerende design – Forbrukerrådet. 19SAN-2023-025 Data brokers: TAGADAMEDIA fined €75,000 | CNIL 20 See EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p. 18. 10Article 24 no. 1 requires the controller to implement appropriate measures to ensure and demonstrate that the processing is carried out in accordance with the Regulation. 5. The Authority's delimitation from the Electronic Communications Act The Data Protection Authority shall enforce the regulations in the Personal Data Act, including the General Data Protection Regulation. The regulations apply to all processing of personal data unless otherwise provided for in or pursuant to law, cf. the Personal Data Act, section 2, first paragraph. At the time of the inspection, the use of cookies was specifically regulated in the Electronic Communications Act 2003 § 2-7 b, which implements Article 5(3) of the EU's Data Protection Directive. 21 Today, the Electronic Communications Act 2003 § 2-7 b has been replaced by the Electronic Communications Act 2024 § 3-15. The biggest difference between the old and new provision is that the new provision specifies that the consent shall meet the requirements of the General Data Protection Regulation. The Electronic Communications Act 2003 § 2-7 b, first paragraph, states that: "Storing information in the user's communication equipment, or gaining access to such, is not permitted unless the user is informed of what information is being processed, the purpose of the processing, who is processing the information, and has consented to this." According to the wording, the provision first covers the storage of information on the data subject's device (mobile phone, computer, tablet, etc.). The provision also covers accessing the information stored on the device. In the preparatory work for the provision, it is specified that the rule regulates the action itself – storing or retrieving the information. The purpose of the provision is to protect the user's communication equipment as this is part of private life, regardless of whether personal data is processed, cf. recital 24 of the Data Protection Directive. During the majority of the supervision period, the National Communications Authority (Nkom) was the competent authority for this provision in Norway. The special requirements of the Electronic Communications Act were therefore not assessed by the supervision. The processing of personal data beyond storing information on the device or gaining access to it falls outside the scope of the provision in the Electronic Communications Act. As the supervisory authority for the Personal Data Act, the Data Protection Authority always has the competence to assess this processing. The Personal Data Act also applies to processing that falls within the Electronic Communications Act 2003 § 2- 7 b and the Electronic Communications Act 2024 § 3-15 insofar as it concerns personal data aspects that are not 21 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [ePrivacy 22rective]. Prop. 69 L (2012-2013), p. 102. 11regulated by the provision. This means that, for example, the principles for the processing of personal data in Article 5 of the General Data Protection Regulation and the requirements for information security in Article 32 also apply when storing or accessing personal data in the data subject's device. This is in line with Article 10 of the Data Protection Directive and Article 173 of the Data Protection Regulation, which states that the Data Protection Regulation applies to all sites for the protection of fundamental rights and freedoms that are not specifically regulated in the Data Protection Directive, including the rights of the data subject and the obligations of the controller. The supervision is limited to the use of tracking tools on the Website that fall under the competence of the Norwegian Data Protection Authority under the Personal Data Act and the Data Protection Regulation. From 2025, the Norwegian Data Protection Authority will also be the supervisory authority for the actual storage in communication equipment and access to the stored information under Section 3-15 of the Electronic Communications Act 2024, together with Nkom. We therefore emphasize the importance of the website operator ensuring that it complies with the requirements for consent in the new Electronic Communications Act, as this may be subject to later supervision. 6. The Norwegian Data Protection Authority's assessment 6.1. Processing of personal data When a visitor loads a web page on the Website, the embedded pixels are activated. The pixels then send information about the specific web page that was loaded along with identifiers about the visitor. The information shared thus includes unique identifiers that identify the individual and distinguish them from other visitors to the Website. In this case, the personal data was made available to Snap and Meta, which are operators of large social media platforms. Their platforms, such as Snapchat and Instagram, have many users, including children and young people. The user profiles usually contain directly identifying information that can be linked to the personal data collected through the pixels. The purpose of the pixels is linked to the companies' business model, which is to collect data about their users in order to sell personalized advertising. This is stated in their privacy statements. We therefore assume that this has also happened here. Meta writes in its privacy policy: “We collect and receive information from partners, measurement providers, marketing providers and other third parties about various information about you and your activities on and off our products. Here are some examples of information we receive about you: (…) Websites you visit and data from cookies, e.g. 23Regulation 2024-12-20-3413 on delegation of authority pursuant to the Electronic Communications Act, section 12. 12 through social plug-ins or the Meta pixel (…) We use the information we collect to provide you with a personalized experience, including ads (if we show you ads in Meta products), along with the other purposes we explain in more detail below.” 24 In its privacy policy, Snap writes: “For example, we process your information to provide you with a more personalized experience, including to show you content and information that is most relevant to your experience, as well as more relevant ads. By understanding your interests and preferences, we can provide you with a better product experience. (…) The final category of data we collect is information about you that we may receive from others, such as other users, our affiliates, and third parties. This includes linked third-party service data (information we get when you connect your Snapchat account to another service), advertiser data (information from advertisers, app developers, publishers, and other third parties to help 25 target or measure the performance of ads) (…).” The Snap Pixel’s role in collecting personal information is described in Snap’s Ad Sales Policy: “Advertisers and our partners provide us with data from their own apps, websites, and platforms, which we use to personalize the ads we show. (…) We collect this information in a few different ways, including through the Snap Pixel and Snap’s Conversion API. In both cases, a small piece of code is embedded in third-party platforms (such as websites and apps) that collects information about limited activities on those platforms. We also use this information to provide advertisers with reports on how effective their ads are.” 26 Both statements make it clear that personal information was collected by the companies and combined with other information to “personalize” the user’s experience on their platform. It is unclear to what extent the companies use personal information collected about children to customize ads, but in many cases they will not know whether a user is a minor (for example, where someone has provided an incorrect date of birth). In any case, it is clear that the Website shared and made the data available to the companies between March 14, 2024 and March 25, 2025. 24Meta Privacy Statement, Meta Privacy Policy – How Meta Collects and Uses User Data | Privacy Center | Manage your privacy on Facebook, Instagram and Messenger | Facebook Privacy Policy, last visited November 25, 2024. 25Snap's Privacy Policy, values.snap.com/privacy/privacy-policy?lang=nb-NO, last visited January 28, 2025. 26Snap's Privacy and Advertising Guidelines, Snapchat Ads Transparency | Snapchat Privacy Policy, last visited January 28, 2025. 13The linking of information enabled Snap or Meta to be able to link information that someone had visited Alarmtelefonen's websites with their profile on their platforms. The data made available through the pixels was therefore personal data pursuant to Article 4(1) of the GDPR. 1. It is also clear that further processing of personal data takes place beyond storing or reading information on the user's device, for example through the processing of personal data obtained using a tracking pixel and subsequent processing, cf. GDPR Article 4(2). This clearly falls within the scope of the GDPR. 6.2. Controller The controller is a legal entity responsible for processing the personal data in accordance with the provisions of the GDPR. As mentioned in section Error! Reference source not found. "controller" is defined as the person who alone or jointly with others determines the purposes of the processing of personal data and the means to be used, cf. Article 4(2). 7. The Court of Justice of the European Union has also held that natural or legal persons who exercise influence over the processing of personal data for their own purposes and who participate – as a result – in the determination of the purposes and means of that processing may be considered to be a 27 controller. Where there is joint responsibility for a processing operation among several actors, it is not necessary for each actor to have access to the personal data in question. However, joint responsibility does not mean that different actors have the same responsibility for a processing operation. The different actors may be responsible for the processing of personal data at different stages and to varying degrees, which means that the responsibility of each actor must be assessed in the light of all relevant aspects of the case. In the Fashion ID judgment, the CJEU ruled on the allocation of responsibility between a website operator and the provider of a tracking tool. The question was whether the website operator was a controller by implementing a program code on the website that transferred personal data to a third party, despite the fact that the website operator could not itself influence what happened to the data after it was retrieved by the third party. The CJEU concluded that the website operator had made it possible for third parties, in this case Facebook, to gain access to personal data about the user. Furthermore, the CJEU found that the website operator, together with the third party, determined the purposes and means of collecting and sharing personal data from the website. The website operator was therefore a controller for the data that ended up with the third party, despite the fact that they did not have access to the data themselves. The CJEU underlined that the website operator had accepted the collection and the further disclosure to third parties by implementing tracking tools on the website in order to obtain commercial advantages in the form of marketing. 27 28C-25/17, Jehovan todistajat, paragraph 68. 29C-210/16, Wirtschaftsakademie Schleswig-Holstein, paragraph 38 and C-25/17, Jehovan todistajat, paragraph 69. C-40/17, Fashion ID GmbH & Co. KG. 14Based on the privacy policy on the Website, as it appeared on 13 May 2024, it appears that the purpose of using the pixels was to measure the effect of advertising campaigns on social media. The municipality confirmed that this was the purpose in the letter of 30 April 2025. The municipality is the one who decided to integrate the pixels on the Website. Pixels can also be configured to track specific types of "events" on the websites. In this way, the website operator determines which personal data is made available to the pixel provider. The municipality has incorporated the pixels on the Website and thus facilitated access by third parties to personal data about those visiting the Website. This also means that the municipality has enabled the subsequent activities for marketing purposes. The subsequent processing for marketing purposes also takes place in the interests of the municipality. The municipality has therefore exercised decisive influence over the purposes and means and is therefore responsible for the processing of personal data that occurs when using the tracking tools on the Website, cf. Article 4, paragraph 7 of the General Data Protection Regulation. 6.3. Legal basis The processing of personal data has a legal basis in one of the options in Article 6, paragraph 1. In particular, consent pursuant to letter a) and a balancing of interests pursuant to letter f) may constitute a processing basis for the processing of personal data for marketing activities. We note that from 1 January 2025, a requirement for valid consent applies for the placement of cookies, but this requirement did not apply at the time of the inspection. The municipality has not stated which processing basis they use to share personal data with Snap and Meta. The Data Protection Authority cannot see that the municipality can rely on the processing basis in Article 6(1)(e) since there is no relevant legislation that makes this processing necessary for the municipality to carry out. Since a municipality is the controller, a balancing of interests should not, as a general rule, be used as a processing basis, cf. Article 6(1), last sentence. The Data Protection Authority assumes that the municipality's interest in the processing is to measure the effect of its marketing campaigns. Regardless of whether the processing is necessary to achieve that purpose, the Norwegian Data Protection Authority's assessment is that a balancing of interests does not justify the provision in this case. 30 The Norwegian Data Protection Authority assumes that this was also the purpose when we carried out the inspection on 14 March 2024, before the change in the privacy policy. 15The website is aimed at children, and it is primarily personal data about children that is processed for marketing purposes. Article 38 of the General Data Protection Regulation states that children have the right to special protection in such contexts. The Norwegian Data Protection Authority also considers that it can say a lot about a person that the person has visited the Website, especially when it happens repeatedly and over time. Even though the Website is aimed at many different types of problems and the various sub-pages are not aimed at, for example, diagnoses, it can be indirectly inferred that the person in question is having a difficult time, which in itself is very private. If the person has also read one of the guidance articles, it can be inferred that the person has, for example, heartbreak, negative thoughts or sleep problems. This is an issue that is close to the definition of special categories of personal data in Article 9 of the General Data Protection Regulation, without the Norwegian Data Protection Authority having concluded on this point. The availability of this information has clear privacy consequences for the data subjects. The processing concerns information of a very private nature, and it is put in the context of other information that can be used by third-party actors for commercial purposes. It is otherwise unclear how the personal data is further processed by Snap and Meta. Many of those affected are children, and they are people who do not necessarily understand that their activities on a website are being tracked or who are able to safeguard their rights. We cannot see that the interest in the processing can be justified, compared to the impact of the processing on the data subjects' privacy and rights. The current processing cannot be based on a balancing of interests pursuant to Article 6(1)(f). The Data Protection Authority cannot see that the sharing is necessary to fulfill an agreement or a legal obligation for the municipality, nor to protect the vital interests of individuals. Consent pursuant to Article 6(1)(a) therefore remains the only possible legal basis. The website has not established solutions to obtain consent to the processing of personal data from those visiting the site. Our conclusion is therefore that the processing does not meet the requirements for a legal basis, and consequently is in breach of Article 6(1) of the General Data Protection Regulation. 6.4. Information about the processing The website stated that inquiries to the Alarmtelefonen were anonymous throughout the entire supervision period. This was evident from the front page of the Website and in the pop-up button that sends users to the Alarmtelefonen chat service. This button is visible on all pages of the Website. These promises of anonymity must be assumed to apply to direct inquiries by telephone or on the chat service, but they also create an expectation of confidentiality between the Alarm Telephone and the user of the offer. Since the Website is a way to provide information about the Alarm Telephone's offers and guidance, the expectation of confidentiality will naturally also apply to the processing of personal data in connection with visits to the Website. 16In the letter of 30 April, the municipality wrote: "The municipality does not recognise that an expectation of confidentiality is being created that extends beyond direct inquiries, as it is explicitly stated that it concerns inquiries. However, we take note of the Data Protection Authority's understanding and will comply with it in the future. The understanding of confidentiality that is based on the Alarmtelefonen website is taken from a child welfare framework, which is based on the text from the website “You choose what you want to tell, and whether you want to tell who you are or not.” In this understanding, it is the relationship between “client” and “therapist” that is anonymous, and the “client” does not need to identify himself. We see that this is not sufficient in the context of this inspection, and that it is particularly problematic as identifying information is left to a third party.” The Data Protection Authority does not perceive that the municipality directly disagrees with our assessment that users of the Website have a legitimate expectation of confidentiality. The Data Protection Authority nevertheless clarifies that the promises of anonymity in connection with the inquiries are only part of the context surrounding the Website that creates an expectation of confidentiality. Those who wish to use the chat service must visit the Website to access it, and it is reasonable to expect that visits to the Website will not be shared with third parties for commercial purposes. In addition, the content of the Website is aimed at children and young people who are unlikely to want to talk to their parents, friends or other trusted persons. They do not expect their visit to the Website to be shared with social media platforms such as Snapchat or Instagram. The Privacy Policy also stated that the processing of personal data on the Website was anonymous. On March 14, 2024, the Privacy Policy discussed the use of cookies at a general level: “In order for our website to function optimally, we use cookies to analyze the general user pattern. This information is completely anonymized and is used for statistics and analysis of the website, as well as advertising. Cookies are small text files that are stored on your device when you visit our website. These register the IP address and how long visitors are on the page, what they click on and which device they use, and give us an overview of how many visitors the page has.” It was stated that the data was anonymous. At the same time, it was stated that information such as IP address and which device the registrant uses to access the site was recorded. These are unique identifiers that were thus made available to third parties. In other words, it was not true that the information was anonymous. The information on the website was therefore both incomplete, incorrect and misleading. 17The privacy policy did not mention the use of the pixels, nor that the personal data was made available to Snap or Meta. It was also not explained which processing basis the Alarmtelefonen based on for the processing. The information was also not adapted to the target group for the Alarmtelefonen website, children between 7 and 18 years of age. The information was technical and gave a misleading impression of what the processing entailed. We assume that children, especially young children, in many cases did not have the prerequisites to understand it. After the notice of inspection was sent on 19 March 2024, the municipality made changes to the privacy policy. The change mainly consisted of making the list of cookies and tracking pixels more complete. On May 13, 2024, the Privacy Policy stated the use of Snap Pixel and Meta Pixel respectively: «_scid Cookie associated with Snapchat. Sets a unique ID for the visitor, which allows third-party advertisers to target the visitor with relevant advertising. This matching service is provided by third-party ad hubs, which facilitates real-time bidding for advertisers. Removed after 1 year and 1 month. _scid_r Sets a unique ID for the visitor, which allows third-party advertisers to target the visitor with relevant advertising. This matching service is provided by third-party ad hubs, which facilitates real-time bidding for advertisers. Removed after 1 year and 1 month. (…) _fbp The _fbp cookie, or Facebook Pixel, is used to track and measure Facebook advertising campaigns. It collects user interaction data, and helps advertisers optimize ads and audiences. This first-party cookie does not contain any personally identifiable information, but works in conjunction with other Facebook cookies to create unique user identifiers. Removed after 3 months.” 31 These changes are insufficient to address the information gaps we identified when we conducted our audit in March. The incorrect claim about anonymity was still in the privacy statement, and the statement of the basis for processing was still missing. The information about the pixels is highly technical and is not suitable for giving children any real understanding of who their personal information was made available to or what it was used for. 31The privacy policy had the same wording when the Norwegian Data Protection Authority last inspected it on 25 March 2025. 18At the time of the inspection, the municipality stated that it did not process personal data in the context of the tracking tools, which is incorrect, and visitors therefore did not receive the information they are entitled to under Article 13 in relation to these processing operations. The municipality has therefore violated Article 13 of the General Data Protection Regulation. To the extent that information has been provided about the tracking tools, the information was difficult to understand and unclear, and in any case it was not adapted to children. This constitutes a violation of Article 12 No. 1. The municipality stated in its letter of 30 April 2025 that it has changed the privacy policy since it received the notification, and that it is working to make the privacy policy better adapted to the website's target group. The Norwegian Data Protection Authority has not made any assessments of these changes, but notes that it is positive that the municipality has initiated this work. 7. Choice of reaction 7.1. Suspension order The Norwegian Data Protection Authority notified an order to suspend the use of Meta Pixel and Snap Pixel on March 26, 2025. Since the municipality has removed the tracking tools from the Website, the need for an order has ceased to exist. The Norwegian Data Protection Authority does not impose a suspension order. 7.2. Imposition of a violation fee 7.2.1. About the conditions for imposing a violation fee A violation fee is a means to ensure effective compliance and enforcement of the personal data regulations. In accordance with the Supreme Court's case law, cf. Rt-2012-1556, we assume that a violation fee is to be considered a penalty under Article 6 of the European Convention on Human Rights (ECHR). Therefore, a clear preponderance of the probability of a violation is required in order to impose a fee. Section 46, first paragraph, of the Administrative Procedure Act specifies that a fault requirement applies for imposing administrative sanctions. Unless otherwise specified, the fault requirement is negligence. Article 83 of the GDPR contains the conditions for imposing a fine. The wording of the provision does not explicitly state a fault requirement, but the Court of Justice of the European Union has established that the undertaking must have shown negligence with regard to the infringements in order to be able to impose a fine. However, it is not necessary that an identified individual in the undertaking has acted negligently. It is sufficient that the undertaking as a whole should have been able to avoid the infringement. This means that so-called anonymous or cumulative errors can lead to the fault requirement being met. 7.2.2. The Norwegian Data Protection Authority's competence to impose fines According to the Personal Data Act, Section 26, second paragraph, the Norwegian Data Protection Authority may impose fines against public authorities and bodies for violations of the General Data Protection Regulation, in accordance with Article 83 of the General Data Protection Regulation. Fine fines shall be effective, proportionate and dissuasive. Article 83, no. 2 lists a number of factors to be taken into account when imposing a fine: a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, the number of data subjects concerned and the extent of the damage suffered by them, b) whether the infringement was committed intentionally or negligently, c) any measures taken by the controller or processor to limit the damage suffered by data subjects, d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them in accordance with Articles 25 and 32, e) any relevant previous infringements committed by the controller or processor, f) the degree of cooperation with the supervisory authority to remedy the infringement and mitigate its possible negative effects, g) the categories of personal data affected by the breach, h) the manner in which the supervisory authority became aware of the breach, in particular whether and where applicable to what extent the controller or processor has notified the breach, i) where measures referred to in Article 58(2) have previously been taken against the controller or processor concerned in relation to the same subject matter, that those measures are being complied with, j) compliance with approved standards of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42 and 33 C-807/21 (Deutsche Wohnen), judgment, paragraph 1. 20 k) any other aggravating or mitigating factors in the case, e.g. economic benefits gained, or losses avoided, directly or indirectly, as a result of the infringement In this case, the maximum fine is EUR 20,000,000, cf. Article 83, paragraphs 3 and 5 7.2.3. Assessment of whether an infringement fine should be imposed The Danish Data Protection Authority has concluded that Kristiansand Municipality violated Articles 6, 12 and 13 of the GDPR by using Snap Pixel and Meta Pixel on the Website. Below we review the elements that we consider relevant for the assessment of whether a violation fee should be imposed: a) the nature, severity and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected, and the extent of the damage they have suffered As regards the nature of the violation, it is a matter of lack of lawfulness and transparency, i.e. very basic privacy standards. The other rules on the processing of personal data assume that the controller has a lawful basis for the processing. Without transparency, the data subject cannot safeguard his or her rights. As regards the severity, the Norwegian Data Protection Authority takes these violations seriously. The website has facilitated the collection of private and sensitive personal data about children, and the processing of this has significant privacy consequences. The information has been made available to commercial actors who are not very open about what they will use the personal data for or how long they will process them. The specific privacy consequence for the data subjects is a loss of control over personal data that one can rightly expect to be kept private. In addition, it is difficult for the Norwegian Data Protection Authority to map the potential risk of other breaches due to the commercial actors' lack of transparency. This is very aggravating. Children and young people are also entitled to special protection of their personal data since they are particularly vulnerable and less able to assess the possible consequences of others' processing of their personal data. This special protection applies in particular in situations where their personal data is collected in connection with services aimed at children. The emergency telephone number’s websites are directly targeted at children, and there is reason to believe that most of the visitors to the site are children. In this case, personal data about their visits to the websites has been made available to Snap and Meta. These companies were able to match the data with their profiles on the companies’ platforms, without the children’s knowledge or any opportunity for them to 34 See the preamble to the GDPR, paragraph 38. 21to prevent sharing. It is not clear what Snap or Meta used the personal data for, and their privacy statements did not provide a clear framework for how it could be used. The breaches have led to a significant risk of children and young people in potentially very vulnerable situations being identified by commercial actors. This was in direct contradiction to the claims of anonymity on the Website. Regarding the nature, scope and purpose of the processing, it is worth noting that there is talk about the processing of personal data for marketing purposes using commercial tools. When this type of tracking tool is put into use, you effectively lose control of the data as soon as it is transferred to third parties such as Snap and Meta. They can combine it with other personal data and use it for their own purposes. Therefore, controllers who use commercial tracking tools must map and understand how the tool will process personal data, as well as what consequences the processing may have for the data subjects. In this case, it seems as if the municipality's making the personal data available is an unintended consequence of the use of the pixels on the Website. It is remarkable and aggravating that a public body uses such tools as the Alarmtelefonen has done here – without having investigated and assessed the consequences it has for the users' privacy. This is an aggravating factor. The Norwegian Data Protection Authority points out that the websites had around 73,800 visits in 2023, and that there were a total of around 11,000 views of the pages "Children 7-12 years" and "Youth 13-18 years". This is stated in the Alarm Telephone's annual report for 2023. The report also shows that the visitors are located all over Norway. It is aggravating that there is a high number of registered persons affected by the processing. The Norwegian Data Protection Authority does not have information about specific damage suffered by the registered persons. This may be related to the fact that the municipality has shared the children's personal data with non-transparent commercial actors. We find the points under Article 83, paragraph 2, letter a) to be aggravating. b) Whether the violation was committed intentionally or negligently Negligence is defined as follows in Section 23 of the Penal Code: “Anyone who acts in violation of the requirement for responsible conduct in an area, and who, based on his/her personal circumstances, can be blamed, is negligent. Negligence is gross if the action is highly reprehensible and there is grounds for strong blame.” According to the requirement for responsible conduct, businesses and responsible persons acting on their behalf must examine the legal requirements that apply to their field and implement them. Otherwise, the business can be considered to have acted negligently with regard to this error. In the letter of 30 April 2025, the municipality acknowledged that it had not made assessments about the use of the tracking tools: 22 “The tracking tools have not been used by the municipality, that is, a target group has not been built that receives advertising adapted to the use of these tools. We have nevertheless become aware that these have provided information to Meta and Snap. The municipality has not sufficiently understood the consequences of the tracking tools that were active on this website. The municipality has also not actively taken a position on whether these tools should be used, or for what purpose. However, it has trusted the supplier's assurances that the website's users are anonymous. The municipality has never intended that personal data should be shared with third parties. The Norwegian Data Protection Authority understands that the municipality did not intend to share personal data about visitors to the Website with third parties or to track the activities of individuals who visited the Website. The controller has a responsibility to ensure that the consequences of the processing are understood. As we mentioned above, children are entitled to special protection of their personal data. Therefore, a strict requirement of diligence regarding the lawfulness of the processing applies. Both Snap and Meta are companies that have been in the media spotlight for several years due to how they handle personal data. Online tracking and the risks it entails have also been frequently discussed. The fact that these companies offered tracking tools that could be integrated into the Website free of charge should have given special reason to examine how they worked extra carefully. It was clear from both Snap and Meta's privacy statements that their pixels were used to collect personal data from the websites on which they were integrated. Although the municipality's supplier assured that the tracking tools were anonymous, the purpose of using them was to track traffic from social media to the Website. It is difficult to do if the data were anonymous, and this was a claim that should have been examined closer. Given that the Website is run by the public sector to help children under the condition of anonymity, the municipality had a clear call to familiarize itself with how these tools work and only implement tools that were appropriate to use on this type of website. Here it is clear that the municipality should have done more. The Data Protection Authority believes that the municipality has acted negligently. c) any measures taken by the controller or processor to limit the damage suffered by the data subjects This point does not apply in this case. 23 d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32 This point does not apply in this case. e) any relevant previous infringements committed by the controller or processor This point does not apply in this case. f) the degree of cooperation with the supervisory authority to remedy the infringement and mitigate the possible negative effects of it The municipality has cooperated with the Norwegian Data Protection Authority by providing us with answers to the questions, but not beyond what was required of them. The Alarmtelefonen made changes to the privacy policy after the Norwegian Data Protection Authority notified that it was conducting an inspection of the use of tracking tools on the Website on 19 March 2024. The privacy policy was amended to include information about the use of the Snap and Meta pixels, but the Alarmtelefonen did not stop their use. In the opinion of the Norwegian Data Protection Authority, the changes were not sufficient to meet the requirements of Articles 12 and 13 of the General Data Protection Regulation, nor did they stop the unlawful processing. This is therefore not considered in a mitigating circumstance. On the other hand, there is reason to highlight the municipality's positive and trust-inspiring conduct after the decision was notified. It is a sign of good cooperation that the municipality, on its own initiative, reported a violation of the Privacy Regulation through the non-compliance report of 1 April 2025. Furthermore, it is clear from the municipality's letter of 30 April 2025 that it takes the matter very seriously. In the letter, the municipality explains that it has stopped the use of all tracking tools on the Website that are not necessary for the websites to function. This also applies to tracking tools other than Meta Pixel and Snap Pixel. The municipality has therefore gone further than the notified order to stop required. The municipality also published information about what had happened on the Website and on the municipality's websites. The municipality is continuing to work on creating a new privacy statement on the Website that adapts the information to the relevant target group. The letter also states that the responsibility for operating the Website has been moved internally within the municipality: "Following notification of the decision, the municipality has changed its understanding of the role of controller of websites. The website is now part of the portfolio of the team that works with, among other things, professional systems and privacy, instead of this being managed 24 locally at Alarmtelefonen. This is done to ensure that personnel with privacy expertise make the assessments that deal with privacy in collaboration with personnel from Alarmtelefonen, who in turn are responsible for the professional content.” The Norwegian Data Protection Authority considers this to be a positive development that can help prevent similar violations in the future. We find these circumstances mitigating. g) the categories of personal data affected by the violation The personal data collected and shared are of a private and protected nature. They reveal children who contact a service that is intended for people who are in difficulty, and who have guidance related to various vulnerable life situations. We find this element aggravating. h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if applicable, to what extent the controller or processor notified the infringement The Danish Data Protection Authority discovered the matter when we carried out an inspection on our own initiative. We find this point to be neither aggravating nor mitigating. i) if measures referred to in Article 58(2) have previously been taken against the controller or processor concerned in respect of the same subject matter, that the said measures are complied with This point does not apply in this case. j) compliance with approved standards of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42 This point does not apply in this case. k) any other aggravating or mitigating factor in the case, e.g. financial benefits obtained, or losses avoided, directly or indirectly, as a result of the infringement It appears from the letter of 30 April 2025 that the municipality used the tracking tools to measure the effect of measures to reach the Website's target group on social media. It did this in order to report on the effect to Bufdir. The Danish Data Protection Agency has not established that the Alarmtelefonen has had financial benefits, or avoided direct or indirect losses, as a result of the infringements. The Danish Data Protection Agency finds this point neither aggravating nor mitigating. 25 Overall assessment The Alarmtelefonen for children and young people is a public service that addresses minors in vulnerable situations directly. In light of the nature of the service, the target audience of the Website and the content of the personal data shared, we consider the violation to be very serious. Those who visit the Website have a legitimate expectation of protection of their personal data, especially when the Website states that inquiries to the Alarmtelefonen are anonymous. It is positive that the municipality took the matter seriously by initiating several measures to stop the violation after it received the notification of the decision. After an overall assessment, the Norwegian Data Protection Authority has nevertheless concluded that Kristiansand Municipality, as the controller of the Alarmtelefonen service, must be imposed a violation fee. 7.2.4. Amount of the fee In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018 p. 141), the Ministry states that: “as a starting point, the same rules for infringement fees shall apply to public bodies as to private ones, as this is the arrangement under the current Personal Data Act.” The aforementioned elements in Article 83 govern the determination of the infringement fee. The Ministry assumes that the Data Protection Authority can exercise considerable discretion with regard to the amount of the fee. It also states that “[t]he limits in Article 83 of the Regulation specify maximum limits for the determination of administrative fees, while no minimum limits have been set.” The fee should nevertheless be set so high that it also has an effect beyond the specific individual case. The Data Protection Authority has determined that the sharing of personal data in this case constitutes a violation of Articles 6, 12 and 13 of the General Data Protection Regulation. The violations are serious and affect many persons. Considerable emphasis is placed on the fact that the affected parties in this case are largely children and that the personal data is very sensitive. When information about visits to the Website has been made available to Snap and Meta, the affected parties have lost control over their information. We do not know how information about their visits to the Website may be used in the future. The making available therefore entailed major privacy consequences for the affected parties. Those who visited the Website had a legitimate expectation of confidentiality. In this context, we also emphasize that it was claimed that visits to the Website were anonymous, which was not true. The Data Protection Authority further emphasizes that the municipality has much to blame for when it introduced the tracking tools on this type of website. In light of the public attention around 26tracking on the Internet, that the Website is aimed at children and the sensitive themes of the Website, the processing should not have found place. The Danish Data Protection Authority also emphasizes general preventive considerations. It is important that public services that want to reach out to the population do so in a way that safeguards the population's privacy. Public bodies that process information about vulnerable persons in particular must be aware of their responsibilities. Everyone must be able to seek information from, and receive help from, public bodies without fear of privacy violations. The imposition of a violation fee must be effective, proportionate and dissuasive. The violations are serious, and the fee must therefore be of a certain size to be effective. There are many websites that use the same tracking tools that the Website has used. It is therefore important to set an example in this case, which indicates that the fee must be set high to function as an effective deterrent for other data controllers. At the same time, the municipality has recognized the seriousness of the case, and it has initiated several measures to stop the processing and to prevent similar incidents in the future, such as explained above. In the notification of non-compliance on 1 April 2025, the municipality wrote that it discovered several matters that were not directly related to the inspection that it is now working to rectify. The municipality has also stated that it has reviewed other websites that it operates that are not covered by this inspection. This should be emphasized in a mitigating direction. The proportionality assessment is based on the seriousness and nature of the violation. At the same time, we have placed great emphasis on the fact that this is an important service that is intended to help vulnerable children, which indicates that the fee must not be set too high. We have also placed considerable emphasis on the municipality's pressed finances in the assessment. Furthermore, we have also placed particular emphasis on the municipality's measures to clean up and prevent similar violations from occurring again. After an overall assessment, we have concluded that the municipality should be imposed a violation fee of 250,000 NOK. 8. Recommendations for follow-up In the letter On 30 April 2025, the municipality requested guidance on how it can obtain consent from minors. As of 1 January 2025, there is a requirement to obtain consent for storing or reading information on users' devices. This follows from the first paragraph of Section 3-15 of the Electronic Communications Act. The provision specifies that the conditions for valid consent are the same as those set out in the GDPR. Other sections of the provision also state that the requirement for 27consent does not apply to storing or accessing information on the device that is “strictly necessary” for the website to function. 35 According to Section 5 of the Personal Data Act, cf. Article 8 (1) of the GDPR, children under the age of 13 cannot consent to the processing of their personal data in connection with the use of services on the internet, without the consent of their guardians. Article 8 (2) states that if a controller bases the processing on consent, the person concerned must reasonable measures to verify that consent has been given by the guardian. Since an important part of the Website's target group are children and young people who do not want to talk about difficult topics with their guardians, it seems difficult to create a consent solution where guardians consent on behalf of children under 13 years of age. In addition, such a solution would require the use of tools that distinguish between children over and under 13 years of age. The use of such tools is a new processing purpose that will require new assessments from the municipality. In principle, there are no legal obstacles to the municipality being able to use tracking tools that require36 consent under Section 3-15 of the Electronic Communications Act, as long as the conditions for valid consent are met. At the same time, it seems impractical to obtain consent for a website that provides a low-threshold help service like the Alarmtelefonen. Tracking technologies that do not require the storage or reading of information on the user's device fall outside the scope of Section 3-15 of the Electronic Communications Act. The use of such technologies, for example to distinguish between users in order to measure traffic on the Website, therefore do not require consent under this provision. The processing of personal data must nevertheless have a processing basis pursuant to Article 6 of the General Data Protection Regulation, and it must comply with the other rules of the Regulation. Such processing can in principle be based on a balancing of interests pursuant to Article 6(1)(f). In that case, the municipality must assess which information is necessary to collect for the purpose of the processing. This assessment must be made in light of the data minimization principle and the storage limitation in Article 5(1)(c) and (e) of the Regulation. The municipality must also assess whether the processing is compatible with the interests and rights of the data subjects. In this regard, the municipality must take into account in particular that most visitors to the Website will be children struggling with various difficult situations. The municipality may, for example, assess whether there are measures that reduce possible privacy consequences such as de-identification of the data or pseudonymisation of personal data. It will also be necessary to provide information about the processing pursuant to Article 13. The information must be easily accessible in a language understandable to the target group of the Website. In the letter of 30 April 2025, the municipality wrote that it has removed all tracking technologies from the Website that were not necessary for it to function. Nevertheless, there is a “cookie- 35 The Norwegian Communications Authority (NKOM) is responsible for assessing whether the placement is "strictly necessary" pursuant to Section 3-15 (2) letter b). See Regulation of 20 December 2024 No. 3413 on the delegation of 36powers pursuant to the Electronic Communications Act (Ekomloven), Section 12, letter b). The Norwegian Data Protection Authority has created a guide to obtaining valid consent when using cookies and other tracking technologies: Use of cookies and other tracking technologies | Norwegian Data Protection Authority. 28banner” on the front page that asks visitors to consent to the processing of personal data for the following purposes: “features”, “statistics” and “marketing”. Since the Website apparently does not use tracking tools that require consent under the Electronic Communications Act or processes personal data on the basis of consent, the information in the “cookie banner” is imprecise. The Data Protection Authority recommends that the municipality remove it until it has clarified for what purposes the personal data will be processed and what the basis for the processing is. In the non-compliance report on 1 April 2025, the municipality wrote that it had discovered shortcomings in the processing in light of Articles 24 and 30 of the General Data Protection Regulation. We understand the municipality to have initiated measures to rectify this, and the Norwegian Data Protection Authority will not conduct further investigations into these matters in connection with this inspection. Otherwise, we refer to the guidance on our website, including in the category "Business obligations", which may contain relevant information for the municipality. 9. Right of appeal Kristiansand Municipality may appeal the decision on a violation fee. Any appeal must be sent to the Norwegian Data Protection Authority within three weeks of receiving this letter, cf. Sections 28 and 29 of the Public Administration Act. If we maintain our decision, we will forward the case to the Norwegian Data Protection Board for appeals. The deadline for compliance with a decision on a violation fee is four weeks from the date the decision is final. 10. Access and public access We would also like to inform you that all documents are in principle public, cf. the Norwegian Access to Information Act § 3. If you believe there are grounds for excluding all or part of the document from public access, we ask you to justify this. If you have any questions about the matter, you can contact us by e-mail, [email protected]. Kind regards Tobias Judin Section Manager Svein Gjørtz Senior Legal Advisor The document has been electronically approved and therefore has no handwritten signatures 29
