Finnish Pharmacy Fined €1.1 Million for Sharing Customer Data with Google and Meta

The Finnish Data Protection Ombudsman has fined pharmacy chain Yliopiston Apteekki €1.1 million for illegally sharing sensitive customer information with tech giants Google and Meta.

The investigation found that the pharmacy’s website used tracking tools that passed on details about customers’ medicine purchases—both prescription and non-prescription—to the tech companies. These tools, including cookies and other embedded technologies, were active on Yliopiston Apteekki’s online store between May 2018 and September 2022.

The data shared included what medicines users added to their cart or tried to purchase. In some cases, the data also included IP addresses and other digital identifiers, which could be used to link the activity to real people—especially if they were logged into Google or Facebook at the time.

The privacy breach came to light after a doctoral researcher from the University of Turku raised concerns with authorities. Following this tip, the Ombudsman launched a full investigation.

Yliopiston Apteekki, which is owned by the University of Helsinki, says it stopped using Google and Meta tracking tools in September 2022. While the company accepts the timeline of events, it disagrees with the final conclusions and plans to appeal the fine in administrative court.

For now, the €1.1 million penalty is not final and will undergo judicial review.