Meta’s done worse: https://www.hipaajournal.com/meta-facing-scrutiny-over-use-of-meta-pixel-tracking-code-on-hospital-websites/

Meta Pixel is a snippet of JavaScript code that can be used by website owners for tracking user activity through the use of cookies.

The problem is the data collected via this code snippet may be sent to Meta, and may include patients’ protected health information. Meta is not a business associate of HIPAA-covered entities, and under HIPAA compliance rules, any data transmitted to Meta would require patient consent to be a HIPAA compliant website.

Criminal and civil judgements are dwarfed by the huge profits generated by the violation of privacy laws. Shareholders and C-Suites don’t care where the money is coming from as long as it keeps coming.