Elkjøp’s €1.8 Million Fine Exposes the High Cost of Bundled Loyalty Club Consent

Alexander Hanff warned Elkjøp’s data protection officer back in 2021. Membership in the retailer’s customer club could not lawfully require customers to accept marketing. Five years later, Norway’s data protection authority agreed. On June 1, 2026, Datatilsynet imposed a 20 million Norwegian kroner fine — roughly €1.8 million — on Elkjøp Nordic AS and Elkjøp Norge AS.

The penalty covers four distinct violations tied to the electronics chain’s loyalty program. More than six million club members across Norway, Sweden, Iceland, Finland and Denmark felt the effects. The case, now public in a detailed decision, offers retailers and marketers across the EEA a clear view of where consent mechanisms break down.

Hanff, writing on his blog at thatprivacyguy.com, described the original issue in stark terms. “Forcing me to surrender my membership and the benefits that come with it, just to exercise a right I already hold, is the textbook example of consent that is not freely given.” He had tried to stop receiving marketing emails. The company told him he would need to cancel his club membership entirely. Their position, in writing, was that receiving offers required club membership.

That exchange set the complaint in motion. Hanff filed with Sweden’s Integritetsskyddsmyndigheten, which transferred the matter to Norway under the GDPR’s one-stop-shop rules. The investigation expanded. What began as one individual’s objection grew into scrutiny of the entire loyalty program’s design.

At its core, the authority found Elkjøp’s consent invalid. Customers faced an all-or-nothing choice. Signing up for the club bundled acceptance of marketing, profiling, analytics, newsletters and discounts into a single agreement. Datatilsynet ruled this consent was neither specific nor freely given nor adequately informed, breaching Article 6(1)(a) in conjunction with the definition in Article 4(11). “Marketing” proved too vague a purpose. The program also processed data of children aged 15 to 17 without proper safeguards against profiling for marketing.

Legal experts at Nordia Law noted the decision echoes European Data Protection Board guidance. Separate, granular consent is required for each distinct purpose. A single checkbox or implied agreement during signup does not suffice. Companies cannot condition core benefits on acceptance of unrelated processing. Yet many loyalty schemes still operate this way. Discounts, points and personalized offers often mask the data exchange.

But the violations did not stop at signup. Elkjøp took data originally collected under consent and fed it into audience-matching tools. These systems upload customer emails or phone numbers to advertising platforms such as Google or Meta to match against their user bases for more precise targeting. The retailer lacked any compatibility assessment under Article 6(4) before shifting to this new purpose. Nor could it fall back on legitimate interests under Article 6(1)(f). Customers could not reasonably expect their club data to enable such third-party matching.

A third breach concerned “offline conversions.” This practice shares purchase data back to digital ad platforms to measure how online campaigns drive in-store sales. Elkjøp attempted to rely on legitimate interests here too. Its assessment, however, was undocumented and incomplete. It failed to weigh the volume of data involved, the impact on individuals including children, reasonable expectations, or the risks of sharing with large platforms. Accountability obligations under Articles 5(2) and 5(1)(a) went unmet.

Finally, the company repeatedly missed deadlines for handling data subject requests. Simple rectification demands, such as correcting an email address, sat unanswered beyond the one-month limit in Article 12(3). Extensions were applied automatically with claims of complexity even when the tasks were straightforward. Technical issues were cited. The authority rejected those excuses. Organizations must maintain systems capable of upholding individual rights without systematic delay.

The fine’s size reflects the scale. Elkjøp belongs to Currys plc, whose worldwide turnover formed the basis for calculations under EDPB fine methodology. Initial estimates ranged from 0.4 to 0.8 percent of group revenue — hundreds of millions of kroner. Mitigating factors including cooperation brought the final amount down sharply to 20 million. Still, the penalty sends a signal. Loyalty programs that treat consent as a formality now carry measurable financial risk.

Recent coverage reinforces the point. DataGuidance reported the authority opened its probe in June 2022 after receiving breach notifications, complaints and tips specifically about the customer club. Elkjøp had openly stated the club’s purpose was marketing products and services, with consent as the chosen lawful basis. The decision, available as a PDF from Datatilsynet, runs more than 100 pages and dissects each element.

Similar themes appear in broader enforcement trends. For years, privacy advocates have challenged “pay-or-consent” and forced bundling models. Early GDPR complaints targeted Facebook, Google and WhatsApp for making service use conditional on broad data permissions. Courts and regulators have grown less tolerant. The Elkjøp ruling stands out because it concerns a mainstream retailer, not a social media giant. Its practices mirror those found in countless retail apps and websites.

Analysts at PPC Land highlighted the decision’s utility for marketers. It clarifies that repurposing consent-collected data for advertising tools demands fresh legal analysis. Switching bases midstream rarely works. Documentation must exist before processing begins. Gut feelings or industry norms offer no defense.

Hanff himself expressed frustration beyond the fine. He noted that supervisory authorities hold a legal duty under Article 77(2) to keep complainants informed of progress and outcomes. Communication lapsed for years. Only when the penalty became public did he learn the full resolution. “Five years and a seven figure fine later, that point is now sitting in a published decision for anyone to read,” he wrote.

The case carries practical implications for compliance teams. Loyalty programs must map every processing purpose at the point of collection. Consent interfaces should present granular choices with clear explanations of profiling and data sharing. Legitimate interest assessments need to be written records that explicitly balance the organization’s aims against individuals’ rights and risks. Response processes for access, rectification and objection requests require tested operational capacity.

Children’s data adds another layer. Any program allowing underage signups must incorporate age verification and heightened protections. Profiling minors for commercial ends triggered additional scrutiny here.

Retailers operating across the Nordic region took notice. The Swedish, Finnish, Danish and Icelandic authorities acted as concerned supervisory bodies and had input into the final decision. Harmonized expectations are emerging in a market where cross-border club programs are common.

Yet the ruling also reveals enforcement gaps. Hanff first raised the issue in 2021. The inspection occurred in 2022. The fine arrived in 2026. Such timelines test the patience of both complainants and companies seeking certainty. They also allow non-compliant practices to persist, affecting millions in the interim.

Elkjøp has the right to appeal to Oslo District Court. Whether it will remains unclear. The decision’s publication already serves as precedent. Other chains running similar clubs may now review their signup flows, data flows to ad platforms, and legitimate interest documentation.

In the end, the penalty underscores a basic principle. Consent must reflect genuine choice. When membership benefits become the price of refusing marketing, that choice disappears. Regulators have drawn the line. Businesses that continue to blur it do so with open eyes — and growing exposure to fines that reach well into seven figures. The Elkjøp case makes the calculation concrete.

