What is bundled consent in loyalty programs?
Bundled consent occurs when companies require customers to agree to multiple unrelated data processing activities—such as profiling, marketing, and analytics—as a single all-or-nothing condition of joining a loyalty program. Under the General Data Protection Regulation (GDPR), consent must be freely given, specific, informed, and unambiguous. Bundling defeats the granularity that "specific" requires: customers must be able to choose which purposes they accept and which they decline.
On June 1, 2026, Norway's Data Protection Authority (Datatilsynet) fined Elkjøp Nordic AS and Elkjøp Norge AS NOK 20 million (approximately €1.85 million) following a four-year investigation that began with an on-site inspection in June 2022. The retailer's loyalty club, serving more than six million members across the Nordic region, forced customers into a single consent mechanism covering newsletters, SMS marketing, profiling, personalization, and analytics. You either accepted everything or got nothing.
Datatilsynet didn't mince words: the consent was neither specific, informed, nor freely given. Worse, Elkjøp's internal documents from February 2022 showed the company knew a regulator could find the mechanism invalid and kept it anyway. The authority classified the violations as intentional, which under Article 83(2)(b) is an aggravating factor that normally pushes fines sharply upward.
How much could Elkjøp have been fined?
The theoretical maximum fine under Article 83(5) of the GDPR is €20 million or 4% of worldwide annual turnover, whichever is higher. Because Elkjøp is owned by Currys plc (with ~€10 billion in global revenue), 4% would have meant approximately €402 million.
The EDPB's guidelines on calculating administrative fines set a starting point of 10–20% of the applicable legal maximum for infringements of medium seriousness, which for a 4%-of-turnover cap means 0.4–0.8% of turnover, roughly NOK 434–868 million in this case. The final fine of NOK 20 million sits about 95% below the bottom of that range, reflecting Elkjøp's cooperation, the improvements it made after the inspection, and the nearly four-year delay in reaching a decision.
Still, NOK 20 million for a consent design that was "a deliberate commercial choice" sends a clear message: if you're treating customer data as the price of admission to your loyalty club, budget for enforcement.
What did Elkjøp do wrong?
Datatilsynet identified four separate violations, but the consent design was the smoking gun. Customers joining the club had to accept a bundled package: discounts in exchange for profiling, personalization, newsletter delivery, SMS campaigns, and analytics—all presented as inseparable. GDPR Article 7(4) explicitly warns against bundling consent with service terms when the processing isn't necessary for that service.
The authority found the consent was:
- Not specific: Customers couldn't opt in to discounts while declining profiling or SMS.
- Not informed: Information focused on perks (discounts, benefits), not consequences (being profiled, analyzed, targeted). Much of it was delivered orally by shop staff, creating inconsistent and incomplete disclosures.
- Not freely given: Join and hand over everything, or don't join at all. Datatilsynet rejected Elkjøp's argument that this was a reasonable "value exchange."
Elkjøp also planned to use loyalty club data for Google Customer Match without obtaining separate, specific consent for that purpose. And the retailer processed children's data (members as young as 15) without real age verification or adequate safeguards—a factor Datatilsynet cited as aggravating.
Why does GDPR prohibit bundled consent?
Figure: diagram comparing bundled consent with a valid, granular GDPR consent structure.
Article 7(4) of the GDPR, read with recital 43, establishes a presumption: if you make a contract or service conditional on consent to processing that isn't necessary for that contract or service, the consent is presumed not to be freely given, and therefore invalid unless you can show otherwise. The EDPB's 2020 consent guidelines are explicit: "bundling consent with acceptance of terms or conditions… is considered highly undesirable."
The rationale is simple: genuine consent requires genuine choice. If saying "no" means you can't access the service, you're being coerced. Data isn't a commodity you can demand as payment.
For loyalty programs, this creates a hard line. You can process purchase history and contact details to calculate points and send account updates—that's necessary for the contract. But profiling for personalized ads? Sharing data with ad platforms? Those require separate, granular opt-ins. If the customer declines, they still get their loyalty card.
What should loyalty programs do now?
If your loyalty program collects customer data beyond what's strictly necessary to award points and communicate account activity, audit your consent flow before Datatilsynet (or the Irish DPC, or the CNIL) comes knocking. Here's the survival checklist:
- Unbundle everything: Separate consent for newsletters, profiling, SMS, analytics, and third-party sharing. Each purpose gets its own checkbox, unticked by default; a pre-ticked box is not valid consent.
- Make "no" viable: Customers must be able to decline individual purposes without losing core loyalty benefits.
- Rewrite your disclosures: Stop leading with "exclusive offers!" and start explaining what profiling means, who sees the data, and what happens if they say no.
- Don't rely on shop staff: Oral consent disclosures are a liability. Make it written, specific, and logged.
- Verify age properly: If you're letting under-18s join, you need real age verification and extra safeguards—or you need to stop.
- Document intent: Datatilsynet pulled Elkjøp's internal emails showing they knew the risk. If your compliance team flags a consent issue, fix it or prepare to explain why you didn't.
The Elkjøp decision also clarified that loyalty club consent doesn't automatically cover new tools like Customer Match or Offline Conversions. If you're uploading customer emails to Google Ads or Meta, that's a separate purpose requiring separate consent—even if the underlying data came from a valid loyalty signup.
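To make the checklist and the Customer Match point concrete, here is an added example (not code from Elkjøp, Datatilsynet, or any vendor) of a per-purpose consent ledger in Python. It records one decision per optional purpose, treats core loyalty processing as a contract-basis activity that is never gated on a checkbox, rejects a signup that arrives without a separate decision for every optional purpose (which is exactly what a single "accept all" flag produces), refuses oral and age-unverified enrolments, offers one-call withdrawal, and builds an ad-platform audience gated on its own purpose rather than on newsletter consent. The purpose names, the `ConsentLedger` API, the under-18 safeguard, and the two sample members are assumptions for illustration.

```python
# Added example: a per-purpose consent ledger for a loyalty programme. This is not Elkjøp's,
# Datatilsynet's or any vendor's code; purpose names, the API and the sample members are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional

class Purpose(Enum):
    CORE_LOYALTY = "core_loyalty"                # points, account updates: contract, not consent
    NEWSLETTER = "newsletter"
    SMS_MARKETING = "sms_marketing"
    PROFILING = "profiling"
    ANALYTICS = "analytics"
    AD_PLATFORM_SHARING = "ad_platform_sharing"  # Customer Match / Offline Conversions uploads

CONTRACT_BASIS = {Purpose.CORE_LOYALTY}                           # Art. 6(1)(b): no checkbox at all
OPTIONAL = [p for p in Purpose if p not in CONTRACT_BASIS]        # Art. 6(1)(a): one checkbox each
MINOR_BLOCKED = {Purpose.PROFILING, Purpose.AD_PLATFORM_SHARING}  # assumed safeguard for under-18s

@dataclass(frozen=True)
class ConsentEvent:
    member_id: str
    purpose: Purpose
    granted: bool            # False records a decline or a later withdrawal
    at: datetime
    channel: str             # "web", "app", "store_kiosk": never oral
    disclosure_version: str  # the written notice the member actually saw

class ConsentLedger:
    # Append-only log, one decision per purpose; the latest event for a purpose wins.
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_signup(self, member_id: str, choices: Dict[Purpose, bool], *, channel: str,
                      disclosure_version: str, verified_age: Optional[int],
                      now: Optional[datetime] = None) -> None:
        if verified_age is None:
            raise ValueError("age must be verified before enrolment")
        if channel == "oral":
            raise ValueError("oral disclosures leave no evidence; use a written channel")
        if Purpose.CORE_LOYALTY in choices:
            raise ValueError("core loyalty processing is contractual, not a consent choice")
        missing = [p.value for p in OPTIONAL if p not in choices]
        if missing:  # a single 'accept all' flag leaves these undecided: that is bundling
            raise ValueError(f"no separate decision recorded for: {missing}")
        decisions = dict(choices)
        if verified_age < 18:
            decisions.update({p: False for p in MINOR_BLOCKED})
        at = now or datetime.now(timezone.utc)
        for purpose, granted in decisions.items():
            self._events.append(ConsentEvent(member_id, purpose, granted, at, channel, disclosure_version))

    def withdraw(self, member_id: str, purpose: Purpose, *, channel: str,
                 now: Optional[datetime] = None) -> None:
        # Art. 7(3): a single call, with no hurdle beyond what granting took.
        if purpose in CONTRACT_BASIS:
            raise ValueError("consent was never the legal basis for this purpose")
        at = now or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(member_id, purpose, False, at, channel, "n/a"))

    def is_permitted(self, member_id: str, purpose: Purpose) -> bool:
        if purpose in CONTRACT_BASIS:
            return True  # declining every optional purpose never costs the loyalty card
        latest = None
        for e in self._events:  # appended in time order, so the last match is current
            if e.member_id == member_id and e.purpose == purpose:
                latest = e
        return latest is not None and latest.granted

def build_ad_audience(ledger: ConsentLedger, members: Dict[str, str]) -> List[str]:
    """Emails eligible for a Customer-Match-style upload, gated on AD_PLATFORM_SHARING alone."""
    return [email for mid, email in members.items()
            if ledger.is_permitted(mid, Purpose.AD_PLATFORM_SHARING)]

def rejects_bundled_form() -> bool:
    """A form that only carried an 'accept all' tick yields no per-purpose decisions."""
    try:
        ConsentLedger().record_signup("m0", {}, channel="web", disclosure_version="v1", verified_age=40)
    except ValueError:
        return True
    return False

def demo() -> dict:
    # Constructed members: Ada (34) accepts only newsletter and analytics, then withdraws the
    # newsletter; Ben (17) ticks everything, so the minor safeguard forces profiling and sharing off.
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_signup("ada", {p: p in (Purpose.NEWSLETTER, Purpose.ANALYTICS) for p in OPTIONAL},
                         channel="web", disclosure_version="notice-v3", verified_age=34, now=t0)
    ledger.record_signup("ben", {p: True for p in OPTIONAL},
                         channel="app", disclosure_version="notice-v3", verified_age=17, now=t0)
    ledger.withdraw("ada", Purpose.NEWSLETTER, channel="web", now=datetime(2026, 2, 1, tzinfo=timezone.utc))
    return {
        "ada_gets_points": ledger.is_permitted("ada", Purpose.CORE_LOYALTY),
        "ada_newsletter": ledger.is_permitted("ada", Purpose.NEWSLETTER),
        "ada_profiling": ledger.is_permitted("ada", Purpose.PROFILING),
        "ben_profiling": ledger.is_permitted("ben", Purpose.PROFILING),
        "ben_sms": ledger.is_permitted("ben", Purpose.SMS_MARKETING),
        "ad_audience": build_ad_audience(ledger, {"ada": "ada@example.com", "ben": "ben@example.com"}),
    }
```

The design choice worth noting is that `is_permitted` short-circuits to `True` for contract-basis purposes before it ever looks at the ledger: no combination of declined or withdrawn optional consents can touch a member's points or account updates, which is the property Elkjøp's all-or-nothing flow lacked. The audience builder likewise asks only about `AD_PLATFORM_SHARING`, so an email collected under a valid newsletter consent still never reaches an ad platform without its own decision.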
Norway isn't an outlier. In October 2025, a Norwegian court upheld a €6.5 million fine against Grindr for sharing user data with ad partners without valid consent. Datatilsynet has also raised concerns about Schibsted's "pay or consent" model, which charges users who decline tracking. The pattern is consistent: if consent isn't genuinely optional, it's not consent.
Six million loyalty club members just learned their "discounts" came with surveillance they never meaningfully agreed to. The fine is 95% smaller than it could have been. Next time, the DPA might not be so generous.
Frequently Asked Questions
What is bundled consent under GDPR? Bundled consent occurs when a company requires users to agree to multiple unrelated data processing purposes as a single all-or-nothing condition, violating GDPR's requirement that consent be specific and freely given for each distinct purpose.
Can loyalty programs require consent to join? Yes, but only for data processing that is strictly necessary to deliver the loyalty service (e.g., calculating points, sending account updates). Profiling, marketing, and analytics require separate, optional consent.
What happens if I withdraw consent from a loyalty program? Under GDPR Article 7(3), you can withdraw consent at any time, and withdrawing must be as easy as giving it. The company must stop processing your data for that purpose. Because the withdrawn purpose was never necessary for the loyalty service itself, you keep the core benefits such as points and account updates.
How can companies avoid Elkjøp-style GDPR fines? Unbundle consent requests so customers can opt in to individual purposes separately, ensure "no" doesn't block core service access, provide clear written disclosures about profiling and data sharing, and document compliance decisions.
Does loyalty program consent cover using customer data in Google Ads? No. Uploading customer emails to Google Customer Match or similar ad platforms is a separate processing purpose requiring its own specific consent, even if the email was collected as part of a valid loyalty program signup.
Why was Elkjøp's fine so much lower than the maximum? Datatilsynet reduced the fine by ~95% due to Elkjøp's cooperation, improvements made after the inspection, and the four-year investigation timeline, though the authority still classified the violations as intentional.
