Norway's electronics retailer Elkjop Nordic AS just learned an expensive lesson about loyalty program consent. Datatilsynet, the Norwegian Data Protection Authority (DPA), imposed a NOK 20 million fine (approximately €1.85 million) on June 1, 2026, after a four-year investigation. The decision affects more than six million customer club members and targets violations disturbingly common in retail: bundled consent, invalid Customer Match use, and inadequate documentation.
The investigation began with an on-site inspection in June 2022, but the problems went deeper than regulators expected.
What Did Elkjop Do Wrong?
[Diagram: bundled vs granular consent comparison]
The consent mechanism was described internally as "all or nothing" and a "package." Customers who joined Elkjop's loyalty club had to accept every form of data processing in a single step: profiling, personalization, newsletter distribution, analytics, and SMS marketing. No granularity. No choice. Just a binary yes or no to membership.
Under the General Data Protection Regulation (GDPR), valid consent must be freely given, specific, informed, and unambiguous. Elkjop's approach failed all four tests. The consent was not specific because different purposes were bundled together. It was not freely given because customers could not become members without accepting profiling. And it was not informed — customers heard about discounts and benefits from store staff, not about being analyzed or the consequences of that processing.
Datatilsynet found this violated the GDPR's requirement that consent be granular and separable for distinct purposes. Worse, Elkjop had been warned in May 2022 — one month before the inspection — that supervisory authorities could find its consent mechanism invalid, having received a similar finding in a prior "Christmas calendar case." The authority concluded the violations were intentional commercial choices.
Why Did the Fine Land at NOK 20M?
The fine could have been catastrophic. Elkjop is owned by Currys plc, the British electronics retailer. For fine calculation purposes, Datatilsynet applied the entire Currys group's worldwide turnover — approximately €10 billion — as required by European Court of Justice case law.
Under Article 83(5) of the GDPR, the maximum fine is €20 million or 4% of worldwide annual turnover, whichever is higher. At 4% of Currys' turnover, the theoretical ceiling would have been approximately €402 million. EDPB guidelines recommend a starting point of 0.4 to 0.8% of turnover for moderate-severity infringements — roughly NOK 434–868 million in this case.
The final NOK 20 million is a steep discount, reflecting Elkjop's cooperation, a long processing time (four years), and positive privacy improvements made after the inspection. But intention was an aggravating factor, and the case was handled as a cross-border matter under the GDPR's one-stop-shop mechanism, involving authorities in Sweden, Iceland, Finland, and Denmark.
How Does This Compare to Other Loyalty Program Fines?
Elkjop is not an outlier. In December 2025, France's CNIL imposed a €3.5 million fine on a retailer for transferring loyalty program data to a social network without valid consent. The violations mirrored Elkjop's: no information on the loyalty form about data transfer for targeted advertising, insufficient information in the privacy policy, and a complex process to access documentation.
The pattern is consistent: regulators are scrutinizing how loyalty programs collect consent at signup, not just how they use data downstream. A 2019 investigation in Lithuania found GDPR violations in 11 out of 12 loyalty program providers, with issues including excessive data collection, unclear opt-out options, and unreasonably long or nonexistent retention periods.
If you're running a loyalty program in Europe and treating "marketing" as a single purpose, you're exposed.
What Does "Invalid Consent" Mean for Customer Match and Offline Conversions?
The second and third violations in the Elkjop case are more technical but just as relevant. Elkjop planned to use Customer Match — a Google Ads feature that uploads customer email addresses for targeted advertising — relying on the loyalty club consent as its legal basis. Datatilsynet rejected this, finding that upstream consent for the loyalty program did not extend to new advertising uses like Customer Match.
The fourth violation involved inadequate documentation for Google's Offline Conversions feature, which links in-store purchases to online ad campaigns. These are standard tools in the martech stack. The GDPR requirements that Elkjop failed apply to how data is collected and used — not which API carries it.
If your consent flow says "marketing" and you're uploading customer lists to advertising platforms, you need separate, specific consent for audience targeting. Describing it broadly as "improving our services" or "personalizing your experience" will not survive regulatory scrutiny. Scan your site with a cookie scanner to see what's actually firing before consent — many loyalty programs inadvertently load tracking pixels that share data with ad networks on the membership signup page itself.
Frequently Asked Questions
What is bundled consent in a GDPR context? Bundled consent occurs when users must agree to multiple distinct data processing purposes in a single all-or-nothing action, such as accepting profiling, analytics, and marketing together to join a loyalty program. Under GDPR, consent must be specific and granular for each purpose, so bundling invalidates it.
Can I use loyalty program consent as a legal basis for Google Customer Match? No. Datatilsynet explicitly found that consent collected for a loyalty program does not automatically extend to new advertising uses like Customer Match. You need separate, informed consent that clearly describes audience targeting on third-party platforms.
How long do I have to respond to a GDPR data subject access request? You must respond within one month of receiving the request. Elkjop's delays were noted in the decision: a customer requested email rectification in April 2020, but the correction was not made until November 2020, and data subject requests from early 2021 remained unresolved at the time of the June 2022 inspection.
What's the maximum GDPR fine for invalid consent in a loyalty program? GDPR Article 83(5) allows fines up to €20 million or 4% of worldwide annual turnover, whichever is higher. For groups with significant revenue, the 4% ceiling applies, meaning potential fines in the hundreds of millions for large retailers.
Are loyalty programs required to appoint a Data Protection Officer under GDPR? Yes, in most cases. Loyalty programs involve regular and systematic monitoring of data subjects on a large scale, which triggers the DPO appointment requirement under GDPR Article 37. The DPO role cannot have conflicts of interest with commercial objectives.
What should I change about my loyalty program consent flow after the Elkjop ruling? Separate consent checkboxes for each distinct purpose: general newsletters, profiling for personalization, SMS marketing, data sharing with partners, and audience targeting on advertising platforms. Make each checkbox un-ticked by default. Clearly explain what each processing activity means and who will access the data. Record the consent state for each purpose and the timestamp.
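The following is an added example, written for this page and not code from Elkjop, Datatilsynet or Google, showing what the consent flow described in the last answer and in the Customer Match section looks like as a data structure: one decision per purpose, un-ticked by default, a per-purpose timestamped record, and a downstream gate that lets an ad-platform audience upload use only members who granted that specific purpose. The purpose names, form field names, the `notice_version` field and the choice to upload SHA-256 hashes of normalised e-mail addresses are assumptions made for the example.

```python
"""Purpose-scoped consent ledger for a retail loyalty program (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(Enum):
    """Distinct processing purposes; each needs its own consent decision (names assumed)."""
    NEWSLETTER = "newsletter"
    PROFILING = "profiling_for_personalisation"
    SMS_MARKETING = "sms_marketing"
    PARTNER_SHARING = "sharing_with_partners"
    AD_AUDIENCE_TARGETING = "audience_targeting_on_ad_platforms"


@dataclass(frozen=True)
class ConsentDecision:
    purpose: Purpose
    granted: bool
    recorded_at: datetime      # UTC timestamp of the decision
    notice_version: str        # which wording the member saw (hypothetical field)
    source: str                # e.g. "web_signup_form", "withdrawal_link"


@dataclass
class ConsentLedger:
    """Append-only history per member; the latest decision per purpose wins."""
    _history: dict[str, list[ConsentDecision]] = field(default_factory=dict)

    def record(self, member_id: str, decision: ConsentDecision) -> None:
        self._history.setdefault(member_id, []).append(decision)

    def is_granted(self, member_id: str, purpose: Purpose) -> bool:
        # No record at all means no consent: the default is "not ticked".
        latest = None
        for d in self._history.get(member_id, []):
            if d.purpose is purpose and (latest is None or d.recorded_at >= latest.recorded_at):
                latest = d
        return latest is not None and latest.granted

    def evidence(self, member_id: str) -> list[dict]:
        """Documentation view for an audit or a data subject request."""
        return [
            {"purpose": d.purpose.value, "granted": d.granted,
             "recorded_at": d.recorded_at.isoformat(),
             "notice_version": d.notice_version, "source": d.source}
            for d in self._history.get(member_id, [])
        ]


def decisions_from_signup_form(form: dict[str, str], notice_version: str,
                               now: datetime | None = None) -> list[ConsentDecision]:
    """Turn a submitted signup form into one decision per purpose.

    A single "accept_all" field is the bundled pattern the ruling rejected:
    it is refused outright rather than expanded into five grants.
    """
    if "accept_all" in form:
        raise ValueError("bundled consent field is not valid consent for any purpose")
    now = now or datetime.now(timezone.utc)
    # A missing or un-ticked checkbox is recorded as *not granted*, never assumed.
    return [
        ConsentDecision(p, form.get(f"consent_{p.value}") == "on", now,
                        notice_version, "web_signup_form")
        for p in Purpose
    ]


def email_hash(email: str) -> str:
    """SHA-256 of the normalised address (assumed upload format for the example)."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def build_audience_upload(ledger: ConsentLedger, members: dict[str, str]) -> list[str]:
    """Hashes of members who may go into an ad-platform audience list.

    Only AD_AUDIENCE_TARGETING counts; newsletter or profiling consent does
    not carry over, which is the Customer Match finding in the decision.
    """
    return [
        email_hash(email)
        for member_id, email in members.items()
        if ledger.is_granted(member_id, Purpose.AD_AUDIENCE_TARGETING)
    ]


def at(iso_utc: str) -> datetime:
    """Small helper to build aware UTC timestamps from ISO strings."""
    return datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
```

The ledger never collapses purposes into a membership flag, so a later feature such as an audience upload cannot borrow the newsletter tick; the `evidence` view is what an auditor or a rectification request would be answered from, and a withdrawal is just a newer decision for the same purpose.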
