The Norwegian Data Protection Authority has imposed a 20 million NOK (approximately €1.8 million) fine on 4th June 2026 on electronics retailer Elkjøp after finding that its customer loyalty programme failed to comply with key GDPR requirements:
1. Customers were required to 'consent' to a broad package of data processing activities, including personalised marketing and profiling in order to participate in the loyalty programme to receive discounts. The authority concluded that consent was not freely given, and customers were not informed of the profiling that would take place.
2. Children's personal data was processed with no control mechanism in place.
3. Elkjøp was sharing data with Google and Facebook without proper legitimate interest assessments. Failure to demonstrate lawfulness was a big factor in issuing the fine.
4. This decision serves as a reminder that GDPR compliance is a key legislation when considering consent, marketing practices and customer profiling activities. Loyalty programmes should not only benefit the customer with discounts, but should respect individual data rights.
