Pierre Kasparian · AI & Data freelancer

Elkjop: €1.8M GDPR Fine for Forced Consent

June 19, 2026 · 6 min read · Articles

Pierre Kasparian

AI Engineer — UTT 4th year · LLM, RAG & GDPR compliance specialist · 15+ client projects

On 1 June 2026, Datatilsynet, Norway's data protection authority, fined Elkjop Nordic AS NOK 20 million (approximately €1.8 million). The reason: tying membership in their customer club to acceptance of marketing communications. Consent you cannot refuse is not consent.

Direct answer: GDPR requires consent to be "freely given" under Article 4(11). If refusing consent means losing access to a service or benefit, the consent is invalid. This ruling confirms it with a seven-figure penalty, and applies directly to any chatbot or AI system that conditions features on acceptance of terms.

What happened at Elkjop

Elkjop is the largest consumer electronics retailer in the Nordics. Their customer club (Elgiganten Kundklubb in Sweden) offers discounts and benefits in exchange for membership. The problem: the only way to opt out of marketing emails was to cancel the membership entirely.

Alexander Hanff, a privacy law expert and one of the architects of GDPR, flagged the issue to Elkjop's DPO in July 2021 with precise legal arguments. Elkjop's written response essentially put the violation on the record: "receiving marketing is a condition of being a club member."

That single sentence formed the core of the case. Hanff filed a complaint with Sweden's IMY (reference DI-2021-6660), which transferred it to Norway's Datatilsynet as the competent authority for Elkjop's main establishment. The decision came four years later.

The violations found

The ruling covers several GDPR articles.

Article 4(11) and Article 7: consent not freely given. Consent must be refusable without negative consequence. Conditioning club benefits on accepting marketing directly violates this requirement. This is the "pay-or-consent" model, unlawful since GDPR came into force.

Article 5(1)(a): lawfulness and transparency. Members were not clearly informed of the actual legal basis for processing.

Article 6(4): purpose compatibility. Elkjop reused data collected for club membership for advertising targeting and conversion tracking, without performing the compatibility assessment that Article 6(4) requires before data is reused for a new purpose.

Article 5(2): accountability. Elkjop could not demonstrate that its processing activities were compliant, which is itself a violation of the accountability principle.

Why this matters for companies deploying AI

This case goes far beyond a Nordic retailer. The "accept everything or don't use the service" model is ubiquitous in digital products, and increasingly so in enterprise AI deployments.

Chatbots that collect data. A conversational AI assistant that records exchanges to "improve the service" or "personalize responses" needs a valid legal basis. If that basis is consent (Article 6(1)(a)), the consent must be freely given, specific, and revocable without loss of core functionality.

Personalization systems. An LLM that adapts its responses based on a user profile creates personal data processing. If that profile was built from interactions where consent was conditional, the entire chain is tainted.

Multi-tenant knowledge bases. In multi-user RAG architectures, each user must consent separately and be able to withdraw consent without losing access to the core service.

The Elkjop case shows that DPAs are willing to pursue these models over long investigation timelines and deliver fines that, in the end, match the revenue at stake.

Consent vs legitimate interest: a common mistake

A frequent confusion in technical teams: you cannot "replace" consent with legitimate interest (Article 6(1)(f)) to work around this constraint.

Legitimate interest requires a balancing test between the company's interest and the data subject's rights. For targeted marketing, the CNIL and EDPB have clearly stated that legitimate interest cannot serve as a legal basis when the person objects to processing. And under the ePrivacy Directive, commercial email communications require explicit consent, full stop.

The clean alternative: use contract (Article 6(1)(b)) only for processing strictly necessary to deliver the ordered service, and collect optional, granular, revocable consent for any additional processing.

What "freely given" means in practice

For consent to be valid under GDPR:

  • It must be decoupled: refusing must not result in loss of the core service
  • It must be granular: separate consent for each purpose (email marketing, advertising targeting, profiling...)
  • It must be revocable at any time, as easily as it was given
  • It must be informed: the user must understand what they are accepting, for how long, and who accesses the data

A consent widget pre-ticked by default, or where the "refuse" buttons are deliberately less visible, falls into the same category as Elkjop's practice.
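The properties listed above map onto a consent gate for a chatbot, sketched here as an added example that is not code from the article or from any system it describes. The purpose names, the feature map and all function names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical purpose names. Each one is consented to separately (granular).
OPTIONAL_PURPOSES = {"email_marketing", "ad_targeting", "personalization"}


@dataclass
class ConsentLedger:
    """Append-only consent log; the history is what supports accountability."""
    events: list = field(default_factory=list)

    def _record(self, user: str, purpose: str, granted: bool) -> None:
        if purpose not in OPTIONAL_PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.events.append({"user": user, "purpose": purpose, "granted": granted,
                            "at": datetime.now(timezone.utc).isoformat()})

    def grant(self, user: str, purpose: str) -> None:
        self._record(user, purpose, True)

    def withdraw(self, user: str, purpose: str) -> None:
        # Same single call as grant(): withdrawing is as easy as giving.
        self._record(user, purpose, False)

    def allows(self, user: str, purpose: str) -> bool:
        # Latest decision wins; no record means no consent (nothing pre-ticked).
        for e in reversed(self.events):
            if e["user"] == user and e["purpose"] == purpose:
                return e["granted"]
        return False


def coupled_features(features: dict) -> list:
    """Return core features gated on an optional consent (the Elkjop pattern)."""
    return sorted(name for name, f in features.items()
                  if f["core"] and OPTIONAL_PURPOSES & set(f["requires"]))


def handle_message(ledger: ConsentLedger, user: str, text: str) -> dict:
    """Core reply is always produced; optional processing only with consent."""
    reply = f"(answer to: {text})"  # stand-in for the real model call
    used = sorted(p for p in OPTIONAL_PURPOSES if ledger.allows(user, p))
    return {"reply": reply, "processed_for": used}


# Constructed feature map: the first entry reproduces the coupling in the ruling.
FEATURES = {
    "club_discounts": {"core": True, "requires": ["email_marketing"]},
    "chat": {"core": True, "requires": []},
    "tailored_answers": {"core": False, "requires": ["personalization"]},
}
```

Running coupled_features(FEATURES) in a design review or CI step flags club_discounts, the one core feature that cannot be used without accepting marketing.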

The sovereign AI angle

The Elkjop ruling reinforces the case for an AI architecture where data does not leave the consented perimeter. If your AI agent does not send exchanges to third-party APIs, if data stays in your infrastructure (or in an EU infrastructure you control), the GDPR risk surface shrinks considerably.

This is not just marketing positioning: sovereign hosting structurally eliminates certain classes of possible violations. No cross-border transfer without safeguards (Article 44), no US sub-processors subject to the CLOUD Act, no data feeding third-party models without explicit consent.

The CNIL published specific AI recommendations in 2024 pointing in this direction. They recommend carrying out a DPIA (Data Protection Impact Assessment) for any AI system processing personal data at scale.

TL;DR

Elkjop paid €1.8M for conditioning customer club benefits on marketing acceptance. GDPR is clear: consent you cannot refuse without loss is not consent (Articles 4(11) and 7). For AI deployments, this translates into an obligation to decouple core functionality from optional data collection, and to treat each purpose separately.

If you are integrating AI into your company and want to secure GDPR compliance from the design stage, get in touch.

About the author

Pierre Kasparian

4th-year engineering student at UTT (University of Technology of Troyes) and AI integration freelancer. He deploys LLMs, RAG pipelines, and AI agents for French and European companies, with strong expertise in GDPR compliance and European hosting. 15+ client projects, including Pretto and LiveSession.