Nordia News

Loyalty club consent: lessons from the Elkjøp fine

By Kjell Steffner
Published: 08.06.2026 | Posted in Insights

Last updated 8 June 2026

In brief

  • On 1 June 2026 the Norwegian Data Protection Authority (Datatilsynet) fined Elkjøp NOK 20 million (around EUR 1.7 million) for four breaches of data protection law tied to its customer loyalty club and marketing. The central finding: the loyalty club consent was neither specific, freely given nor informed.
  • An “all or nothing” consent to marketing is not valid consent under the GDPR. Elkjøp also lacked a basis for reusing customer data in an audience-matching tool, had an undocumented legitimate interests assessment for “offline conversions”, and failed to answer data subject requests on time.
  • The fine is calculated on the worldwide turnover of the whole undertaking — here the Currys plc group. The starting point under the EDPB methodology was 0.4–0.8% of turnover (roughly NOK 430–870 million), but it was reduced sharply.
  • The case matters across the Nordics: more than six million loyalty club members were affected, and the Swedish, Icelandic, Finnish and Danish authorities were all concerned authorities. The lesson for management is that consent design, lawful basis and rights procedures are governance responsibilities, not technical details.

Valid loyalty club consent is one of the most overlooked requirements in consumer marketing — and Datatilsynet’s Elkjøp decision of 1 June 2026 shows why taking it lightly is a commercial risk. The authority struck down Elkjøp’s consent solution, objected to customer data being reused for new marketing, and imposed a fine of NOK 20 million. Below we go through the four findings and what any business with a loyalty club or data-driven marketing should learn from them. Although the case is Norwegian, the lessons apply across the EEA — and in the Nordics in particular.

What was the Elkjøp case about?

Datatilsynet carried out an on-site inspection at Elkjøp Nordic AS and Elkjøp Norge AS in June 2022, following breach notifications, complaints and tip-offs about the loyalty club. The decision came on 1 June 2026 and establishes four separate breaches of the GDPR. More than six million loyalty club members in the Nordics were affected.

The case was handled as a cross-border case, with Datatilsynet as lead supervisory authority and the authorities in Sweden, Iceland, Finland and Denmark as concerned authorities. The decision cannot therefore be appealed to the Norwegian Privacy Appeals Board (Personvernnemnda), but can be brought before Oslo District Court. Elkjøp has apologised to its customers and says it changed its routines after the inspection; the company has not decided whether to challenge the decision in court.

| Finding (legal basis) | What went wrong | Lesson |
| --- | --- | --- |
| Invalid consent to the loyalty club (Art. 6(1)(a), cf. Art. 4(11)) | Consent was neither specific, freely given nor informed; an “all or nothing” offer; children’s data was also processed | Obtain separate, active consent per purpose; explain profiling before the customer agrees; “marketing” is not a sufficiently specific purpose |
| Reuse via audience matching without a basis (Art. 6(4), cf. Art. 5(1)(a)) | Data collected on consent was used for a new purpose with no compatibility assessment; legitimate interest did not repair it | New purposes generally require fresh consent; you cannot switch legal basis to reuse consent-based data |
| Undocumented legitimate interests assessment for “offline conversions” (Art. 5(2), cf. Art. 5(1)(a)) | The assessment ignored customers’ interests, the consequences, and the sharing with third parties | A balancing test must be documented and genuinely weigh the customer’s side; “low risk” is no exemption |
| Late handling of data subject requests (Art. 12(3)) | Rectification requests were automatically labelled “complex” and extended; unanswered cases dating back to 2021 | Respond within one month; an extension requires a concrete assessment; technical problems are no excuse |

When is loyalty club consent valid?

Consent is valid only if it is freely given, specific, informed and unambiguous (Article 4(11) GDPR). The conditions are cumulative — if one fails, there is no valid consent, and therefore no lawful basis for the processing.

“… any freely given, specific, informed and unambiguous indication of the data subject’s wishes …” (Article 4(11) GDPR)

Elkjøp’s consent was not specific. “Marketing” is not a sufficiently precise purpose, and Elkjøp had merged several different purposes into one: sending newsletters, profiling for personalisation, and analytics are, in the authority’s view, separate purposes. The customer must be able to consent to each of them separately. This mirrors the EDPB Guidelines 05/2020 on consent, which require a separate opt-in for each purpose.

Nor was the consent freely given. Elkjøp itself described it as “all or nothing” and as a “package”: you could not become a member without also accepting profiling and analytics. When different purposes are bundled together in this way, the consent is not regarded as freely given (Recital 43 GDPR). Elkjøp’s view that this was a reasonable “value exchange” — data for discounts — does not change the assessment; the controller cannot force the customer to share data as consideration.

Finally, the consent was not informed. The information customers received was about discounts and benefits, not about being profiled and analysed, or the consequences of that. Much of it was, moreover, conveyed orally by individual shop staff. The risk that information then becomes haphazard and incomplete falls on the business — not the customer.

That children’s data was also processed aggravates the breach. The age limit was 15 (later raised to 18), but Elkjøp had no real age verification. Datatilsynet is clear that children — including those aged 15 to 17 — should not be profiled for marketing purposes, regardless of legal basis.

The lesson: a loyalty club cannot rest on consent that forces the customer to accept everything. Give separate, active choices per purpose, and explain profiling and analytics in plain language before the customer agrees. Datatilsynet’s guidance on loyalty clubs (in Norwegian) says the same, and has done so for years.

Can data collected on the basis of consent be reused for new marketing?

As a rule, not without a new basis. Elkjøp adopted an audience-matching tool (of the “Customer Match” type), where customers’ email addresses and phone numbers are matched against advertising platforms for more precise marketing. The data had originally been collected for the loyalty club on the basis of consent.

This triggered two errors. First, this is processing for a new purpose, which requires a compatibility assessment under Article 6(4) GDPR — an assessment Elkjøp had not carried out, because it wrongly assumed the purpose was the same. Second, Elkjøp tried to use legitimate interest (Article 6(1)(f)) as the basis. Datatilsynet did not accept this: further processing of data collected on the basis of consent is normally ruled out on this ground, because it would undermine the consent itself. Customers could not reasonably expect their data to be shared with third parties.

The lesson: you cannot switch legal basis to “rescue” a reuse that consent does not cover. Map all purposes before collection. If the data is to be used for a new purpose later — a new advertising tool, a new analysis — fresh consent is, as a rule, required.

What does a legitimate interests assessment require?

Legitimate interest under Article 6(1)(f) GDPR requires three things at once: a legitimate interest, that the processing is necessary, and that the customer’s interests and rights do not override it. In addition, the business must be able to demonstrate that the processing is lawful (the accountability principle, Article 5(2)). The EDPB Guidelines 1/2024 on legitimate interest set out this three-part test in detail.

Elkjøp used an “offline conversions” tool to measure the effect of digital advertising on in-store sales, by sending purchase data to Google and Facebook. The legitimate interests assessment was, however, too thin: it lacked the number of customers affected, which data was processed, the processing of children’s data, customers’ reasonable expectations, and the possible consequences of sharing data with third parties. Without mapping the consequences for customers, there is in practice no balancing test.

Datatilsynet did not conclude that legitimate interest was an unlawful basis here — the breach was that Elkjøp could not demonstrate that the processing was lawful. That the processing was, in Elkjøp’s view, “low risk” and “industry standard” does not remove the requirement for a genuine, documented assessment.

The lesson: a legitimate interests assessment is a document, not a gut feeling. It must explicitly weigh the customer’s side, and it must exist before the processing begins.

What deadlines apply to data subject requests?

When a customer asks for access, rectification or erasure, the business must respond without undue delay and at the latest within one month (Article 12(3) GDPR). The deadline can be extended by up to two further months, but only where necessary and after a concrete assessment of the number and complexity of the requests.

Elkjøp had made extension the default: requests to correct an email address were automatically labelled “complex”, which triggered an extension. That is not permitted — correcting an email address is not normally complex. Worse, a number of requests were not answered at all within the extended deadline, with unanswered cases dating right back to 2021.

Elkjøp pointed to technical problems. That is no excuse. The business has an independent duty to facilitate the exercise of data subject rights (Article 12(2)); a system that makes it impossible to correct data is precisely the problem — not the excuse. Asking the customer to create a new account and delete the old one is not good enough either.

The lesson: have both the procedures and the technical ability to respond within the deadline. “Complex” must be assessed case by case, never set as the default.

How large can the fine be — and what determines its size?

The upper ceiling under Article 83(5) GDPR is EUR 20 million or 4% of total worldwide annual turnover — whichever is higher. The point that matters for business: turnover is measured at the level of the undertaking, that is, the whole group. Elkjøp is owned by Currys plc, so the fine is calculated on Currys’ worldwide turnover of around GBP 8.7 billion.

For a medium-severity breach by an undertaking with turnover above EUR 500 million, the starting point in the EDPB Guidelines 04/2022 on the calculation of fines is 0.4–0.8% of turnover — here in the order of NOK 430–870 million. The NOK 20 million fine is thus heavily reduced, partly because of Elkjøp’s cooperation, a long processing time, and a positive privacy development in the company.

Datatilsynet nonetheless considered the breaches intentional. The consent solution was a deliberate commercial choice, and Elkjøp had internally acknowledged the risk that it was unlawful. An important point for management: intent attaches to the act itself, not to whether you knew it was unlawful. “We thought it was fine” is not a defence — and the minimum threshold is in any event negligence, where the standard of care is strict for large commercial operators (see the CJEU in Deutsche Wohnen, C-807/21, and the Borgarting Court of Appeal in the Grindr case, LB-2024-154313).

Two arguments did not succeed, and both are instructive. That “everyone in the industry does the same” is not mitigating — on the contrary, it strengthens the need for a dissuasive fine (the Grindr case). And improvements made after being caught do not change the fact that there was a breach at the time of the inspection; bringing an unlawful situation to an end is not in itself mitigating. Genuine maturing of the privacy work, and good cooperation, can on the other hand reduce the fine — as they did here.

What is happening elsewhere in the Nordics?

Elkjøp is not an isolated case. The same questions — consent quality, profiling on a legitimate-interest basis, and the right to object to direct marketing — recur across the Nordic authorities, and the Elkjøp decision itself was a joint Nordic effort.

In Sweden, the authority (IMY) fined H&M for failing to stop direct marketing after customers had objected, and for lacking adequate systems for the right to object (Articles 12 and 21). In an earlier decision concerning Bonnier News, IMY scrutinised the use of legitimate interest as a basis for profiling customers for tailored advertising across affiliated companies. IMY has also pursued a series of decisions on consent quality and “dark patterns” in cookie banners.

In Denmark, the authority (Datatilsynet) examined SmartResponse, a provider of online competitions and questionnaires, addressing both the validity of consent to share data with business partners and the limits of legitimate interest for marketing.

In Finland, the Office of the Data Protection Ombudsman has set out clear guidance on direct marketing: where there is an existing customer relationship, similar products may be marketed without consent, but the data subject always has the right to object; outside such a relationship, consent is required.

The common thread is unmistakable. Across the Nordics, bundled “all or nothing” consent, undocumented legitimate-interest reasoning, and weak handling of objections and rights requests are all live enforcement risks — not theoretical ones.

What should your business do now?

  1. Map and document the lawful basis for your loyalty club and marketing. Consent is not always the right basis; where it is used, it must be genuine.
  2. Split consent by purpose. Give the customer separate, active choices for newsletters, profiling and analytics — not “all or nothing”.
  3. Inform before the customer agrees. Explain in writing that membership involves profiling and analytics, and what that means — do not leave it to individual staff.
  4. Do not reuse customer data for new purposes without a new basis. Before adopting a new tool, assess the purpose against the original — and, as a rule, obtain fresh consent.
  5. Write a genuine legitimate interests assessment where that basis is used. It must weigh the customer’s interests and the consequences, including sharing with third parties, and exist before processing starts.
  6. Avoid directing the loyalty club at children, or introduce real age verification. Children should not be profiled for marketing, whatever the basis.
  7. Make sure you can answer data subject requests within one month — both organisationally and technically. “Complex” must be assessed concretely.
  8. Anchor this at management level. Datatilsynet treated the errors as intentional, commercial choices; responsibility lies with the business, not the marketing department alone.

Sources: Datatilsynet’s decision against Elkjøp, 1 June 2026 (in Norwegian); Datatilsynet’s guidance on loyalty clubs and privacy (in Norwegian); GDPR (Regulation (EU) 2016/679); EDPB Guidelines 05/2020 on consent; EDPB Guidelines 1/2024 on legitimate interest; EDPB Guidelines 04/2022 on the calculation of administrative fines; CJEU C-807/21 (Deutsche Wohnen); Borgarting Court of Appeal LB-2024-154313 (Grindr); IMY (Sweden) v H&M; IMY (Sweden) – Bonnier News; Datatilsynet (Denmark) – SmartResponse; Finnish Data Protection Ombudsman – direct marketing.

About the author

Kjell Steffner  ·  Partner and head of the technology and IT practice at Nordia Law Norway

Attorney-at-law

Kjell Steffner advises Norwegian and international businesses on data protection and GDPR, IT contracts, intellectual property and employment law, with a particular focus on the legal risks of AI. His work includes consent design, lawful basis assessments and data protection impact assessments (DPIAs).
