I told them forced consent was unlawful. 5 years later it cost Elkjøp €1.8M

Regulator action and outcome

  • Commenters are impressed that the Norwegian DPA actually issued a €1.8M fine and forced changes to Elkjøp’s loyalty club, but note it took ~5 years.
  • Some highlight that the fine is just a first step: it enables representative (class‑like) actions that could be 100–1000x more costly and may trigger shareholder action.
  • Others ask how the fine compares to the profit from unlawful marketing; some argue fines should reflect illicit gains, others prefer revenue‑based graduated fines for simplicity and deterrence.

Forced consent and marketing under GDPR

  • Core issue: membership in the loyalty club was conditional on accepting marketing; the only way to stop marketing was to leave the club.
  • Several participants clarify this violates GDPR: consent must be “freely given” and unbundled; people have an absolute right to object to direct marketing (GDPR Art. 21, ePrivacy rules).
  • After investigation, Elkjøp reportedly changed flows so you can have an account without marketing, though some “soft opt‑in” questions remain.

Debates on fines, incentives, and enforcement

  • Long subthread on how to structure penalties:
    • Profit‑based vs revenue‑based fines.
    • Graduated fines (like GDPR’s up to 4% of turnover) vs one‑off hits.
    • Some want personal liability or jail for repeat offenders; others see that as disproportionate for marketing offenses.
  • There’s concern that low enforcement probability undermines even large fines.

Experiences with privacy abuses

  • Many share similar “forced consent” stories: loyalty clubs, ISPs, public Wi‑Fi, landlords, gyms, medical offices, and hiring platforms demanding broad data rights as a condition of service.
  • Several stress that individual complaints do work, but only if people actually file them; one notes mundane issues (potholes, broken equipment) also get fixed quickly when reported.

US vs EU / UK context

  • US‑based commenters envy GDPR‑style rights; others argue US privacy laws are weak, fragmented, and chilled by surveillance practices.
  • Some point to a growing set of US state privacy laws, but still see the EU/EEA (and UK, mostly aligned) as far stronger.

Critiques of GDPR and regulators

  • Some call GDPR a “nightmare” or bureaucratic theater, especially for small firms.
  • Others counter it’s straightforward if you don’t try to “spy” on users and only collect what you truly need.
  • Cookie banners are widely criticized as malicious or cargo‑cult compliance; several explain the underlying cookie law predates GDPR and that industry behavior made UX worse.
  • Swedish and UK regulators are singled out as relatively weak or slow; Norwegian DPA is praised as user‑oriented but capacity‑limited.