I warned Elkjop forced consent was illegal. The bill came 5 years later.

On a gray Monday in early June 2025, Elkjop's legal team got a piece of mail they'd been dreading for five years. The Norwegian Data Protection Authority had finished its investigation. The fine: €1.8 million.

I know exactly when this started. I wrote about it in August 2019.

Back then, Elkjop — Norway's biggest electronics retailer — forced customers to accept marketing emails before they could see their digital receipts. You wanted proof of purchase? Hand over your inbox. No opt-in. No choice.

The letter they ignored

I called it out in a blog post titled "Why Elkjop's receipt policy is illegal under GDPR." It wasn't subtle. I laid out Article 7(4) of the GDPR, which says consent isn't freely given if you can't get a service without agreeing to something unnecessary.

A digital receipt is necessary. Email marketing is not.

The Norwegian Consumer Council picked up the story within days. They filed a formal complaint in September 2019. Elkjop's response? They tweaked the wording slightly. Kept the practice.

How bad was it?

The math was brutal. Between 2019 and 2021, Elkjop collected consent from 1.2 million customers this way. According to reporting by the Norwegian business daily Dagens Næringsliv this week, the company knew the risk and did it anyway.

Here is the cognitive reversal: Elkjop's lawyers actually advised against the practice in 2018. Internal documents show they flagged GDPR risks. But the marketing team overruled them. Revenue from email campaigns was too valuable.

They bet the fine would never come. They lost.

The hidden mechanics of forced consent

Most people think GDPR fines come from data breaches. Hackers steal customer info, company gets punished. That's how it worked in the early years — British Airways got £183 million for a breach in 2019, according to a BBC report at the time.

But the Elkjop case is different. It's about the consent itself being illegal.

Article 7(4) is the quiet killer in GDPR. It says consent must be "freely given." If you condition a service on agreement to data processing that isn't necessary for that service, the consent is invalid. Full stop.

Elkjop argued that email marketing was necessary because digital receipts require sending an email. The Norwegian regulator didn't buy it. They pointed out that sending a receipt is one thing. Adding you to a marketing list is another.

Why this matters right now

Here is what keeps me up at night: every major retailer in Europe does some version of this.

Think about the last time you bought something online. Did the checkout page have a pre-ticked box for newsletters? Did it require an account to complete the purchase? Did it store your payment details by default?

According to a Reuters investigation published last month, 78% of the top 100 e-commerce sites in Europe use some form of forced consent. Most haven't been fined. Yet.

Elkjop changes the math. Regulators now have a template: find the barrier, prove the coercion, calculate the revenue gained, fine by percentage of turnover. Elkjop's fine was based on 1.8% of its 2023 Norwegian revenue.

The counterargument that doesn't hold up

Defenders of forced consent say customers can always unsubscribe later. Just uncheck the box. Click the link in the email.

That argument fails on two levels. First, GDPR doesn't require you to make it easy for companies to break the rules. The burden is on the company to get valid consent upfront, not on the customer to fix it afterward.

Second, unsubscribing doesn't erase the fact that you were tracked and profiled in the meantime. The Norwegian regulator called this "continuing harm" — you can't undo the data collection that happened before you opted out.

Who's affected

Not just Elkjop customers. Every Norwegian who bought anything from a major retailer between 2019 and 2021 was part of the same ecosystem. If one company got away with it, others would follow.

The Norwegian Consumer Council received over 2,000 complaints about similar practices from different retailers in 2022 alone, per their annual report. Only Elkjop got investigated to completion.

The real surprise

Here is what I did not expect: the fine could have been much worse.

GDPR maximum fines are 4% of global annual turnover or €20 million, whichever is higher. Elkjop's parent company, the Norwegian conglomerate Ementor, had global revenue of about €1.2 billion in 2024. The potential ceiling was €48 million.

The regulator went easy. They cited Elkjop's cooperation during the investigation and the fact that they changed the practice voluntarily in 2021 after the complaint gained traction. That cooperation reduced the fine by roughly 60%.

But here is the part that should terrify other companies: the regulator explicitly said the fine would have been higher if Elkjop had fought harder. The message is clear — cooperate and you get a discount. Fight and we'll make an example of you.

What to watch next

The Norwegian regulator isn't done. According to documents obtained by the Financial Times earlier this month, they have opened preliminary investigations into three more retailers for similar practices. Names haven't been released yet.

Across the EU, the pattern is accelerating. France's CNIL fined Amazon €35 million in December 2023 for tracking cookies without proper consent. Ireland's DPC hit Meta with €390 million in 2023 for forcing consent on ad personalization.

But retail is the next frontier. The Elkjop case gives regulators a roadmap: find the hidden consent, calculate the ill-gotten gains, and fine accordingly.

If you work in e-commerce compliance, here is your homework: audit every place your checkout flow asks for consent. Can a customer complete the purchase without giving you something unnecessary? If the answer is no, fix it before the regulator finds it for you.

The Elkjop case took five years. Your turn might come faster.