HN Debrief

I told them forced consent was unlawful. 5 years later it cost Elkjop €1.8M

  • Privacy
  • Regulation
  • Europe
  • Consumer Rights

The post is a first-person account from a Norwegian privacy activist who challenged Elkjøp, a large Nordic electronics retailer, over a customer club that would not let members stay enrolled unless they accepted direct marketing. He says he warned the company in 2021 that this was unlawful under privacy law, filed a complaint when Elkjøp refused to fix it, and only discovered in 2026 that Norway’s data protection authority had issued a €1.8 million fine. The key point is narrow but important: a company cannot make marketing consent the price of getting loyalty club benefits when customers have a legal right to refuse that marketing. Several people added that the original quote in the blog reads backwards in English and is likely a translation issue, but the regulator’s decision itself is available in English and confirms the underlying issue.

If your product or loyalty program bundles marketing consent into access, discounts, or membership, treat that as an enforcement risk now rather than a clever growth tactic. The bigger lesson is operational: rights complaints do turn into fines, so build clean opt-out paths and document your legal basis before a determined customer does it for you.

Discussion mood

Mostly celebratory and vindicated. People were pleased to see a concrete GDPR fine for forced marketing consent, frustrated by how long enforcement took, and broadly hostile to the idea that companies should be allowed to trade basic rights for perks or access.

Key insights

  1. Read the regulator decision, not the quote

    The blog’s key sentence sounds reversed in English, which confused multiple readers and made the case seem weaker than it is. The useful move is to skip the awkward translation and read the English version of the Norwegian regulator’s decision, because that removes the ambiguity and anchors the story in the actual enforcement record.

    When a compliance story hinges on one translated sentence, pull the primary decision before you draw conclusions. If you run cross-border operations, expect bad translations to muddy customer complaints and keep official-language documentation handy.

    Attribution:
    • buzer #1
    • 0xfffafaCrash #1
    • ajb #1
    • drnick1 #1
    • LearnYouALisp #1
  2. Fine design matters as much as fine size

    The more interesting argument was not whether €1.8 million is large in the abstract. It was how regulators should set penalties so violations do not become a line item. One view pushed for benchmarking against the gains from the misconduct. The stronger operational framing was to scale fines to the size of the company, because revenue is easier to verify than claimed profit from a specific tactic and still preserves deterrence.

    If you assess regulatory exposure by asking whether one tactic is profitable, you are using the wrong model. Budget for enforcement that scales with company size and for repeat-offender escalation, not just for a one-off payout.

    Attribution:
    • anakaine #1
    • Retric #1 #2
  3. This dark pattern is still everywhere

    Examples from other companies made clear that Elkjøp’s setup was not some edge-case mistake. People described loyalty memberships that require at least one marketing channel to stay enabled and public Wi-Fi portals that disable access unless you consent to promotions. That matters because it suggests many teams still treat bundled consent as normal product design even in regulated markets.

    Audit every signup flow that ties discounts, access, or membership retention to promotional consent. The risk is highest in old growth funnels that no one has revisited since the law changed.

    Attribution:
    • QuantumNomad_ #1
    • kristianrs #1
    • RobRivera #1
  4. GDPR is hard mainly for data-hungry businesses

    The most useful rebuttal to the “GDPR is impossible for small companies” complaint was that difficulty tracks ambition to collect optional data. If you only gather what the product actually needs, keep a contact point, and avoid turning surveillance into a business process, much of the scary compliance burden simply never appears.

    The cheapest compliance project is data minimization. If you are struggling with privacy obligations, cut collection and sharing first instead of adding more policy text and consent screens.

    Attribution:
    • throw9394494 #1
    • Telaneo #1
    • iliveinberlin #1
    • kentm #1

Against the grain

  1. Some still see this as trivial customer whining

    The dissenting view was that multimillion-euro penalties over loyalty club marketing are overkill and that users should just walk away from services they dislike. That framing is worth noting because it exposes the real divide: whether privacy rights are actual legal limits on product design or merely preferences to be resolved by market choice.

    Do not assume all customers or operators see consent abuse as a serious issue. If you need internal buy-in for privacy changes, frame them as legal constraints and enforcement risk, not just user experience improvements.

    Attribution:
    • jazz9k #1
  2. Rights-aware customers are seen as business risk

    One commenter said they would ban a customer like this from their services because the compliance risk is too high. Crude as it is, that reaction is revealing. Some operators do not treat these complaints as bug reports. They treat them as threats to a model that depends on customers not pushing back.

    Expect a subset of companies to respond defensively when users test consent flows. If you operate in regulated markets, build escalation paths that fix the issue instead of personalizing the conflict.

    Attribution:
    • londons_explore #1

In plain English

dark pattern
A user interface design that nudges or pressures people into choices they might not otherwise make, often benefiting the company.
GDPR
General Data Protection Regulation, the European Union’s main privacy law that sets rules for collecting and using personal data.

Reference links

Related regulation and enforcement references

  • SECURE Data Act coverage
    Used to note that some US privacy legislation exists, even if the US lacks GDPR-style federal coverage
  • Enforcement Tracker
    Shared as a database of privacy enforcement actions, including Bulgarian regulator fines