SmackerNews

I told them forced consent was unlawful. 5 years later it cost Elkjop €1.8M

461 points · 292 comments · 1 day ago · speckx

thatprivacyguy.com

https://web.archive.org/web/20260618212028/https://www.thatp...

https://archive.ph/I4zjA

engeljohnb1 day ago
I'm glad it all worked out for this individual. I hope more people live their lives like this as the dystopia progresses.
Unfortunately, especially in the US, exercising your rights, or even just reading every paper you're expected to put your name to, not only constantly pisses people off for some reason, but also puts you at a significant disadvantage compared to the people that never push back in the interest of not making waves, or even because "whatever it's fine."
buzer1 day ago
Actual decision (Norwegian): https://www.datatilsynet.no/contentassets/c8d0551d2a64403285...
Machine translation of overview & 5.1 which is what the blog post is about (covers some other things as well): https://chatgpt.com/share/6a34732c-0fa4-83e8-aae1-95c25dd117...
[EDIT] Oh, there was actually official English decision available as well: https://www.datatilsynet.no/contentassets/59addbef9c1b48a28f...
0xfffafaCrash1 day ago
The reply I received a few days later did me the favour of putting the violation on the record. Their position, in their own words, was that "in order to receive marketing / offers, it is a condition to be a member of the customer club." That one sentence is the whole case. They had taken a right I am entitled to exercise for free and turned it into the price of admission.
I don’t understand… it would be one thing if it said “receiving marketing/offers is a condition of being a member of the customer club” but that’s not what is being stated above… rather that being a member of the club is required to receive marketing — perhaps something has been misworded or lost in translation?
Insimwytim1 day ago
There's also issue with EU companies forcing candidates to agree to their anti-privacy policies (confusingly named "privacy policies") as a requirement before the job interview.
Those anti-privacy policies will state, that you grant the company and third-parties (so, anyone) permissions to use your data (including voice and image) for any purpose. (Of course, it is stated in a slightly obscure fashion, so a layman may not comprehend it.)
I wonder if there has been any similar action taken against those.
ambicapter1 day ago
I understand where he's coming from, but it is still hilarious that he sued the legal entity that won the case for him, after they found the case in his favor.
Telaneo1 day ago
Datatilsynet, the Norwegian DPA, from my experience, consistently has the user in mind. It (sadly) takes a long time for things to pass through the system, but they consistently come to good decisions.
pavel_lishin1 day ago
The image isn't loading for me, all I see is the prompt used to generate it - which is genuinely preferable.
tomtom13371 day ago
This is extremely cool reading! I'm impressed that they actually fined Elkjøp (as they should!) but very surprised that they didn't keep you informed!
Thank you for sharing!
ryandrake1 day ago
Excellent outcome. I wish we had these rights in the USA! Too bad justice took 5 years though.
peaseagee1 day ago
And how much did it make them over those 5 years?
echoangle1 day ago
Good to know that this is illegal. One of my email providers also does this, maybe I’ll also have to try reporting them and see what happens.
PeterStuer1 day ago
I'm sure I am wrong somewhere. But can someone explain to me how this same reasoning would not apply to every advertizing 'supported' business? You can't opt-out off ads on many websites or streaming services and still hsve access.
sscaryterry1 day ago
This fills my heart with joy. If only ICO in the UK would do the same.
infinite_spin1 day ago
I would like to see these regulations in place here. I have always felt very uncomfortable with companies like TurnItIn.com getting to train their models off of my work, without compensation, where my consent is assumed and there is no opt-out. I've brought this up before, and the general consensus was that my college enrollment is optional, and therefore my consent is freely given. I should have a right to attend a school I pay for and qualified for, without requiring me to give up other rights.
pixelpoet1 day ago
Love to see this, and love our privacy and data handling laws!
Someone1 day ago
FTA: The reply I received a few days later did me the favour of putting the violation on the record. Their position, in their own words, was that "in order to receive marketing / offers, it is a condition to be a member of the customer club."
I don’t see how that implies “if you’re a member of the club, you must receive marketing / offers”. It only says “only members receive marketing / offers”
alexhans1 day ago
It's always satisfying when customer rights stories have a known positive outcome. The timeline is unfortunately quite slow and bureocractic but I'm glad OP managed to find out about it.
RobRivera1 day ago
Lol. Brookfield Place wifi had an OPT IN for their wifi to receive marketing.
If you unclicked it, the 'connect to wifi' button greyed out and a notification appears saying that Opt In is required for wifi.
matheusmoreira1 day ago
Badass. Hope this keeps happening to all of those abusive "take it or leave it" corporations.
abc123abc1231 day ago
5 years?! That's a f*cking joke. Democracy and rule of law does not exist any longer. The politicians get richer, no one challenges them, they pass their offices down within their family, taxes get higher and higher, and services worse and worse.
On the other hand, it is fascinating to be able to watch the destruction of europe and western democracy while it is happening! I imagine that this painful slide is what must have happened during the end of the roman empire. Now we're seeing the end of the european/US empire.
petterroea1 day ago
I personally know other people who have filed similar complaints, and the Norwegian Datatilsynet explicitly stated they acted based on many complaints. I don't think they care about a single person's voice in this, even if they "helped create the law".
It's a shame, but it probably says more about Datatilsynet's capacity. Frankly it would be great if you could simply say "this company did something dodgy", provide proof, and immediately get results. But that's not the world we live in.
vinni21 day ago
I am glad this was resolved. It’s annoying when companies take things for granted. It’s not just Elkjøp doing it. There are other e commerce companies and some online pharmacies doing it too.
spl7571 day ago
The term "forced consent" is an oxymoron. It shouldn't take much more critical thinking than reading that term to know it makes no sense.
VBprogrammer1 day ago
I've often wondered what basis companies are using for the "opt-in to tracking or pay to opt out model". It has spread now to even fairly reputable organisations.
This, at least to my understanding, runs contrary to the spirit of the GDPR regulations. Permission has to be freely given which, when the alternative is paying a subscription, it quite obviously isn't.
setgree1 day ago
The part about this that's amazing to me is that they still are doing nothing after he noted another GDPR violation [0]. He's obviously both competent and litigious. What does the company expect to happen next??
[0] "Under Article 77(2) of the GDPR a supervisory authority is under a binding legal obligation to keep a complainant informed of the progress and the outcome of their complaint. It is not a courtesy and it is not discretionary - it is written into the law. I filed my complaint with IMY, IMY passed it on, the case ended in a multi-million euro enforcement action, and not one of the authorities involved thought to tell the person who started it."
fifilura1 day ago
I am a EU citizen, I bought a (Chinese) robotic lawn mower.
One day, end of April when the grass is growing very rapidly, they presented me with a dialog in the app that basically said.
"We updated the EULA with the explanation "optimized wordings". Please accept."
There was no reference to the new or old EULA, and if I didn't accept I could not start the app and use my new mower. It was bricked.
I am now checking their compliance with GDPR. It is a tedious process because they keep stalling, but I still feel I have all the rights.
And I get a lot of help from chatgpt who works as a patient secretary that translates my "f-fck sake give me my stuff" into formal/friendly legalese with counter questions designed to be difficult to duck.
As of now, 2 months later, they have finally pointed me to "download personal data" in the application which gives me back a PDF with mower model, my email address and some push notification history.
But I know they store much more than that. And I think they know that I know. If nothing else my customer support history. But also for example a map of my garden.
QuantumNomad_1 day ago
the only way to stop the marketing was to cancel my membership of the club altogether
I have experienced this same thing with at least one other big company in Norway.
I could opt out of either SMS or e-mail, but not both, or I would not be able to keep the membership.
Unfortunately, I never made a note of which one that was exactly so I can’t name them and shame them on the spot.
Despite half-hearted attempts at stopping marketing emails now and then by individually logging in and opting out, or clicking unsubscribe links embedded in the email, my email continues to be flooded with marketing both from domestic and foreign companies that I’ve done business with. There is so many companies that even going through a handful of them at a time and unsubscribing there is a seemingly endless amount of companies that remain to unsubscribe from.
It is great to see that someone fights back, and that it is resulting in fines.
NooneAtAll31 day ago
how was 1.8M calculated?
has any calculations been made on how much actual profit was made by these unlawful actions?
d--b1 day ago
Idk about that particular company but the benefit of cheating may be much higher than the 1.8m fine they got.
I personally never specifically consent to anything, yet get a ton of marketing emails. To most companies that send me those emails 1.8m would be a slap on the wrist.
josefritzishere1 day ago
I wish America had real privacy laws like Norway.
angry_octet1 day ago
I don’t know who you are. I don’t know what you want. If you are looking for ransom I can tell you I don’t have money, but what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you.
pixelneon1 day ago
Hahaha, the sticker looks really funny, but I like it.
yieldcrv1 day ago
I’m imagining an agentic solution in everyone’s inbox that automates GDPR fines and updates
kklisura1 day ago
GDPR is a godsend.
crest19 hours ago
Fuck them with a rusty chainsaw dipped in manure.
pembrook1 day ago
Thankfully inbox providers are now mandating unsubscribe headers (so the unsubscribe button now sits at email client level, not within the body of the email, as it always should have). Making this entire thing irrelevant.
Going through the hassle of policing individual company behavior is beyond silly and a giant waste of resources when you can literally just force the behavior at client level.
This is also basically the story of why GDPR popups are stupid. Set it at the client (browser) level, not on 100,000,000 individual websites done slightly differently every time and try to setup an enforcement dragnet to have expensive fights over misplaced commas.
This should have always been a browser setting and not a multi-billion dollar Kafka-esque nightmare of lawyers and regulators policing every company on earth, wasting Europe's productivity and resources.
It's like how the US makes you file your own taxes when for 99% of people they already know the amount you owe, and then randomly will decide to fine you if your calculated number doesn't line up with their number. It's giant waste of everyones time.
gib4441 day ago
Eveyone getting very excited but on what date did the company actually pay the fine to the EU?
This decision can nevertheless be challenged before Norwegian courts in accordance with Article 78(1) of the GDPR. [0]
Time will tell I guess?
[0] https://www.datatilsynet.no/contentassets/59addbef9c1b48a28f...
HeartStrings1 day ago
"Integritetsskyddsmyndighetensffsf"
Bro, you alright?
jazz9k1 day ago
I'm so glad the GDPR never took hold in the US. Little Karens getting companies fined millions of dollars over what amounts to nothing.
You can always not use their service. Plenty of alternatives out there.
throw93944941 day ago
I wonder if anyone who are cheering this fine, actually read and tried to implement GDPR. It is a nightmare to be fully compliant for small companies.
It is mostly just a theater (like endless cookie consent dialogs in anonymous browsing), to employ more experts and bureaucrats.
EU is now pushing privacy laws that severely undermine privacy.
N_Lens1 day ago
This article reads like “jurisprudence fetishist gets off on technicality!”
How refreshingly European.
arjie1 day ago
It's an interesting story, but I could not help but have my mind skip over it because of the LLMisms. Acts like one of those taboola reels to me. If even just there was a tutorial to get people to write in such a way that it's not obviously LLM text it would be nice because the story is interesting.
I know, it's like complaining about JS etc. but it's like walking into an elevator and smelling very strong perfume. It's hard not to go "whew!"
londons_explore1 day ago
If I did business in the EU, I would be banning this chap from my services on the basis that the risk he poses to the business is too great...

news.ycombinator.com/item?id=48589501