I told them forced consent was unlawful. Five years later it cost Elkjop €1.8 million — That Privacy Guy!
Author: Alexander Hanff
(c) Hanff & Co. AB - CC BY-NC-SA 4.0 · https://www.thatprivacyguy.com/
Back in the summer of 2021 I was a member of the Elgiganten Kundklubb, the customer club the Elkjop group runs across the Nordics, and like a lot of members I was buried under marketing emails. So I did the obvious thing and went looking for a way to switch them off. What I found instead was the problem that has taken five years to put right - the only way to stop the marketing was to cancel my membership of the club altogether.
I wrote to their Data Protection Officer on 30th July and set out, in plain terms, why that arrangement breaks the law. Under Article 21(2) of the GDPR every person has an absolute right to object to direct marketing. Under the ePrivacy Directive, marketing by email is only lawful where I have given my consent, or where there is an existing customer relationship and I am offered a simple way to opt out both at the point my details are collected and in every message after that. And consent, to be worth anything at all, has to be freely given - which under Article 4(11) and Article 7 means it cannot be bundled into, or made a condition of, something else. Forcing me to surrender my membership and the benefits that come with it, just to exercise a right I already hold, is the textbook example of consent that is not freely given.
They put the violation in writing
The reply I received a few days later did me the favour of putting the violation on the record. Their position, in their own words, was that "in order to receive marketing / offers, it is a condition to be a member of the customer club." That one sentence is the whole case. They had taken a right I am entitled to exercise for free and turned it into the price of admission.
So I escalated. I served a formal restriction of processing under Article 18, I sent a full subject access request under Article 15 - the legal basis they were relying on, the legitimate interest balancing test, the recipients, the sub-processors, the international transfers, the profiling, all of it - and I filed a complaint with the Swedish supervisory authority, Integritetsskyddsmyndigheten (IMY), which issued the reference DI-2021-6660. The company's answer to all of this was to point me at a vague privacy policy, and then, when that did not wash, to stretch the deadline on my access request out to ninety days while citing "complexity" and "limited internal resources".
How a Swedish complaint became a Norwegian fine
This is where the machinery of the GDPR comes in. The customer club is run by the Norwegian parent, Elkjop Nordic AS, and on the facts it is the parent that holds the real decision-making power over the purposes and the means of the processing. So in September 2022 IMY decided it was not the right authority to deal with this at all. Under the one-stop-shop in Article 56(1), the competent regulator is the one for the controller's main establishment, and that establishment sits in Norway. IMY handed the investigation and my complaint to Datatilsynet, the Norwegian DPA, which accepted the case. And then, as these things tend to, it went quiet for a very long time.
On 1 June 2026 it stopped being quiet. Datatilsynet fined the Elkjop group NOK 20 million, a little over €1.8 million, and it found precisely what I had told them in 2021. The consent the company was relying on for its customer club was not valid - it was forced, it was not specific, and members were not properly informed. On top of that, the company had taken the personal data it gathered through the club and put it to further use for advertising and conversion tracking, without ever carrying out the compatibility...