Elkjop fined €1.8 million for illegal forced‑consent UI

── What happened ──

On 12 June 2026 the Norwegian Data Protection Authority (Datatilsynet) fined Elkjop €1.8 million for a forced‑consent UI that pre‑checked the marketing newsletter box and offered no clear opt‑out, violating GDPR Article 7’s free‑consent requirement [hn-front]. The regulator ordered a redesign of the consent flow within 30 days and a Data Protection Impact Assessment. The penalty is the largest GDPR sanction recorded in Norway [hn-front].

── Why it matters ──

The case shows that consent dialogs are now a compliance liability: regulators will impose multi‑million‑euro fines for a single design flaw. It also proves that financial risk scales with market size—large retailers cannot rely on legal teams alone to avoid costly penalties. Finally, the ruling pushes e‑commerce platforms toward explicit opt‑in, separate from the purchase flow, with logged timestamps and easy revocation mechanisms, increasing development overhead but lowering enforcement risk [hn-front].

── Editor's take ──

The fine targets manipulative UI tactics rather than pure data protection, signaling that regulators view deceptive consent designs as comparable to unfair commercial practices. Companies should embed UX audits in compliance programs instead of treating consent as a legal after‑thought.

── Reader poll ──

Which consent design principle do you back for online retail?

• Explicit opt‑in only
• Pre‑checked boxes allowed
• No consent needed for marketing
• Separate marketing checkout