Back in 2021 a customer of Elkjop’s Nordic club discovered that opting out of marketing required canceling the entire membership. The data officer’s reply framed the issue as a simple condition: “to receive offers, you must be a member.” The writer argued that bundling consent violated Article 21(2) of the GDPR and the e‑Privacy Directive, exposing forced consent for every message sent thereafter.

The complaint escalated to Sweden’s IMY, which redirected the case to Norway’s Datatilsynet under the one‑stop‑shop rule because Elkjop Nordic AS is the main controller. After years of silence, the Norwegian regulator fined the group NOK 20 million—just over €1.8 million—for invalid forced consent, improper profiling, and lack of a compatibility assessment and the continued use of data without lawful basis.

The case exposes how bundled consent remains the default in the digital economy, turning a simple opt‑out into a paid service. The fine and public decision reinforce that consent must be freely given and transparent. Elkjop must now overhaul its data practices or face further legal action, underscoring the regulatory cost of ignoring GDPR for companies that fail to comply.