GDPR and Customer Match: What the €1.85M Elkjop Fine Means for Google Ads
Norway's DPA fined Elkjop €1.85M in June 2026 for four violations: bundled consent for loyalty data, Customer Match upload without a compatibility assessment, insufficient legitimate interest documentation for offline conversions, and systematic data subject rights delays. Here is what each violation means for Google Ads teams using Customer Match and offline conversion imports.
Norway's data protection authority (Datatilsynet) fined Elkjop Nordic AS and Elkjop Norge AS NOK 20 million (approximately €1.85 million) on June 1, 2026, following an inspection of their loyalty club data processing. The decision covered over 6 million customer club members across Nordic countries. Four specific violations are relevant to any Google Ads team that uploads customer data for Customer Match or tracks offline conversions: invalid bundled consent, uploading loyalty data to advertising platforms without a compatibility assessment, insufficient legitimate interest assessments for offline conversion sharing, and systematic failure to handle data subject requests. Technical compliance with Google's Data Manager API does not resolve these legal issues.
Key takeaways
- The fine was NOK 20 million (~€1.85 million), issued June 1, 2026, covering Elkjop's processing of 6 million-plus loyalty club members in Norway, Sweden, Finland, and Denmark.
- Violation 1: Elkjop's consent mechanism was invalid because a single consent bundled multiple processing purposes (newsletter, SMS, profiling, analytics, personalization) with no option to accept some and decline others.
- Violation 2: Uploading loyalty member data to advertising platforms for Customer Match was treated as processing for a new purpose, requiring a compatibility assessment or fresh specific consent that Elkjop did not have.
- Violation 3: The legitimate interest assessment for offline conversion sharing was insufficient because it failed to document the number of affected individuals, data categories, children's data implications, and consumer expectations.
- Technical migration to Google's newer Data Manager API was not a legal defense; the authority confirmed that compliance obligations attach to how data is used, not which pipeline carries it.
What happened and why it matters for Google Ads teams
Elkjop operates consumer electronics retail across Norway, Sweden, Finland, and Denmark. Their loyalty club collected customer data for discounts and membership benefits. That same data was uploaded to Facebook and Google for Customer Match audience targeting and offline conversion tracking. The June 2022 inspection by Norway's DPA identified four distinct violations. The final decision was issued June 1, 2026, with the fine applicable across the two Norwegian entities.
The relevance for Google Ads teams: Elkjop's Customer Match and offline conversion practices are common in ecommerce. Collecting emails and phone numbers at checkout, uploading them for Customer Match audiences, and sharing conversion events via API are standard Google Ads workflows. What the Elkjop decision establishes is that these workflows are not legally neutral even when Google's technical requirements are met.
The problem this creates for performance marketers in the EU: your legal team or DPO may have reviewed your privacy policy and consent mechanisms but may not have specifically assessed whether Customer Match upload or offline conversion sharing to Google constitutes secondary processing that requires a fresh legal basis. The Elkjop fine makes this gap concrete and financially quantifiable.
Prooflytics operates under GDPR as a service processing marketing data for EU-based clients. For accounts where Customer Match or offline conversion imports are connected data sources, the legal basis question sits upstream of the measurement question but affects what data is lawfully available to the intelligence layer.
The four violations in detail
Violation 1: Invalid bundled consent
Elkjop's loyalty club enrollment collected a single consent covering newsletters, SMS marketing, behavioral profiling, analytics processing, and personalization. GDPR Article 7(2) requires that consent be specific: where processing occurs for multiple purposes, each purpose requires its own consent decision. Customers must be able to consent to some purposes and refuse others.
The practical implication for loyalty programs: if your customer data collection at signup or checkout uses a single "I agree to marketing communications" checkbox that covers email, SMS, profiling, and third-party sharing simultaneously, that consent structure does not meet GDPR specificity requirements. Each purpose needs a separate, clearly labeled consent option.
Additional failure: the all-or-nothing structure (accept all processing or receive no membership benefits) means the consent was not freely given. Conditioning access to a loyalty program on consent to profiling is a form of coercion under GDPR.
Violation 2: Customer Match without compatibility assessment
Elkjop uploaded loyalty club member contact data (emails, phone numbers) to advertising platforms for Customer Match audience building. The DPA determined this constituted processing for a new purpose, distinct from the purpose for which the data was originally collected (loyalty discounts and membership benefits).
GDPR Article 6(4) requires that when data is used for a new purpose, the controller must assess whether the new use is compatible with the original purpose. The relevant factors: the link between original and new purpose, context of collection, nature of the data, consequences of the new processing, and whether appropriate safeguards exist.
Elkjop had not conducted this compatibility assessment. They could not demonstrate that customers reasonably expected their contact details to be shared with advertising platforms for ad targeting.
For Google Ads teams: uploading a CRM list to Customer Match that was collected under a "newsletter subscription" or "loyalty program" consent is potentially in the same situation Elkjop was in. The data was not collected for ad targeting. Uploading it for that purpose is secondary processing that requires documented justification.
Violation 3: Insufficient legitimate interest assessment for offline conversions
Elkjop relied on legitimate interest as the legal basis for sharing conversion data with Facebook and Google. GDPR requires that legitimate interest claims be supported by a Legitimate Interest Assessment (LIA) that documents: the specific interest being pursued, the necessity of the processing for that interest, and a balancing test against data subjects' rights and interests.
Elkjop's LIA failed to include: the number of individuals affected, the categories of data processed, implications for children's data, consumer expectations regarding third-party data sharing, and the potential negative consequences of the sharing.
For Google Ads offline conversion imports: if your legal basis for sharing conversion data via Google's Offline Conversions API or Enhanced Conversions is legitimate interest, you need a documented LIA that covers these elements. Stating "we have a legitimate interest in measuring advertising performance" without the balancing test documentation does not meet the standard.
Violation 4: Systematic data subject rights failures
Elkjop automatically classified all rectification requests as "complex," extending the standard 30-day response deadline by two months. Evidence showed 75 unresolved requests exceeding legal timeframes, including cases from February 2021 that remained open during the June 2022 inspection. One customer's incorrect email remained uncorrected for nearly 8 months.
This violation is operationally separate from Customer Match and offline conversions but indicates the broader compliance program weakness. For teams managing customer data that feeds advertising platforms, a data subject rights response failure creates a compounding risk: the customer can request deletion of their data, which must be reflected in your Customer Match audiences and conversion tracking.
What to review in your own account
Consent architecture: review your current consent collection mechanism. If a single checkbox covers multiple marketing purposes, map each purpose separately and assess whether the current consent structure supports them individually.
Customer Match legal basis: for each Customer Match audience, document the legal basis for uploading that specific data set to an advertising platform. If the data was collected under a purpose that does not include ad targeting, document whether a compatibility assessment has been conducted or whether fresh specific consent is required.
Offline conversion LIA: if legitimate interest is your legal basis for sharing conversion events with Google, locate or create the LIA. Verify it includes the number of affected individuals, data categories, children's data assessment, consumer expectations, and a balancing test.
Data subject rights workflow: confirm that requests from customers to delete their data trigger removal from Customer Match audiences. Google's Customer Match allows audience removal via API. If your workflow does not include advertising platform removal as part of the deletion process, close that gap.
Bottom line
- The Elkjop fine establishes that standard Google Ads practices (Customer Match upload, offline conversion sharing) require a documented legal basis under GDPR, not just technical compliance with Google's policies.
- The four violations to audit in your own account: consent specificity for data collection, compatibility assessment for Customer Match uploads, legitimate interest documentation for offline conversions, and data subject rights workflows that include advertising platform removal.
- Technical migrations (Data Manager API, Enhanced Conversions) do not substitute for legal basis; the DPA confirmed this explicitly.
- For teams operating under EU/EEA law: assess whether the data you are uploading to Customer Match was collected under a purpose that covers ad targeting. If not, document the compatibility assessment or obtain fresh specific consent.
Frequently asked questions
Does Google's Customer Match require GDPR compliance on the advertiser side?
Yes. Google's Customer Match policy requires that advertisers confirm they have the legal right to use the data they upload. Google's technical acceptance of a Customer Match upload does not validate the legal basis for the upload. The advertiser remains the data controller and is responsible for ensuring their legal basis is in place before the upload. The Elkjop case demonstrates that regulators look at the advertiser's compliance, not Google's technical implementation.
Does moving to Google's Data Manager API or Enhanced Conversions fix the legal issue?
No. The Norwegian DPA explicitly stated that compliance obligations attach to how data is used, not which technical pipeline carries it. Enhanced Conversions and the Data Manager API use more privacy-preserving methods (hashing) but do not change the legal question of whether you have the right to process and share the underlying data with an advertising platform in the first place.
What is the difference between a legitimate interest assessment and a privacy policy?
A privacy policy describes what data you collect and how you use it. A Legitimate Interest Assessment (LIA) is a documented analysis that justifies a specific processing activity under Article 6(1)(f) of the GDPR. An LIA must include: the legitimate interest being pursued, why the processing is necessary for that interest, and a balancing test showing the interest is not overridden by the data subject's interests or rights. A privacy policy statement that mentions legitimate interest does not constitute an LIA.
Is the Elkjop fine applicable only in Norway, or does it set precedent for other EU countries?
Norway is part of the EEA and applies the GDPR directly through the EEA Agreement. Norway's DPA decisions are not technically binding in other EU countries, but they are persuasive authority. The violations identified (bundled consent, Customer Match secondary processing, inadequate LIA) reflect principles that apply across the EU. Any EU or EEA advertiser running the same practices faces the same substantive legal risk, regardless of jurisdiction.
What should I do if I am currently using Customer Match with data collected under a general marketing consent?
The conservative approach: pause Customer Match uploads using that data until you have assessed the compatibility question and documented the outcome. If the data cannot be used without fresh consent, design a consent collection mechanism that specifically mentions sharing with advertising platforms for audience targeting and obtain fresh consent before resuming uploads. If the data can be used under a compatibility assessment, document that assessment with the factors listed above.