Amazon fined heavily for violating GDPR by using unconsented data for ad targeting

The news: Amazon has been fined €746 million ($850.6 million) for violating the EU’s General Data Protection Regulation (GDPR) rules on using personal data to target ads, according to a disclosure statement from an Amazon SEC filing.

  • The fine was levied by Luxembourg’s National Commission for Data Protection (CNPD). In addition to a fine, the ruling would force Amazon to change some practices around processing personal data.
  • Amazon, however, says it will “defend [itself] vigorously,” and intends to appeal the decision, according to the filing.

How we got here: The ruling stems from a 2018 class-action complaint by a French advocacy group called La Quadrature du Net (LQDN), which alleged that Amazon doesn’t have consent under GDPR to use shopping data for ad targeting.

  • Importantly, LQDN’s complaint against Amazon centers around “the system of targeted advertising itself,” rather than “occasional security breaches” or other instances where customer data is exposed to third parties, per a blog post by the group.
  • Amazon is not the only company targeted by LQDN: The group also filed complaints against Apple, Facebook, Google, and Microsoft.
  • Google is the only other company so far to be fined as a result of these complaints, with a €50 million ($57.0 million) sanction in 2019. That’s the second-largest fine levied for GDPR violations, behind Amazon’s.

More on this: It’s also not the first time that Amazon’s ecommerce data practices have come under scrutiny in the EU.

  • In November 2020, the European Commission announced two antitrust investigations into Amazon: one into the platform’s use of “nonpublic data” on third-party seller activity on its platform, and another into practices surrounding Amazon’s “Buy Box” on its website, which spotlights potentially attractive deals for buyers.

What’s next?

  • The CNPD’s decision bodes poorly for other Big Tech players and, by extension, for European advertisers that benefit from their ad targeting practices. It remains to be seen whether any EU agencies will take similar action against Apple, Facebook, and Microsoft as a result of LQDN’s complaints—but it took three years for the Amazon ruling, so they’re not out of the woods just yet.
  • Meanwhile, antitrust cases against Amazon are also brewing in other countries, like the US and Australia. Still, privacy protections in those countries are far weaker than in the EU, so it’s unlikely that similar complaints to the LQDN’s would hold water.