Amazon’s Record-Size GDPR Wake‑Up Call

If you ever clicked “accept cookies” on Amazon and wondered what exactly you just agreed to… turns out regulators were wondering the same thing.
And they didn’t like the answer.
In Europe, that curiosity turned into one of the largest GDPR fines in history: a €746 million penalty against Amazon Europe for unlawful personal data processing and targeted advertising practices.
Let’s unpack what actually happened, what rules Amazon broke, and what this means for anyone doing business (or advertising) in the EU.

What happened in the Amazon Europe GDPR case?
In July 2021, Luxembourg’s data protection authority, the CNPD, fined Amazon Europe Core S.à r.l. €746 million for violating the EU’s General Data Protection Regulation (GDPR). The decision centered on how Amazon processed user data for interest‑based (personalized) advertising. (cnbc.com)
Why Luxembourg? Amazon’s main European headquarters is based there, so Luxembourg’s CNPD is its lead supervisory authority under the GDPR’s “one‑stop shop” mechanism.
Amazon immediately pushed back, arguing there was no data breach, no leak to third parties, and that the decision relied on “subjective and untested” interpretations of privacy law. (cnbc.com)
Fast‑forward:
- March 18, 2025 – Luxembourg’s Administrative Court upheld the CNPD’s original decision, confirming the full €746 million fine and the corrective measures. (today.rtl.lu)
- Amazon is still considering a further appeal, but for now the ruling stands and is a major precedent for GDPR enforcement. (today.rtl.lu)
Takeaway: This isn’t just “Amazon got fined.” It’s a detailed judgment about how platforms can (and can’t) use personal data for advertising in Europe.

What GDPR rules did Amazon allegedly violate?
The full CNPD decision isn’t public, but summaries of the authority’s and court’s findings paint a pretty clear picture. The violations cluster around four big GDPR themes: legal basis, consent, transparency, and user rights.
1. Wrong legal basis for targeted advertising
Amazon relied heavily on “legitimate interest” (Article 6(1)(f) GDPR) as the legal basis for using personal data to build advertising profiles and deliver personalized ads.
The CNPD – and later the Administrative Court – said: not good enough. (digitalpolicyalert.org)
Why?
- The scale and intensity of profiling (tracking users across services, building detailed profiles for ad targeting) significantly impacted users’ privacy.
- Those impacts outweighed Amazon’s economic interest in showing more relevant ads.
- Given the intrusiveness of the processing, valid consent (Article 6(1)(a)) should have been the basis, not legitimate interest.
In other words: if you’re going to track people in depth to micro‑target them, you need a clear yes, not a vague claim of “but this is good for business.”
Mini‑takeaway: Legitimate interest is not a magic “we can do anything” button.
2. Consent that wasn’t really consent
Even where consent mechanisms existed, regulators found Amazon did not properly obtain explicit, informed consent for the way it used data in interest‑based advertising. (digitalpolicyalert.org)
Under GDPR, consent has to be:
- Freely given (no dark patterns or “take it or leave it” for non‑essential processing)
- Specific (you know what you’re agreeing to)
- Informed (you understand the purposes and consequences)
- Unambiguous (a clear affirmative action – not silence or vague wording)
The CNPD concluded that Amazon’s implementation didn’t hit these marks, especially for the more invasive tracking and profiling used for personalized ads.
Mini‑takeaway: “You used our site, so you must be fine with deep ad profiling” doesn’t count as consent in the EU.
3. Transparency failures: people didn’t know what was really happening
The case also highlighted serious transparency and information failures:
- Privacy information was unclear, incomplete, and hard to navigate.
- Users weren’t sufficiently informed about the purposes of processing and the extent of profiling.
- Key details were buried or fragmented, making it difficult to understand what data was used and why. (2b-advice.com)
This was treated as a violation of GDPR Articles 12–14, which require concise, intelligible, easily accessible information about data use.
Mini‑takeaway: If your privacy policy reads like a legal puzzle box, regulators are not going to be impressed.
4. Ignoring or mishandling user rights
The CNPD and the court also found Amazon fell short on data subject rights, including: (digitalpolicyalert.org)
- Right of access (Art. 15) – Requests were reportedly unanswered, incomplete, or overly delayed.
- Right to rectification and erasure (Arts. 16 & 17) – Corrections and deletion requests weren’t handled properly or promptly.
- Right to object (Art. 21) – Objections to processing for advertising purposes weren’t effectively honored.
These weren’t treated as one‑off mistakes. The authority described them as systematic shortcomings in Amazon’s data protection management.
Mini‑takeaway: You don’t just need a privacy policy; you need working processes and teams that actually respond to people’s requests.

Who started this? The role of La Quadrature du Net
This wasn’t a regulator randomly waking up one day and deciding to check Amazon.
The case traces back to collective complaints filed in 2018 by French digital rights group La Quadrature du Net, which has been very active in challenging big tech ad practices under GDPR. (cnbc.com)
Their complaint focused on targeted advertising and tracking, arguing that Amazon’s systems violated fundamental GDPR principles and user rights.
Mini‑takeaway: Civil society groups can be extremely influential in how GDPR gets enforced.

Why was the fine so massive?
Under GDPR, regulators can fine companies up to 4% of their global annual turnover for serious violations. For a company of Amazon’s size, that’s… a lot.
The €746 million fine was (at the time) the largest GDPR penalty ever imposed on a single company, before Meta’s later €1.2 billion fine in 2023. (heise.de)
The CNPD and the court considered factors like: (digitalpolicyalert.org)
- Scale of processing – Massive numbers of users affected across the EU.
- Systemic nature – Not a glitch, but how the ad system was designed.
- Duration – The practices had been in place over a considerable period.
- Lack of timely remediation – Amazon was found not to have taken adequate corrective steps for a long time.
On top of the lump‑sum fine, regulators attached corrective orders and even a daily penalty of €746,000 for failing to implement required changes. (digitalpolicyalert.org)
Mini‑takeaway: EU regulators are willing to use the full weight of GDPR for large, persistent, and structural violations.

Amazon’s response: “We disagree”
Throughout this saga, Amazon has maintained that: (cnbc.com)
- There was no data breach and no exposure of customer data to third parties.
- The decision is based on subjective interpretations of GDPR.
- The fine is disproportionate.
After losing in Luxembourg’s Administrative Court in March 2025, Amazon signaled it was considering further appeals, potentially up to Luxembourg’s higher courts.
From Amazon’s perspective, this case isn’t just about one fine; it’s about legal clarity on what is – and isn’t – allowed in personalized advertising under GDPR.
Mini‑takeaway: Expect this to stay in the courts and legal textbooks for a while.

What does this mean for businesses using data in Europe?
Let’s talk practical implications. If you process personal data in the EU – especially for marketing, analytics, or profiling – this case has important lessons.
1. Re‑evaluate your legal bases for advertising
If you’re doing:
- Cross‑site or cross‑service tracking
- Detailed behavioral profiling
- Highly personalized or predictive advertising
…then relying on legitimate interest is risky.
You should:
- Map your processing activities – What data, from where, used for what specific ads or segments?
- Run a Legitimate Interest Assessment (LIA) if you think you can rely on it – and document it.
- Where profiling is intrusive or large‑scale, strongly consider consent instead.
2. Fix your consent flows (no dark patterns)
If consent is your legal basis:
- Use clear, granular options (e.g., separate toggles for analytics vs marketing vs third‑party sharing).
- Avoid pre‑ticked boxes, deceptive design, or “agree or leave” for non‑essential processing.
- Make withdrawal of consent as easy as giving it.
Think: could someone who’s not a lawyer explain what they’re agreeing to in one sentence? If not, you probably need to simplify.
3. Make transparency an actual UX priority
Treat your privacy information like product content, not compliance leftovers.
Concretely:
- Provide layered notices – short, plain‑language summaries with links to more detail.
- Explain in human terms what data you collect, how long you keep it, who you share it with, and why.
- Don’t bury key information in walls of text or hard‑to‑find pages.
If users can’t quickly answer, “What exactly are you doing with my data?” you have a transparency problem.
4. Operationalize data subject rights
GDPR rights sound simple on paper, but implementing them at scale is hard. This case shows regulators will look at how well your processes work in practice.
You should have:
- A clear intake process for access/erasure/objection requests.
- Standard response templates and SLAs (usually 1 month under GDPR).
- Internal tooling to find, export, correct, and delete data reliably.
- A way to enforce objections to advertising across your systems (not just one database).
If a regulator sampled 20 access or deletion requests from the last year, would you be proud of how they were handled?
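As an added example (not from the article, and not Amazon's code), here is a minimal Python consent-and-objection ledger that ties sections 2 and 4 together: every purpose needs its own explicit grant, a pre-ticked or inferred consent does not count, a withdrawal or objection turns processing off from its timestamp onward, and a request's one-month due date is computed. Purpose names, event shapes and dates are constructed for illustration.

```python
"""Added example (not from the article or Amazon): a consent/objection ledger that
gates personalised-ad processing as sections 2 and 4 describe. All data is constructed."""
import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

PURPOSES = {"analytics", "marketing", "third_party_sharing"}  # one opt-in each, no bundling

@dataclass
class ConsentEvent:
    purpose: str
    action: str            # "grant", "withdraw" or "object"
    at: datetime
    explicit: bool = True  # False = inferred (pre-ticked box, "you kept using the site")

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)
    def record(self, ev: ConsentEvent) -> None:
        if ev.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {ev.purpose!r}")
        self.events.append(ev)

    def may_process(self, purpose: str, now: datetime) -> bool:
        """True only if the latest event for this purpose is an explicit grant;
        silence (no event), inferred consent, withdrawal and objection all mean 'no'."""
        latest = None
        for ev in self.events:
            if ev.purpose == purpose and ev.at <= now and (latest is None or ev.at >= latest.at):
                latest = ev
        return latest is not None and latest.action == "grant" and latest.explicit

def dsar_deadline(received: date) -> date:
    """Due date for an access/erasure/objection request: one calendar month after receipt."""
    year, month = received.year + (received.month == 12), received.month % 12 + 1
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))

def demo() -> dict:
    """Constructed walkthrough: explicit marketing opt-in, pre-ticked analytics, later objection."""
    led, t0 = ConsentLedger(), datetime(2025, 1, 10, 9, 0)
    led.record(ConsentEvent("marketing", "grant", t0))
    led.record(ConsentEvent("analytics", "grant", t0, explicit=False))
    led.record(ConsentEvent("marketing", "object", t0 + timedelta(days=30)))
    return {
        "marketing_day1": led.may_process("marketing", t0 + timedelta(days=1)),
        "marketing_day31": led.may_process("marketing", t0 + timedelta(days=31)),
        "analytics_preticked": led.may_process("analytics", t0 + timedelta(days=1)),
        "objection_due": str(dsar_deadline(date(2025, 2, 9))),
    }
```

The same `may_process` check should be consulted by every system that targets ads, so one objection is honored everywhere rather than in a single database.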
5. Don’t ignore corrective orders
A key detail in the Amazon case: courts noted that Amazon failed to sufficiently address the violations over time, which helped justify the severity of sanctions and daily penalty threats. (today.rtl.lu)
If a regulator issues:
- An order to stop certain processing
- An instruction to change your consent or privacy notices
- A mandate to improve user rights handling
…you need a concrete remediation plan with timelines, documentation, and clear accountability.
Mini‑takeaway: GDPR enforcement isn’t just about what you did; it’s about how fast and seriously you fix things once you’re called out.

Why the Amazon GDPR ruling matters beyond Amazon
This case is bigger than one company:
- It clarifies the limits of legitimate interest for ad‑driven profiling.
- It reinforces that consent must be real, not implied by clever UX or vague wording.
- It shows regulators and courts are willing to hold massive platforms to the same rules as everyone else.
- It sets a reference point for future fines and enforcement across ad‑tech, e‑commerce, and platforms.
For privacy advocates, it’s a signal that GDPR isn’t just symbolic. For businesses, it’s a warning shot: design your data strategy assuming full‑strength enforcement, not best‑case interpretation.

So… what should you do now?
If you’re operating in or targeting users in the EU, now is a very good time to:
- Audit your tracking and profiling – Know exactly what data you collect and for which purposes.
- Review legal bases – Especially for marketing, analytics, and cross‑site tracking.
- Upgrade consent and transparency – Treat them as product features, not fine print.
- Stress‑test user rights handling – Run a mock access or erasure request and follow it end‑to‑end.
- Document everything – If regulators knock, you want to show you’ve thought this through.
Because if a regulator can tell Amazon, “Your ad system overstepped the line,” they can absolutely say it to you.
And unlike Amazon, you probably don’t have a spare €746 million lying around to make the problem go away.