Is Amazon in trouble with the GDPR? You better believe it. On 16 July this year, the CNPD (National Data Protection Commission) in Luxembourg decided to fine the online giant $888 million. Even for Amazon, that’s an enormous slice of both its annual revenue and operating profits. Let’s find out how Amazon and the GDPR came head to head….


The CNPD claimed that Amazon’s processing of personal data did not comply with the requirements of the European Union GDPR. On 29 July, this claim was countered by Amazon, saying that it was without merit and that it would appeal the decision. This massive €776 million fine is the biggest GDPR fine to date and truly shows the regulatory body baring its powerful teeth. Google’s fine of €50 million and that of H&M’s €35 million both in 2020 dwarf in comparison to Amazon’s plight.


Personal data, by definition, is a tricky and complex concept to unpack. Some say that it is the all-encompassing collection of an individual’s identifiers, both online and offline. According to the GDPR, personal data embraces

  • Name
  • Physical attributes
  • Health information
  • Economic, cultural and social identity
  • Identification numbers
  • Online identifiers including IP addresses
  • Location data

Companies accessing and using personal data enter a minefield, just like Amazon and the GDPR. For example, an online marketing survey may require a user to enter identifiers such as ethnicity, eye colour, or income level. While a user may willingly divulge this information, a company needs to justify its use to the GDPR. VP of Education and Chief Methodologist at EWSolutions, a data management consulting operation, says:

“You need to document that you need to know someone’s eye color or what their favorite food is, and you’ll need to prove how that data satisfies a stated business goal so that auditors can clearly see the necessity.”

Also realize that before a business can collect any personal data at all, it needs to obtain informed, unambiguous consent from an individual. This can be as simple as asking a user to check to box and confirm consent.


Just how did Amazon land in the GDPR muck? The CNPD’s ruling stemmed from a complaint made by 10,000 people filed by the privacy rights group LQDN (La Quadrature du Net). It was said that Amazon had imposed a series of targeted advertising campaigns without acquiring free consent. Amazon is also under scrutiny from the European Commission surrounding a breach of EU antitrust rules for

“distorting competition in online retail markets”


 From the Amazon run-in with the GDPR you can see that the EU means business when it comes to protecting the rights and personal data of individuals. If you have any doubts about your adherence to the GDPR, contact Zhero right now. We have over 20 years of experience in Business IT Management and Risk Mitigation. Don’t risk the fine. And we not talking small. The GDPR can demand anything up to 4% of your annual global revenue. Ask Amazon.