Allegations of Behavior Profiling for Ad Targeting Lands Amazon $888M in Record GDPR Fines


Amazon hit with $888 million fine over alleged GDPR violations. The company said it will contest the legitimacy of the penalty, which is the highest ever for GDPR-related transgressions. What does this mean for Google’s FLoC?

A day after Amazon posted solid Q2 resultsOpens a new window wherein the world’s largest online retailer made over $100 billion in revenue for the third straight quarter, the company has been fined almost a billion dollars over alleged GDPR violations. The penalty, $888 millionOpens a new window to be exact, was imposed by Luxembourg National Commission for Data ProtectionOpens a new window (CNDP).

Issued a couple of weeks ago, the fine was disclosed only recently when Amazon filed the SEC Form 10-Q. Amazon saidOpens a new window , “On July 16, 2021, the Luxembourg National Commission for Data Protection (the ‘CNPD’) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation. The decision imposes a fine of €746 million and corresponding practice revisions.”

The fine itself is the largest ever imposed by a European authority based on the General Data Protection Regulation (GDPR) that came into force in 2018. In fact, the fine is larger than all previousOpens a new window GDPR-related penalties put together. However, it is considerably smaller than $15.44 billion or 4% of Amazon’s total 2020 annual revenue. At present, GDPR sanctions fines up to €20 million or 4% of an offender’s annual turnover under Article 83Opens a new window .

It isn’t a surprise that Amazon will fight the decision. The company said. “We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”


Back in 2018, the French advocacy group for digital rights and internet protection La Quadrature du Net had registered a complaintOpens a new window against Amazon Europe Core SARL, Amazon EU SARL, Amazon Services Europe SARL, and Amazon Media.

The complaint was filed over concerns that Amazon is using personal data to target users with advertising. The complaint also mentions concerns over the behavioral profiling of users. However, in this particular case, the allegation that Amazon’s usage of user data is non-consensual, and not ad targeting using profiling, is the operative concern.

“Aucun document publié par Amazon ne laisse penser que celui-ci compte fonder ses traitements d’analyse comportementale et de ciblage publicitaire sur le consentement de ses utilisateurs.”

It roughly translates to, “No document published by Amazon suggests that this one intends to base its behavioral analysis and advertising targeting treatments on the consent of its users.” The group also has some issues with the legalities of Amazon’s contract with users.

In the past, La Quadrature du Net has also registered complaintsOpens a new window with the Irish data privacy watchdog Data Protection Commission against Facebook, Apple, Microsoft, and Google. None of the four complaints have been actioned so far.

Following CNDP’s verdict, La Quadrature du Net criticized France’s data privacy regulator Commission Nationale de l’informatique et des libertés (CNILOpens a new window ).

“The exemplary posture of the Luxembourg authority is also a cold shower for the CNIL in France which, for a long time, was a leader in Europe for data protection,” the group said in a recent blog postOpens a new window . “Today, the CNIL is no more than a shadow of itself, while our collective complaints, initially brought before it, offered it the ideal opportunity to be the spearhead of the GDPR against systemic violations of personal data at the heart of GAFAM’s business model.”

GAFAM is basically an acronym for Big Tech companies Google, Apple, Facebook, Amazon, Microsoft.

See Also: How To Minimize the GDPR’s Impact on Your SEO Strategy

GDPR Fines Issued in the Past

Even after a year of coming into effect, GDPR-related penalties had been rather unheard of. In the first 20 months of the GDPR up to January 2020, EU-based regulatory bodies had issued a total of €114 million ($139 million). For the 12 months until January 2021, the imposition of fines surged by 39% to €158.5 million ($193.4 million), as DLA Piper notedOpens a new window .

The €50 million ($56.6 million) penalty on Google issued in 2020 was the previous record-holder for the highest GDPR-related fine. Here’s a look at the 10 biggest GDPR fines from 2020 and 2021 ordered by fine value.

Company Sector Year Penalized Penalty Value (Million) Reason
GoogleOpens a new window Search, IT, Enterprise Software 2019, Upheld in 2020 €50 ($56.6) Data consent issues
H&MOpens a new window Clothing Retailer 2020 €35 ($41) Illicit monitoring of hundreds of employees
Telecom ItaliaOpens a new window Telecommunications 2020 €27.8 ($31.5) Unsolicited communication for promotion
British Airways Airlines 2020 €22 ($26) Insufficient security led to a data breach wherein 400,000 customers were exposed
MarriottOpens a new window Hospitality 2020 €20.4 ($23.8) Insufficient scrutiny of reservation systems led to a data breach wherein 383 million customer data records were exposed
WindOpens a new window Telecommunications 2020 €17 ($20) Non-consensual ad spamming

Forceful data collection (location) for marketing activities

NotebooksbilligerOpens a new window Retail Consumer Electronics 2021 €10.4 ($12.5) Unlawful video surveillance of employees
Vodafone SpainOpens a new window Telecommunications 2021 €8.15 ($9.72) Unlawful processing of personal data to deliver ads
GoogleOpens a new window Search, IT, Enterprise Software 2020 €7 ($7.9) Non-fulfillment of obligations with respect to the right to delisting request from search.
CaixabankOpens a new window Banking and Financial Services 2021 €6 ($7.2) Unlawful usage of customers’ personal data

Of these companies, only Google appealed against the fine, which was shot down by a French courtOpens a new window .

Amazon’s Response

Like Google, Amazon also intends to appeal against the imposition of the fine. The company told the Wall Street JournalOpens a new window (WSJ):

“Maintaining the security of our customers’ information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The WSJ, who in June 2021 reported an expected fine of $425 millionOpens a new window for Amazon said that the Luxembourg-based regulator received at least one objection to make the fine even higher. Subsequently, the current fine stands at $888 million.

See Also: Are GDPR Class Action Lawsuits the Next Big Headache for Data Professionals?

Closing Thoughts

It is unclear as of now what exactly the CNDP found to warrant such a high fine. $888 million is inconsequential for Amazon and its scale of operations but the margin between the penalty on Amazon and the $50 million hit on Google in 2020 is what makes this interesting.

Google’s now delayed implementation of Federated Learning of Cohorts (FLoC) also raises doubts about the company’s position in the advertising space. With FLoC, Google will replace cookie-based tracking and ad targeting. It instead categorizes individuals into cohorts depending on their respective online activities or behavior.

Non-consensual behavior profiling is what landed Amazon into this latest trouble with EU laws. So it remains to be seen how Google navigates the European market with regulators, armed with GDPR, watching over. For now, Google has said FLoC will not be testedOpens a new window in regions where GDPR is enforced, taking the EU out of the equation.

The first phase of FLoC testing, called Origin Trail, was recently concluded. As online ad agency Criteo pointed out, only 0.02% of Chrome usersOpens a new window were a part of the test, thus making it a challenge to draw meaningful conclusions. Until the time Google goes to the EU, there will be plenty for the company to keep an eye on as Amazon-EU battle it out.

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!