Facing €746 Million Fine for Alleged Advertising-Related GDPR Violations

Amazon GDPR Fine has been slapped with a record-breaking €746 million ($888 million) GDPR penalty for allegedly violating the EU’s stringent data protection law. In addition to the fine, Amazon is required to implement corresponding practice revisions to prevent further violations of the requirements of the General Data Protection Regulation.

All companies and individuals doing business with EU residents are required to comply with strict privacy regulations, which place restrictions on the collection, processing, and use of data subjects’ personal data. has an EU base in Luxembourg. As such, investigations into potential violations of GDPR are dealt with by the Luxembourg Data Protection Authority, the National Commission for Data Protection (CNPD). On July 16, 2021, CNPD issued a decision about stating the online retailer is alleged to have violated the requirements of the GDPR in relation to how customers are targeted with advertising. The GDPR fine was recently disclosed by in a 10-Q filing with the Securities and Exchange Commission.

Under the GDPR, companies can be fined up to €20 million for violations of the GDPR, or 4% of global annual turnover for the previous financial year. In 2020, Amazon’s global annual revenue was €186.70 billion ($221.60 billion), so while the €746 million is considerable, it falls well short of the maximum possible financial penalty.

While financial penalties for GDPR violations have been issued when businesses experience data breaches, in this case Amazon suffered no data breach and no customer information was disclosed to any third party. The decision is based on how customers are targeted with advertising, with the company investigated following a complaint made in 2018 by French privacy rights group La Quadrature du Net over its business practices. CNPD has not released a statement about the fine to date and has not publicly disclosed exactly which aspects off the GDPR have been violated.

“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” said in a statement. “We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

If the fine is upheld, it will be the largest ever GDPR financial penalty imposed in the 3 years since the GDPR took effect. could even face a further financial penalty. Amazon has been subject to considerable antitrust scrutiny and has been investigated over its use of data from sellers on its platform and is alleged to be using those data to benefit its own retail business by unfairly promoting its own retail products over those of sellers that use the platform, which are its competitors. If the complaints are found to have merit, Amazon could be fined 10% of its annual global revenue.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: