Irish privacy group urges DMA action against Amazon consent violations

The Irish Council for Civil Liberties (ICCL) has written to European Fee officers on July 14, 2025, demanding speedy enforcement motion towards Amazon’s consent practices that allegedly violate each the Digital Markets Act (DMA) and Common Knowledge Safety Regulation (GDPR). The letter, addressed to Dr. Filomena Chirico of DG Join and Dr. Alberto Bacchiega of DG Competitors, describes Amazon’s present knowledge discover as implementing “exactly what we warned of” of their April 2022 correspondence.

In line with the ICCL letter, Amazon at present shows a knowledge discover presenting a single “Settle for” button for customers to “proceed” with knowledge mixture and cross-use throughout its providers. The group claims this method undermines GDPR’s granular requirement that there be a lawful foundation for every processing goal. Their criticism references screenshots displaying how Amazon’s consent interface operates by a number of screens, with the info discover clarifying that info in query constitutes “private info.”

Abstract

Who: The Irish Council for Civil Liberties (ICCL), led by Dr. Johnny Ryan, Director of ICCL Implement, wrote to European Fee officers Dr. Filomena Chirico (Head of Unit, DG Join) and Dr. Alberto Bacchiega (Director for Digital Platforms, DG Competitors).

What: ICCL calls for instant enforcement motion towards Amazon’s knowledge consent practices, alleging the corporate violates each DMA Article 5(2) and a number of GDPR provisions by a single “Settle for” button that legitimizes knowledge mixture and cross-use throughout Amazon’s providers with out granular consent for every processing goal.

When: The enforcement request was submitted on July 14, 2025, following Amazon’s implementation of consent practices that ICCL claims fulfill their April 19, 2022 warning about potential DMA misuse by gatekeepers.

The place: The criticism targets Amazon’s operations throughout the European Union, the place the corporate operates as a chosen gatekeeper underneath the Digital Markets Act and should adjust to GDPR knowledge safety necessities.

Why: ICCL argues Amazon’s method undermines GDPR’s granular consent necessities and violates DMA prohibitions on knowledge mixture, creating unfair aggressive benefits whereas weakening privateness protections that ought to defend web customers and support small companies in competing with dominant platforms.

The technical implementation reveals Amazon linking the info discover to a subsequent “study extra” display that explicitly identifies the info as “private info.” Amazon’s privateness discover makes use of this time period to imply “private knowledge” underneath GDPR definitions. The “Settle for” button seeks to legitimize mixture and cross-use of non-public knowledge Amazon has collected throughout its huge conglomerate for various processing functions.

Dr. Johnny Ryan, Director of ICCL Implement, emphasizes the urgency of the scenario in saying the criticism. He states that “Amazon has carried out a consent request that does exactly what we warned of” of their earlier correspondence with competitors and knowledge safety specialists. The group’s April 19, 2022 letter had particularly warned about dangers that Article 5(2) of the DMA could possibly be misused by gatekeepers.

The ICCL’s technical evaluation identifies a number of GDPR violations in Amazon’s method. These embody Article 5(1)(a) relating to equity and transparency, Article 5(1)(b) regarding processing goal incompatibility and specificity, and Article 5(1)(c) and (e) relating to minimization and storage limitation. The group additionally cites violations of Article 8 relating to little one consent and Article 9 regarding delicate knowledge dealing with.

Past GDPR issues, the criticism alleges DMA violations underneath Article 5(b) and (c), and presumably sections (a) and (d). The group particularly targets Amazon’s person interface design, noting that the “Settle for” button seems highlighted in yellow whereas different discover parts, together with the “Decline” choice, show in commonplace black or blue. This design constitutes what ICCL characterizes as a non-neutral person interface that violates Article 13(3) of the DMA.

Amazon’s knowledge discover explicitly states the corporate at present combines and cross-uses private knowledge. The platform seeks “consent for Amazon providers to remain linked” and signifies it’ll “proceed to enhance your expertise on the Retailer utilizing your exercise on different Amazon providers.” The discover additionally guarantees to “proceed to enhance your expertise on providers supplied outdoors the Retailer with our purchasing historical past.” Customers who decline will “cease utilizing a shared understanding of your pursuits between Retailer and different Amazon providers.”

This ongoing habits instantly contradicts Article 5(2) DMA provisions. The regulation prohibits gatekeepers from processing private knowledge for internet advertising providers, combining private knowledge from core platform providers with knowledge from different providers, and cross-using private knowledge from related core platform providers in different providers supplied individually by the gatekeeper.

The enforcement request comes amid rising regulatory scrutiny of major tech platforms’ DMA compliance. The European Fee designated six firms as gatekeepers in 2023, together with Amazon, Google, Apple, Meta, Microsoft, and ByteDance. Recent enforcement actions demonstrate regulators’ willingness to impose substantial penalties, with Apple receiving €500 million and Meta €200 million in fines for DMA violations.

Amazon’s transparency initiatives beforehand included introducing pricing transparency reports for its demand-side platform in response to DMA necessities. Nonetheless, privateness advocates argue these measures fail to handle elementary consent violations within the firm’s knowledge assortment practices.

The criticism highlights broader tensions between digital market regulation and platform business models. Meta lately appealed a Fee determination requiring the corporate to supply much less customized promoting with out fee choices, whereas other platforms have implemented enhanced data portability measures to exhibit compliance.

Trade observers be aware the importance of ICCL’s intervention within the Amazon case. European data protection authorities have been developing standardized enforcement procedures, with German authorities establishing unified wonderful procedures underneath GDPR in June 2025. The Amazon criticism represents a check case for the way successfully the DMA can forestall gatekeepers from undermining present knowledge safety frameworks.

The Fee faces stress to exhibit DMA effectiveness by enforcement actions. In line with the ICCL letter, Amazon’s method demonstrates how dominant companies can use the DMA “to undermine GDPR protections that ought to be a defend for web customers and an support to small enterprise.” The group’s warning from April 2022 particularly anticipated that gatekeepers would declare they’ll mix and cross-use all knowledge when customers present “one single all-encompassing consent.”

Cross-regulatory cooperation initiatives between the European Knowledge Safety Board and Fee officers might affect how authorities tackle the Amazon case. The EDPB has established devoted subgroups centered on clarifying interaction between GDPR and newer digital laws, together with the DMA and EU Synthetic Intelligence Act.

Current courtroom choices have added complexity to enforcement landscapes. German courts ruled that Meta’s AI training practices using public data do not violate DMA data combination prohibitions, creating potential precedents for the way knowledge processing functions have an effect on regulatory interpretation.

For the advertising group, Amazon’s case represents broader questions on how platforms can legally accumulate and make the most of knowledge throughout providers. Publishers and advertisers have increasingly demanded transparency in programmatic promoting relationships, with Amazon’s DSP offering detailed breakdowns of writer earnings, supply-side charges, and whole advertiser prices.

The end result of ICCL’s enforcement request might set up essential precedents for the way DMA provisions work together with present GDPR necessities. European regulators should stability platform innovation with person privateness protections whereas guaranteeing smaller companies can compete successfully in digital markets.

Privateness advocates argue that permitting Amazon’s present practices to proceed would undermine the DMA’s elementary objectives of truthful competitors and person safety. The case highlights ongoing challenges in implementing significant consent necessities when dominant platforms management each the selection structure and the underlying infrastructure customers rely upon.

Key Phrases Defined

Digital Markets Act (DMA): European Union regulation that entered drive in November 2022, concentrating on massive on-line platforms designated as “gatekeepers” because of their market dominance. The DMA requires these platforms to adjust to particular obligations designed to stop unfair enterprise practices, promote interoperability, and guarantee truthful competitors. For entrepreneurs, the DMA represents a elementary shift in how main platforms function, doubtlessly affecting promoting concentrating on, knowledge sharing capabilities, and cross-platform integration methods.

Gatekeeper: Official designation underneath the DMA for giant digital platforms that meet particular quantitative thresholds, together with annual EU turnover exceeding €7.5 billion or market capitalization above €75 billion, plus controlling essential gateways between enterprise customers and shoppers. Presently six firms maintain this designation: Amazon, Google, Apple, Meta, Microsoft, and ByteDance. Gatekeepers face strict compliance obligations that instantly impression their promoting and knowledge processing capabilities.

Cross-platform knowledge mixture: The follow of merging private knowledge collected from completely different digital providers or platforms owned by the identical firm to create complete person profiles. Underneath DMA Article 5(2), gatekeepers can’t mix private knowledge from core platform providers with knowledge from different providers with out specific person consent. This restriction considerably impacts how platforms can construct viewers segments and ship focused promoting throughout their ecosystem.

Granular consent: GDPR requirement that customers should present separate, particular consent for every distinct knowledge processing goal somewhat than blanket approval for all actions. This precept means firms can’t use a single consent mechanism to authorize a number of completely different makes use of of non-public knowledge. For advertising groups, granular consent necessitates extra advanced consent administration methods and will cut back the scope of information obtainable for promoting personalization.

Core platform providers: Particular digital providers recognized by the DMA that function essential gateways for enterprise customers to achieve finish customers, together with on-line engines like google, social networking providers, video-sharing platforms, messaging providers, and internet advertising providers. Restrictions on these providers instantly have an effect on how entrepreneurs can entry audiences and measure marketing campaign efficiency throughout completely different platforms.

Knowledge portability: DMA requirement that customers can simply switch their knowledge between completely different platforms and providers, breaking vendor lock-in results. This obligation permits customers to maneuver their info, together with promoting preferences and interplay historical past, to competing platforms. For entrepreneurs, enhanced knowledge portability might enhance platform switching and require extra refined cross-platform attribution methods.

Non-neutral person interface: Interface design that unfairly influences person selections by visible emphasis, placement, or different design parts that favor sure choices over others. The DMA prohibits gatekeepers from utilizing such designs to subvert person autonomy in making selections about knowledge processing or service choice. Advertising groups should guarantee their consent interfaces and selection architectures adjust to neutrality necessities.

Self-preferencing: Follow the place platforms give preferential therapy to their very own providers, merchandise, or content material over opponents’ choices in search outcomes, suggestions, or different discovery mechanisms. DMA Article 6(5) particularly prohibits this habits for designated gatekeepers. The restriction impacts how platforms can promote their promoting merchandise and will create new alternatives for third-party advertising providers.

Programmatic promoting: Automated shopping for and promoting of digital promoting house utilizing real-time bidding methods and algorithmic decision-making. DMA compliance impacts programmatic promoting by restrictions on knowledge sharing between platform providers and necessities for pricing transparency. These adjustments might alter bidding methods, viewers concentrating on capabilities, and marketing campaign optimization approaches.

Provide-side platform (SSP): Expertise platforms that assist publishers promote their promoting stock to advertisers by automated auctions. DMA transparency necessities mandate detailed reporting of SSP charges and income distribution, affecting how publishers and advertisers consider programmatic promoting relationships. Understanding SSP operations turns into essential for entrepreneurs in search of to optimize their media shopping for methods underneath new transparency requirements.

Timeline