Amazon v. CNPD (12 March 2026): Legitimate interest rejected in AdTech
Luxembourg’s Administrative Court confirms Amazon’s behavioral advertising could not rely on legitimate interest and annuls the fine in light of the CJEU’s fault requirement.
On 12 March 2026, Luxembourg’s Administrative Court confirmed that Amazon’s behavioral advertising could not rely on legitimate interest (Art. 6(1)(f) GDPR) and upheld information shortcomings. It nevertheless annulled the 2021 fine in light of CJEU case law requiring proof of fault (intent or negligence). Sources: CNPD and Luxembourg Justice.
The case
- Organization: Amazon Europe Core S.à r.l. (Luxembourg)
- Authority: National Commission for Data Protection (CNPD)
- Judgments: Administrative Tribunal (18/03/2025) and Administrative Court (12/03/2026, No. 52757C)
- CNPD measures (2021): €746m fine, compliance orders, €746,000/day penalty
- Provisions: Arts. 6, 12–17, 21 GDPR and cookies/trackers rules
The Court confirmed that legitimate interest was not a valid legal basis for the behavioral advertising at stake and that Amazon’s information practices were non‑compliant at the time, while annulling the fine due to the CJEU’s fault requirement (Dec. 2023).
Legal reasoning
1) Legal basis for behavioral advertising
- Article 6 of the GDPR (EUR‑Lex) lists lawful bases (including consent and legitimate interest). For a concise refresher, see our page on core GDPR obligations and key articles.
- EDPB guidance has long held that cross‑site tracking and profiling for ads generally require valid consent: Guidelines 05/2020 (consent) and Guidelines 8/2020 (targeting).
- Luxembourg’s Administrative Court aligns with this approach: legitimate interest was not a valid basis for Amazon’s ad processing (official note), reinforcing consent for behavioral ads involving cookies/IDs.
2) Information and data subject rights
- Arts. 12–14 GDPR require clear information on purposes and legal bases, including the interests pursued under Art. 6(1)(f). Art. 21 sets the right to object. See EUR‑Lex.
- The Court confirmed that Amazon’s information practices were not compliant at the time of the CNPD decision (CNPD release).
3) Fines and the fault requirement after the CJEU (2023–2025)
- On 5 Dec 2023 (C‑807/21 Deutsche Wohnen; C‑683/21), the CJEU rejected strict liability for GDPR fines: the authority must prove at least negligence. See the CJEU press release and EUR‑Lex C‑683/21.
- On 13 Feb 2025 (C‑383/23, ILVA), the CJEU clarified that Art. 83 caps are computed at the “undertaking” (competition law) level. See InfoCuria.
- Accordingly, the Administrative Court annulled the 2021 fine and invited the CNPD to reassess any financial penalty “in light of this case law,” notably the fault requirement (CNPD).
What changes for organizations
- AdTech and multi‑site retargeting: assume consent (Art. 6(1)(a)) for ad trackers and profiling. Legitimate interest is defensible only in narrow cases (EDPB 05/2020 and 8/2020).
- Cookie banners: avoid dark patterns, make refusal as easy as acceptance, and separate purposes (exempted analytics vs targeted advertising).
- Notices and records: align disclosures (Arts. 12–14), list recipients (adtech stack) and transfers (Arts. 44–49), and highlight the right to object (Art. 21). See our Luxembourg GDPR support for DPOs.
- Enforcement readiness: document choices (balancing tests, DPIA for large‑scale profiling). Lack of a paper trail makes negligence easier to establish (CJEU 2023).
Quick examples
- LU e‑commerce “accept‑all or nothing”: high risk. Move to a compliant CMP (granularity, symmetric refusal, consent proof).
- Luxembourg media: separate content personalization from targeted ads; do not hide ad purposes under “service improvement” via legitimate interest.
- Cross‑border mobile app: explicit in‑app consent for third‑party SDKs, easy withdrawal, updated notices.
Decision tree: legitimate interest or consent?
1) Does the purpose involve third‑party trackers/IDs to profile and target ads beyond what is strictly necessary? — Yes: seek consent first (EDPB 05/2020; 8/2020). No: go to 2.
2) Is processing strictly necessary (security, anti‑fraud, exempted audience measurement, service performance)? — Yes: legitimate interest may be viable with a documented balancing test and an effective right to object (Art. 6(1)(f), 21). No: consent required.
3) Information and proof: compliant notices (Arts. 12–14), consent/opt‑out logs? No: likely non‑compliance.
4) Fine risk: records, balancing tests, DPIA? Without them, negligence is easier to establish (CJEU 2023).
Common pitfalls
- Confusing “experience personalization” (possibly internal/necessary) with “behavioral advertising” (typically requires explicit consent). See EDPB 8/2020.
- Bundling analytics and ads under a single “marketing cookies” toggle: EDPB expects real granularity.
- Omitting the right to object (Art. 21) when relying on legitimate interest.
- Underestimating the fault requirement for fines since 2023 (C‑683/21; C‑807/21).
Further reading
Primary texts and guidance: GDPR (EUR‑Lex), EDPB 05/2020, EDPB 8/2020. For day‑to‑day implementation, consider an outsourced DPO mandate.
Luxembourg in 2026: the Amazon ruling cements a clear EU line—behavioral ads using trackers and cross‑site profiling require consent; fix your notices and log your decisions.
Luxgap regulatory expertise article.