Legitimate interest or consent? The “Amazon v. CNPD” lesson

On 12 March 2026, Luxembourg’s Administrative Court annulled the record fine imposed on Amazon, while confirming that behavioral advertising cannot rely on legitimate interest. This turning point clarifies when to choose between consent and legitimate interest. See the Ministry of Justice press release.

The case

In its judgment of 12 March 2026 (No. 52757C), the Administrative Court ruled on Amazon Europe Core S.à r.l.’s appeal against a CNPD decision that found several GDPR infringements in the context of behavioral advertising, accompanied by a penalty payment and a €746m fine. The fine was annulled for lack of sufficient characterization of fault, as required by post‑2021 EU case law. The Ministry of Justice published a summary of the ruling, and the CNPD noted that its material findings of non‑compliance (including the inadequate legal basis) were confirmed. See the official release and the CNPD information note.

In essence, the case raises a central question for data/marketing governance: can behavioral advertising rely on Article 6(1)(f) GDPR (legitimate interest), or does it require Article 6(1)(a) (consent) and strict adherence to the EDPB’s “Consent” Guidelines 05/2020? See the Guidelines 05/2020.

Legal reasoning

  • GDPR framework. Lawfulness rests on one of the Article 6(1) bases. Two options are at stake here:
    • Legitimate interest (Art. 6(1)(f)), requiring a three‑part test: a specific and real interest; necessity of the processing; and a balancing test in favor of the controller (including an effective Art. 21 opt‑out). In October 2024, the EDPB issued draft Guidelines 1/2024 detailing these conditions and recalling recent case law on necessity and proportionality. See the EDPB 1/2024 developments.
    • Consent (Art. 6(1)(a)), which must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give (Guidelines 05/2020). In practice, for behavioral advertising, this means granular choices, no dark patterns, and no gating access to non‑essential services. See the EDPB text.
  • Court and CNPD takeaways. According to the public release, the Court confirmed the unlawfulness of certain processing operations identified by the CNPD (including the inadequate legal basis), while annulling only the monetary sanction due to insufficient analysis of “fault” (intent/negligence) required by more recent EU case law to impose a fine. The CNPD stressed it had “secured compliance” through corrective measures and that its “key findings” were confirmed. Substantively, legitimate interest for large‑scale behavioral targeting fails the necessity/balancing test given the intrusiveness of profiling. See the Justice release.
  • Convergence with the CJEU. CJEU Case C‑252/21 (Meta Platforms, 4 July 2023) already set the scene: strict necessity (processing is “necessary” only if objectively indispensable) and tight controls on profiling, especially where inferences about special categories may arise (Art. 9). This makes it particularly hard to justify cross‑site/cross‑app tracking for personalized ads under legitimate interest alone. See EUR‑Lex.

What changes in practice

  • Platforms, e‑commerce, Luxembourg media: consent banners must offer granular choices per purpose, no pre‑ticked boxes, refusal as easy as acceptance, and withdrawal at any time. Advertising cookies/SDKs and any background processing may only start after valid consent. See Guidelines 05/2020. For Luxembourg‑specific practice, see our CNPD compliance overview and the GDPR reference page for article citations.
  • International groups operating in Luxembourg: privacy notices and records must precisely reflect 6(1)(a) for targeting, and 6(1)(f) only for purposes that pass the EDPB 1/2024 test (defined interest, necessity, documented balancing, effective opt‑out). See the EDPB 1/2024 draft.
  • Fine governance: the 12 March 2026 ruling is a reminder that authorities must establish fault to impose monetary sanctions. For companies, this means evidencing due diligence: necessity tests, a DPIA where applicable, balancing analyses, decision logs, and proof of privacy‑by‑default settings. See the ruling reference. To structure this work, a DPO mandate can accelerate compliance.

Quick examples

  • Cross‑site behavioral advertising: legal basis = consent (6(1)(a)); legitimate interest rejected. See the CNPD position.
  • Limited, aggregated audience measurement without matching or persistent identifiers: potentially 6(1)(f) if the EDPB 1/2024 test is met and an effective Art. 21 objection is provided. See EDPB 1/2024.
  • Security/fraud (abnormal access detection): often 6(1)(f), with demonstrable necessity and strong minimization. See the EDPB reminders.

Common pitfalls

  1. “Stacking” multiple heterogeneous purposes under a single legitimate interest. EDPB 1/2024 requires a specific interest per purpose and necessity/balancing for each, with solid documentation. See the 1/2024 draft.
  2. Triggering trackers/SDKs before collecting consent, or making refusal harder than acceptance (dark patterns, greyed options, skewed nudges). Guidelines 05/2020 prohibit this. See the Guidelines 05/2020.
  3. Confusing “information in Terms of Service” with consent. CJEU C‑252/21 confirms consent must be free and specific; blanket acceptance of ToS is insufficient for ad profiling. See Case C‑252/21.
  4. Forgetting the Art. 21 objection for legitimate interest. The opt‑out must be effective, accessible and documented; otherwise the balance tilts against the controller. EDPB 1/2024 stresses concrete balancing and effective safeguards. See EDPB 1/2024.
  5. Skipping the DPIA when profiling is “likely to result in high risk.” Without a DPIA, necessity/balancing is rarely credible for highly intrusive processing. Documentation is scrutinized in enforcement and litigation. See the EDPB lines.

In short: in light of “Amazon v. CNPD”, Luxembourg organizations should reserve legitimate interest for genuinely necessary, low‑intrusion processing and use consent for ad profiling. The key is evidence: documented tests, compliant choice interfaces, and decision governance. For practical support, reach us via the contact page.
