Irish privacy group urges DMA action against Amazon consent violations

The Irish Council for Civil Liberties (ICCL) has written to European Commission officials on July 14, 2025, demanding rapid enforcement action against Amazon's consent practices that allegedly violate both the Digital Markets Act (DMA) and General Data Protection Regulation (GDPR). The letter, addressed to Dr. Filomena Chirico of DG Connect and Dr. Alberto Bacchiega of DG Competition, describes Amazon's current data notice as implementing "precisely what we warned of" in their April 2022 correspondence.

According to the ICCL letter, Amazon currently displays a data notice presenting a single "Accept" button for users to "continue" with data combination and cross-use across its services. The organization claims this approach undermines GDPR's granular requirement that there be a lawful basis for each processing purpose. Their complaint references screenshots showing how Amazon's consent interface operates through multiple screens, with the data notice clarifying that information in question constitutes "personal information."

Summary

Who: The Irish Council for Civil Liberties (ICCL), led by Dr. Johnny Ryan, Director of ICCL Enforce, wrote to European Commission officials Dr. Filomena Chirico (Head of Unit, DG Connect) and Dr. Alberto Bacchiega (Director for Digital Platforms, DG Competition).

What: ICCL demands immediate enforcement action against Amazon's data consent practices, alleging the company violates both DMA Article 5(2) and multiple GDPR provisions through a single "Accept" button that legitimizes data combination and cross-use across Amazon's services without granular consent for each processing purpose.

When: The enforcement request was submitted on July 14, 2025, following Amazon's implementation of consent practices that ICCL claims fulfill their April 19, 2022 warning about potential DMA misuse by gatekeepers.

Where: The complaint targets Amazon's operations across the European Union, where the company operates as a designated gatekeeper under the Digital Markets Act and must comply with GDPR data protection requirements.

Why: ICCL argues Amazon's approach undermines GDPR's granular consent requirements and violates DMA prohibitions on data combination, creating unfair competitive advantages while weakening privacy protections that should shield internet users and aid small businesses in competing with dominant platforms.

The technical implementation shows Amazon linking the data notice to a subsequent "learn more" screen that explicitly identifies the data as "personal information." Amazon's privacy notice uses this term to mean "personal data" under GDPR definitions. The "Accept" button seeks to legitimize combination and cross-use of personal data Amazon has collected across its vast conglomerate for diverse processing purposes.

Dr. Johnny Ryan, Director of ICCL Enforce, emphasizes the urgency of the situation in announcing the complaint. He states that "Amazon has implemented a consent request that does precisely what we warned of" in their previous correspondence with competition and data protection experts. The organization's April 19, 2022 letter had specifically warned about risks that Article 5(2) of the DMA could be misused by gatekeepers.

The ICCL's technical analysis identifies multiple GDPR violations in Amazon's approach. These include Article 5(1)(a) regarding fairness and transparency, Article 5(1)(b) concerning processing purpose incompatibility and specificity, and Article 5(1)(c) and (e) regarding minimization and storage limitation. The organization also cites violations of Article 8 regarding child consent and Article 9 concerning sensitive data handling.

Beyond GDPR concerns, the complaint alleges DMA violations under Article 5(b) and (c), and presumably sections (a) and (d). The organization specifically targets Amazon's user interface design, noting that the "Accept" button appears highlighted in yellow while other notice elements, including the "Decline" option, display in standard black or blue. This design constitutes what ICCL characterizes as a non-neutral user interface that violates Article 13(3) of the DMA.

Amazon's data notice explicitly states the company currently combines and cross-uses personal data. The platform seeks "consent for Amazon services to stay connected" and indicates it will "continue to improve your experience on the Store using your activity on other Amazon services." The notice also promises to "continue to improve your experience on services provided outside the Store with our shopping history." Users who decline will "stop using a shared understanding of your interests between Store and other Amazon services."

This ongoing behavior directly contradicts Article 5(2) DMA provisions. The regulation prohibits gatekeepers from processing personal data for online advertising services, combining personal data from core platform services with data from other services, and cross-using personal data from relevant core platform services in other services provided separately by the gatekeeper.

The enforcement request comes amid growing regulatory scrutiny of major tech platforms' DMA compliance. The European Commission designated six companies as gatekeepers in 2023, including Amazon, Google, Apple, Meta, Microsoft, and ByteDance. Recent enforcement actions demonstrate regulators' willingness to impose substantial penalties, with Apple receiving €500 million and Meta €200 million in fines for DMA violations.

Amazon's transparency initiatives previously included introducing pricing transparency reports for its demand-side platform in response to DMA requirements. However, privacy advocates argue these measures fail to address fundamental consent violations in the company's data collection practices.

The complaint highlights broader tensions between digital market regulation and platform business models. Meta recently appealed a Commission decision requiring the company to offer less personalized advertising without payment options, while other platforms have implemented enhanced data portability measures to demonstrate compliance.

Industry observers note the significance of ICCL's intervention in the Amazon case. European data protection authorities have been developing standardized enforcement procedures, with German authorities establishing unified fine procedures under GDPR in June 2025. The Amazon complaint represents a test case for how effectively the DMA can prevent gatekeepers from undermining existing data protection frameworks.

The Commission faces pressure to demonstrate DMA effectiveness through enforcement actions. According to the ICCL letter, Amazon's approach demonstrates how dominant firms can use the DMA "to undermine GDPR protections that should be a shield for internet users and an aid to small business." The organization's warning from April 2022 specifically anticipated that gatekeepers would claim they can combine and cross-use all data when users provide "one single all-encompassing consent."

Cross-regulatory cooperation initiatives between the European Data Protection Board and Commission officials may influence how authorities address the Amazon case. The EDPB has established dedicated subgroups focused on clarifying interplay between GDPR and newer digital regulations, including the DMA and EU Artificial Intelligence Act.

Recent court decisions have added complexity to enforcement landscapes. German courts ruled that Meta's AI training practices using public data do not violate DMA data combination prohibitions, creating potential precedents for how data processing purposes affect regulatory interpretation.

For the marketing community, Amazon's case represents broader questions about how platforms can legally collect and utilize data across services. Publishers and advertisers have increasingly demanded transparency in programmatic advertising relationships, with Amazon's DSP providing detailed breakdowns of publisher earnings, supply-side fees, and total advertiser costs.

The outcome of ICCL's enforcement request may establish important precedents for how DMA provisions interact with existing GDPR requirements. European regulators must balance platform innovation with user privacy protections while ensuring smaller businesses can compete effectively in digital markets.

Privacy advocates argue that allowing Amazon's current practices to continue would undermine the DMA's fundamental goals of fair competition and user protection. The case highlights ongoing challenges in enforcing meaningful consent requirements when dominant platforms control both the choice architecture and the underlying infrastructure users depend on.

Key Terms Explained

Digital Markets Act (DMA): European Union regulation that entered force in November 2022, targeting large online platforms designated as "gatekeepers" due to their market dominance. The DMA requires these platforms to comply with specific obligations designed to prevent unfair business practices, promote interoperability, and ensure fair competition. For marketers, the DMA represents a fundamental shift in how major platforms operate, potentially affecting advertising targeting, data sharing capabilities, and cross-platform integration strategies.

Gatekeeper: Official designation under the DMA for large digital platforms that meet specific quantitative thresholds, including annual EU turnover exceeding €7.5 billion or market capitalization above €75 billion, plus controlling important gateways between business users and consumers. Currently six companies hold this designation: Amazon, Google, Apple, Meta, Microsoft, and ByteDance. Gatekeepers face strict compliance obligations that directly impact their advertising and data processing capabilities.

Cross-platform data combination: The practice of merging personal data collected from different digital services or platforms owned by the same company to create comprehensive user profiles. Under DMA Article 5(2), gatekeepers cannot combine personal data from core platform services with data from other services without explicit user consent. This restriction significantly affects how platforms can build audience segments and deliver targeted advertising across their ecosystem.

Granular consent: GDPR requirement that users must provide separate, specific consent for each distinct data processing purpose rather than blanket approval for all activities. This principle means companies cannot use a single consent mechanism to authorize multiple different uses of personal data. For marketing teams, granular consent necessitates more complex consent management systems and may reduce the scope of data available for advertising personalization.

Core platform services: Specific digital services identified by the DMA that serve as important gateways for business users to reach end users, including online search engines, social networking services, video-sharing platforms, messaging services, and online advertising services. Restrictions on these services directly affect how marketers can access audiences and measure campaign performance across different platforms.

Data portability: DMA requirement that users can easily transfer their data between different platforms and services, breaking vendor lock-in effects. This obligation allows users to move their information, including advertising preferences and interaction history, to competing platforms. For marketers, enhanced data portability may increase platform switching and require more sophisticated cross-platform attribution strategies.

Non-neutral user interface: Interface design that unfairly influences user choices through visual emphasis, placement, or other design elements that favor certain options over others. The DMA prohibits gatekeepers from using such designs to subvert user autonomy in making choices about data processing or service selection. Marketing teams must ensure their consent interfaces and choice architectures comply with neutrality requirements.

Self-preferencing: Practice where platforms give preferential treatment to their own services, products, or content over competitors' offerings in search results, recommendations, or other discovery mechanisms. DMA Article 6(5) specifically prohibits this behavior for designated gatekeepers. The restriction affects how platforms can promote their advertising products and may create new opportunities for third-party marketing services.

Programmatic advertising: Automated buying and selling of digital advertising space using real-time bidding systems and algorithmic decision-making. DMA compliance affects programmatic advertising through restrictions on data sharing between platform services and requirements for pricing transparency. These changes may alter bidding strategies, audience targeting capabilities, and campaign optimization approaches.

Supply-side platform (SSP): Technology platforms that help publishers sell their advertising inventory to advertisers through automated auctions. DMA transparency requirements mandate detailed reporting of SSP fees and revenue distribution, affecting how publishers and advertisers evaluate programmatic advertising relationships. Understanding SSP operations becomes crucial for marketers seeking to optimize their media buying strategies under new transparency standards.

Timeline

• April 19, 2022: ICCL writes to European Commission warning about DMA Article 5(2) risks
• May 4, 2022: Commission responds acknowledging granular consent requirements under GDPR Article 5(1)(b)
• September 2023: European Commission designates Amazon as DMA gatekeeper
• March 2024: Amazon introduces pricing transparency reports for DSP 
• April 2025: Commission imposes €700 million in DMA fines on Apple and Meta
• June 2025: German authorities establish unified GDPR fine procedures
• July 2025: Travel industry calls for stricter Google DMA enforcement
• July 14, 2025: ICCL writes to Commission demanding rapid DMA enforcement against Amazon