In 2025, the data protection enforcement landscape continues to evolve rapidly. EU authorities imposed €1.2 billion in GDPR fines from January 2024 to January 2025, a 33% decrease from the previous year's €1.78 billion. The cumulative total of GDPR fines reached €5.88 billion by early 2025. Potential penalties for non-compliance remain substantial: up to €20 million or 4% of a company's global revenue, whichever is higher. A landmark European Court of Justice ruling from February 2025 clarified that fines can be calculated based on the entire corporate group's worldwide annual turnover, not just that of the subsidiary involved, significantly raising the stakes.


Mismanagement of downstream customer data risks hefty fines
E-commerce firms face heightened vulnerability to data-protection fines amid tightening and diverse regulations globally
Value chain: downstream
Consumer durables retail
Publication date: 16 Mar 2025
By Melanie Kramer
AT A GLANCE
Global variation in data protection laws adds compliance challenges for e-commerce firms within consumer durables retail.
With vast access to downstream consumer data, firms lacking strong governance frameworks face significant risks.
Industry best practices include maintaining transparency, securing explicit user consent and implementing stringent data security measures.
Data risks in e-commerce
Recent enforcement actions highlight e-commerce firms' vulnerability. Amazon's appeal against its €746 million fine, which focused on ad targeting practices lacking transparency and consent, was unsuccessful. LinkedIn faced a €310 million fine, and Meta received a €251 million penalty in 2024. These actions underscore the risks associated with data handling practices in e-commerce.
Alibaba's challenges
Alibaba faces unique challenges due to cross-border data transfer concerns. During the Paris 2024 Olympics preparations, French authorities expressed concerns about Alibaba's cloud services hosting sensitive data, fearing Chinese government access. Despite Alibaba's GDPR compliance commitment, international retailers face growing scrutiny over data handling practices across diverse regulatory regions.

Financial risks
The February 2025 ECJ ruling (C-383/23) has significant financial implications for retail conglomerates. The court clarified that group-wide turnover can determine maximum fines, which should be "effective, proportionate and dissuasive" based on the overall undertaking's economic position. For multinational retailers like Walmart, Home Depot, and IKEA, potential fines could be based on global operations, not just European subsidiaries. This ruling stemmed from a case involving furniture retailer ILVA, where the Danish Data Protection Agency proposed a fine based on the entire Lars Larsen Group's turnover.

Balancing data and privacy
E-commerce firms face the challenge of balancing data utilisation and privacy protection. Recent research from Alibaba.com shows that 59% of UK SMEs consider digital sourcing more important now than a year ago, increasing the volume of consumer data collected. The European Sustainability Reporting Standards (ESRS), particularly ESRS S7, require detailed disclosures on consumers' data privacy impacts, creating new obligations for retailers. Recent GDPR enforcement actions target manipulative cookie banners and unclear privacy notices, emphasizing the need for vigilance in data handling practices.
FURTHER READING
- Complete guide to GDPR (European Union)
- European Sustainability Reporting Standard S7 Consumers & End-users Standard (EFRAG)
- Global data protection regulations (PWC)
