Looking Back at H&M’s Big GDPR Fine and What Retailers Still Haven’t Learned About Data Privacy

Before we know it, it will have been 5 years since H&M’s €35.3 million GDPR fine rocked the retail industry, and you’d expect most major brands to have learned the lesson by now: data privacy isn’t optional, it’s operational. Yet as enforcement ramps up across both the EU and the U.S., companies continue making the same costly mistakes, and unless they automate their privacy compliance with software tools like the ones built by Captain Compliance, we can expect these fines to continue.

Let’s rewind to the landmark 2020 H&M case and examine why today’s retailers are still getting privacy wrong, and how to fix it before regulators and litigators come knocking.

The 2020 H&M GDPR Fine: A Cautionary Tale

In October 2020, Germany’s data protection authority in Hamburg imposed a record-breaking fine of €35.3 million (roughly $41 million) on fashion giant H&M. The offense? Unlawful employee surveillance.

The company had been systematically recording sensitive details about employee health, family issues, religious beliefs, and vacation experiences, and storing that information in a centralized database accessible by multiple managers.

This wasn’t a case of customer data misuse. This was a clear violation of employee data protection rights under Article 5 and Article 6 of the GDPR:

  • No lawful basis for processing sensitive data
  • Excessive retention without necessity
  • Lack of transparency to data subjects (employees)

The takeaway? GDPR isn’t just about cookie banners and marketing consent. It governs internal HR practices, surveillance policies, and workplace technology.

Fast Forward: U.S. Retailers Are Now in the Crosshairs

Though the H&M case drew global attention, American retailers largely viewed GDPR as “Europe’s problem.” That mindset has shifted dramatically in 2024 and 2025, thanks to a wave of state-level enforcement and emerging privacy litigation under CIPA, CCPA, CPRA, and biometric laws.

Todd Snyder (California, 2025)

In early 2025, New York-based menswear brand Todd Snyder was hit with an enforcement action by California’s Attorney General for non-compliant tracking practices on its eCommerce site.

The AG’s findings included:

  • Use of session replay tools without valid consent
  • Failure to provide “Do Not Sell or Share” links for third-party advertising
  • Lack of transparency in cookie and pixel disclosures
  • No documented user rights request workflow

While the financial penalty was undisclosed, sources familiar with the case suggest it was in the low seven figures, and included mandatory remediation and quarterly audits.

More importantly, Todd Snyder is just the latest in a series of enforcement actions targeting retailers for behind-the-scenes data collection and inadequate consumer rights disclosures. The CPPA also fined Honda Motors $632,500 earlier this year over privacy violations, and small businesses are hit with arbitration demands over privacy violations from the Swigart Law Firm on a weekly basis.

Other Notable Retailer Fines

  • Sephora USA (2022) – Fined $1.2 million under the California Consumer Privacy Act (CCPA) for failing to honor “Do Not Sell” requests and improperly sharing customer data with adtech vendors.
  • Clearview AI (2022) – Though not a retailer, Clearview’s $20 million fine under GDPR for biometric scraping foreshadowed stricter regulation of face-based tracking—a growing concern in retail surveillance and smart fitting rooms.
  • Notebooksbilliger.de (2021, Germany) – Fined €10.4 million for video monitoring employees without a proper legal basis, echoing the H&M case and further underlining that employee privacy is in scope: you are responsible not just for consumer data but for your internal team’s data as well.

Broken Data Governance in Retail Is an Emerging Pattern

Retailers today collect more data than ever across physical stores, websites, loyalty programs, apps, and wearables. But most still lack:

  • Centralized data inventories
  • Clear legal basis for each processing activity
  • Internal data minimization protocols
  • Responsive consumer rights request systems
  • Employee data policies that reflect privacy law

As a result, they’re exposed on all fronts: marketing consent, third-party tracking, internal surveillance, and inadequate vendor contracts.

What Retailers Need to Do Now

To stay ahead of regulators (and consumer lawsuits), privacy teams and general counsel should prioritize:

1. Internal Data Audits

Start with a map of all data flows, both customer-facing and employee-facing. Identify the legal basis for each and assess whether consent is valid, explicit, and documented.

2. Employee Data Governance

If you’re collecting employee wellness information, performance data, or surveillance footage, you must have clear justification, retention limits, and employee notice mechanisms.

3. Cookie Consent and Tracking Disclosure

Don’t wait for an enforcement letter. Implement a fully compliant Captain Compliance cookie consent banner, ensure consent is granular and opt-in, and disclose all third-party trackers in your privacy policy and cookie table (we have an automated solution for this; just ask).

4. Data Subject and Consumer Rights Workflows

Can a user request access to their data? Delete it? Opt out of sale or sharing? If you can’t answer these in real time, you’re out of step with CPRA and GDPR alike. Check out the world’s best Data Subject Access Request software solution and integrate end-to-end functionality to avoid future headaches.

5. Vendor and AdTech Contracts

Review third-party scripts and plugins, especially marketing tools. Many retailers are unaware that using behavioral analytics or personalized ad pixels without proper safeguards qualifies as “selling” data under state laws. CCPA is now going to be interpreted to say that exfiltration via a Meta Pixel running on a site triggers a private right of action.

Captain Compliance: Your Privacy Partner in Retail Risk Reduction

At Captain Compliance, we specialize in helping retailers modernize their privacy operations:

  • Automated cookie consent systems tailored for GDPR, CPRA, and emerging U.S. laws
  • Hosted privacy policies and terms that dynamically update with jurisdictional requirements
  • Employee data risk assessments to help avoid an H&M-style scandal
  • Consent Management and opt-out infrastructure that scales with your eCommerce stack
  • Ongoing monitoring to flag new legal exposure points

Whether you’re a global apparel brand or a fast-growing direct-to-consumer startup, we make compliance manageable without slowing down the business.

Retailers can’t afford to treat privacy like a checkbox. As the H&M and Todd Snyder cases prove, privacy violations don’t just damage trust—they come with fines, audits, and long-term risk.

The new retail reality? Privacy is part of the brand experience. Those who get it right will win not only in court but in the hearts of customers.
