Italy’s Competition Authority (AGCM) has imposed a €4 million fine on Poste Italiane for what it deemed an unfair and aggressive commercial practice related to the data access permissions required to use the BancoPosta and PostePay mobile applications on Android devices.
According to the official decision published in the AGCM’s Weekly Bulletin, Poste made the functionality of these financial apps conditional on the user’s authorization to access sensitive data stored on their smartphones. Users who refused access were met with warnings that they had only three remaining logins before being permanently blocked from the apps.
The message presented to Android users read:
“Protect your device. In order to prevent potential fraud, Poste Italiane introduces a new security feature. The feature is mandatory, activate it immediately. In the absence of such authorization, you have a maximum number of 3 accesses after which you will no longer be able to access and operate the App.”
The AGCM found that the practice began in April 2024 and violated Articles 20, 24, and 25 of the Consumer Code, which prohibit aggressive commercial conduct and require a standard of professional diligence in business-to-consumer relationships. The Authority noted that the conduct was especially problematic due to the information asymmetry between financial institutions and their clients, who may feel compelled to accept such conditions without fully understanding the implications for their personal data.
The investigation was triggered by consumer reports, and the Authority determined that the rationale offered by Poste, namely detecting potential spyware and preventing fraud, was not sufficient to warrant the invasive nature of the data collection. The AGCM also underlined that less intrusive technical solutions were available and that Poste itself had already planned to discontinue the practice in February 2025, reinforcing the conclusion that the measure was disproportionate.
Consumer associations, including the National Union of Consumers, welcomed the decision. Meanwhile, Poste Italiane has announced its intention to appeal the fine before the Regional Administrative Court (TAR).
This case highlights the growing scrutiny of how digital platforms, particularly those tied to essential financial services, balance cybersecurity measures with data protection and consumer rights. It also reinforces regulators’ willingness to penalize large institutions for aggressive consent practices — particularly when they affect access to fundamental services like banking.