Top Privacy Red Flags: Christmas Edition

Every December, we all settle in with mince pies, twinkly lights, and the same festive films and traditions we’ve always loved.

But once you work in privacy, you can’t help noticing that… well… a lot of Christmas lore would give a real-world organisation an absolutely terrible audit score.

We promise we’re not here to ruin anyone’s Christmas, but we’ve taken a look at the moments where festive joy meets questionable governance — with love, not judgement.

Because even Christmas magic could use a DPO.


Santa’s Naughty or Nice List - The Original Algorithm With Zero Governance

The Naughty or Nice List is iconic. It’s been running for centuries. It’s also, if we’re honest, the most ambitious data project in history.

Santa tracks the behaviour of every child on Earth, all year, with absolutely no transparency and a review process that appears to be… festive vibes only.

Wonderful tradition, but probably not audit-ready.

Red flags:

  • Invisible, large-scale profiling - To be fair, we are told in multiple songs and films that we’re being tracked all year round, but that’s probably not how we’d recommend notifying people about data collection.
  • Automated decision-making with zero safeguards - You’re either “naughty” or “nice”, with no explanation and no chance to appeal. That feels naughty to us…
  • Unclear retention - The list seems to stretch back a few hundred years. Impressive, but not exactly a necessary retention period.

A festive classic, but if Santa ever needed a DPO (which he definitely does!), this would be item number one on their to-do list.


Elf - Big Energy, No Access Controls

In Elf, Buddy ends up working in a publishing company’s mailroom. He isn’t staff and has had no training, yet he ends up with full access to everything in it.

“Sorting the mail” soon leads to questionable handling practices, and a level of enthusiasm no data protection policy has ever accounted for.


Image: Elf (2003)

Red flags:

  • No onboarding - Buddy isn’t employed, but is somehow put straight to work in a room full of potentially personal and sensitive information.
  • Unrestricted access - He’s surrounded by mail that could contain anything from home addresses to private correspondence, with zero guidance.
  • Chaos as a service - The mailroom slips into a level of chaos where any hope of structured data handling is long gone.

Buddy brings the vibes, but as a mailroom compliance hire? Hard pass.


The Santa Clause - Festive Magic, Questionable Contracting

In The Santa Clause, Scott Calvin becomes Santa because he… puts on a coat.

That’s it. One wardrobe malfunction later and he’s suddenly responsible for Christmas, global logistics, and what is essentially the world’s biggest CRM for children.


Image: The Santa Clause (1994)

Red flags:

  • Unclear terms & forced opt-in - The contract only appears in microscopic print after he’s already activated it.
  • No informed consent - No one explains the job, the risks, or the data he’s now responsible for.
  • Biometric data processing - The physical transformation kicks in automatically, with no discussion, no notice and definitely no DPIA.

Magical? Yes. Compliant? We don’t love it.


Elf on the Shelf - Behaviour Tracking, But Make It Festive


Elf on the Shelf has become a December staple: a tiny elf appears, keeps an eye on the household, and feeds daily updates to the North Pole. Harmless in practice, but in governance terms, it raises an eyebrow or two.


Red flags:

  • Daily monitoring with no transparency - Kids are watched around the clock, but no one’s ever received anything resembling a privacy notice.
  • Unclear controller - Is the elf responsible? The parents? Santa? The North Pole? Hard to say, and none of them have documented it.
  • High-risk behavioural surveillance - Tracking, reporting, and influencing behaviour… all without safeguards, boundaries, or accountability.

If this were a workplace monitoring tool, it wouldn’t make it past the first meeting.


The Grinch - Unauthorised Sentiment Analysis From Mount Crumpit


Next up in the “informal Christmas surveillance” category: The Grinch.

He monitors an entire town’s behaviour from his mountain outpost, purely out of personal interest and with absolutely no transparency.


Image: The Grinch (2000)

Red flags:

  • Unannounced observation - From Mount Crumpit, the Grinch keeps a very close eye on Whoville’s activities with no transparency whatsoever.
  • Informal mood tracking - He monitors how happy (or noisy) the Whos are with no lawful basis, just strong personal motivation.
  • Behavioural insights with no safeguards - His entire plan hinges on monitoring routines, patterns, and emotional responses - all undocumented and entirely unregulated.

It works for a Christmas saboteur, but we’re not so sure the lack of transparency would fly anywhere else.


Arthur Christmas - A Tech Upgrade Without the Safeguards

Arthur Christmas gives us Santa powered by big tech. It’s slick, fast, and wildly data-heavy. And the privacy foundations are, shall we say, festive rather than formal.

We’ve got heat mapping, behaviour tracking, and absolutely no sign of a lawful basis.


Image: Arthur Christmas (2011)

Red flags:

  • Excessive data collection - The S-1 gathers detailed behavioural and location data on millions of children, with absolutely no clear lawful basis beyond “it helps us deliver faster”.
  • Lack of transparency - Families have no idea this level of monitoring is happening. There’s not a single privacy notice in sight.
  • No DPIA - Global, real-time monitoring of children feels like a moment to complete some paperwork. The elves, however, seem unconcerned.

Impressive tech, but as a privacy framework, it needs more than Christmas spirit to hold it together.


And to round it off… The Twelve Days of Christmas - Proportionate Response? Never Heard of It

The Twelve Days of Christmas is a classic, but when you look at it through a privacy lens, the whole thing reads like a wildly over-enthusiastic subscription service.

Daily gifts, increasing volume, no warning, no opt-out and no unsubscribe link.

It’s generous, yes, but it reads like a consent model that accidentally unlocked twelve days of continuous processing.

Red flags:

  • Excessive, unnecessary gifts - Twelve straight days of escalating presents feels less like thoughtful gifting and more like a purpose limitation failure in festive form.
  • No opt-out mechanism - Once the deliveries begin, they don’t stop. There’s no way to pause, refuse, or even question why you suddenly have a house full of birds.
  • Disproportionate response - A single gift aligns with what a recipient might expect; a parade of performers and livestock does not. This has got to be well outside the boundaries of reasonable, proportionate processing.

The lack of transparency, choice, and proportion here would raise eyebrows anywhere outside a Christmas playlist.


A Little Holiday Perspective

If the Elf on the Shelf has caught you working from the sofa, or watched you join the universal club of “people who’ve emailed the wrong person”, we wouldn’t panic.

Compared to Santa’s year-long profiling, these slip-ups barely register. Your stocking should remain coal-free.

Just try not to leave out too many cookies for Santa this year; he’s famously terrible at data minimisation.