Criteo Expects Sanction For Undisclosed GDPR Violation

France’s data protection regulator, the CNIL, just hit Criteo with some not-so-très-bien news.

The CNIL is planning to recommend a fine of $65 million against Criteo for alleged GDPR violations, the company announced in an SEC filing on Friday.

The filing is very thin on detail. For example, it’s not even clear what practice or data use Criteo is being dinged for.

In the filing, Criteo said it was made aware of the news by the rapporteur assigned to this investigation. A rapporteur isn’t the antitrust enforcer investigating the charges, but rather an EU appointee elected by fellow members of parliament to record and draft a report about legislative proceedings for a regulator or other EU administrator.

Once the charge becomes public, it will be submitted to a body of EU data protection authorities before the sanction is confirmed.

The soonest Criteo expects to face an actual potential penalty is mid-2023.

If that sounds slow-moving, consider that the original legal complaint that triggered this investigation was first submitted to the CNIL in November 2018 by an advocacy group called Privacy International. That complaint alleged that much of the programmatic and third-party data marketplace was in violation of GDPR. Criteo, Tapad, Quantcast, Acxiom, Experian, Equifax and Oracle were all named in the 2018 filing, though the CNIL’s investigation of Criteo only began in 2020.

The air of secrecy may be frustrating, though it’s not surprising or out of character for European regulators.

Criteo has also said it will not discuss the issue any further until the proceedings are resolved, beyond a statement from Ryan Damon, the company’s chief legal officer.

“We find the merits of this report to be fundamentally flawed, and the proposed sanctions to be incommensurate with the alleged non-compliant actions,” Damon said in the filing.

Tough times

Ad tech has been under the microscope ever since GDPR hit the scene in 2018.

Earlier this year, the Belgian data regulator issued an edict that IAB Europe’s Transparency & Consent Framework was illegal in its current form under GDPR. (IAB Europe was able to give its members a heads up two months before the news was officially announced.)

But a heads up isn’t always enough to save companies from the fallout that follows a regulatory pronouncement, even if they’re given time to try and cure the problem before details are shared publicly.

All a regulator has to do is say “boo” for a company in its crosshairs to get put through the wringer.

In 2018, the CNIL brought a number of cases against tech companies big and small, and released a bunch of reports regarding investigations before those investigations were resolved. In many instances, there was no penalty issued, because the company was able to remedy the violation, demonstrate a good-faith effort to comply and avoid a sanction.

But the news of a CNIL investigation alone, regardless of the outcome, is enough to freak out a company’s customers and put the stopper on new business.

The CEO of Fidzup, a French location data startup, penned a Medium post in 2020 condemning the CNIL for the death of his company, which never recovered after the CNIL announced an investigation, despite the company never being sanctioned. Teemo, another French data startup, was bought by a Singaporean company and rebranded because it couldn’t recover either.

These days, the CNIL is more mindful of how its announcements play to the public and the effect they have on the business community.

Criteo is mindful of how the news will play as well.

The rapporteur in this case updated the company on August 3. One day later, Criteo reported its Q2 earnings. Criteo had a decent quarter, and that news was allowed to sit for a minute before Criteo filed an update to the SEC on its pending CNIL sanction today.

On the topic of Criteo’s earnings, the company made $18 million in profit in Q2 2022 – just to give you a sense of how much a $65 million fine would hurt if it’s eventually levied.
