Criteo Hit With $44 Million Fine for GDPR Violations

Advertising powerhouse Criteo has found itself in GDPR hot waters with a massive fine of $44 million for breaching GDPR rules. The French privacy watchdog, Commission nationale de l’informatique et des libertés (CNIL), found Criteo had failed to obtain people's consent before collecting their data for ad targeting purposes, and had also neglected to provide sufficient information and transparency while respecting individuals' rights. The substantial fine serves as a reminder of the importance of complying with GDPR requirements and handling personal data responsibly while underscoring the commitment of regulators to ensuring transparency in data processing practices. “They didn’t say that targeted advertising was forbidden, but that people have to be told and given a choice about it,” said Mathieu Roche, co-founder and CEO of ID5. “This is how the industry had organized itself, with the TCF in particular.” What are the violations? The CNIL found Criteo in violation of five infringements of the GDPR. These include a failure to demonstrate that people gave their consent for targeted ads. The law states that the Criteo tracker (cookie) used for targeted ads cannot be placed on the user’s terminal without their consent. Further, the ad tech giant failed to divulge all the ways it would process a person’s data, thereby, violating transparency protocols. The Trade Desk Wants to Be the App Store for Ad Tech Criteo also failed to provide people with the right to access the data withheld by the company when requested. To that, the company failed to fully comply with data deletion requests as they only ceased displaying personalized ads to users but failed to delete their unique identifier or associated browsing activities. Lastly, Criteo had murky agreements in place with its partners that lacked specific details regarding their obligations as data controllers, including requirements outlined in the GDPR, such as handling data subject rights, notifying authorities and individuals of data breaches, and conducting impact assessments as needed. What did the regulators say? The CNIL considered multiple factors when determining the penalty, including “a very large number of people” impacted by the data processing (approximately 370 million identifiers across the EU) and the comprehensive collection of data on users' consumption habits. Despite lacking user names, the CNIL determined that the data possessed the potential to re-identify individuals in specific cases. The CNIL also took into account the company's business model, which heavily relies on extensive data collection and processing to deliver targeted ads. To that, the CNIL found that processing people's data without valid consent allowed the company to expand its user base and increase its revenue gains as an ad intermediary. Criteo made a revenue of $2.01 billion in 2022, according to the company’s latest financial reports. Criteo will appeal this decision before the courts. “A number of the CNIL’s interpretations and applications of the GDPR are not consistent with the European Court of Justice rulings and even with the CNIL’s own guidance,” Ryan Damon, chief legal officer at Criteo said in a statement to Adweek. “The decision relates to past matters and does not include any obligation for Criteo to change its current practices.” How did we get here? This decision follows a complaint filed by Privacy International and Austrian-based non-profit None of Your Business (NOYB) with CNIL in 2018, raising concerns about the data processing practices of Criteo and other players in the ad-tech industry. The complaint centered around Criteo's use of tracking and data profiling techniques to target users with targeted ads. Both parties argued that Criteo lacked a legal basis for such tracking. What was the preliminary decision? In response, CNIL launched an investigation in 2020 to address the issue and came out with its preliminary decision the same year. CNIL found that Criteo had indeed breached GDPR and imposed a hefty fine of approximately $69.6 million (€60 million). For Ad Tech, Cannes This Year Is All Business However, Criteo has since made efforts to contest the fine and sought a reduction in the amount, arguing that its actions were unintentional and did not result in any harm, the company said via statement. The company emphasized several factors to support its case, including the absence of evidence indicating harm caused by the breaches, the measures taken to mitigate potential harm, its cooperation with the supervisory authority, and the low intrusiveness of the personal data involved. The CNIL seemingly took into account Criteo's concerns and decided to reduce the fine by one-third, still, the sanction remains "vastly disproportionate" in light of the alleged breaches, according to Damon.

Data

Criteo Hit With $44 Million Fine for GDPR Violations, Reinforcing Data Privacy and Transparency Rules

The company will appeal this decision before the court

Trishla Ostwal

About

Subscriptions

Events

Publications

WORK SMARTER - LEARN, GROW AND BE INSPIRED.

Subscribe today!

Trishla Ostwal