With a €40 million GDPR fine against Criteo, French regulators target the Parisian giant over its data practices

The decision comes after a five-year process dating back to November 2018, when the British nonprofit Privacy International filed a complaint with the CNIL not long after the EU’s General Data Protection Rules went into effect. A month later, Austria-based digital rights group NOYB (“None Of Your Business”) filed a similar complaint, which was then followed by French regulators’ official investigation starting in 2020.

When the CNIL’s investigation began, experts saw it as having the potential to draw a line in the sand for the ad tech industry. Some wondered what kind of precedent a ruling might have — especially without much case law to lean on related to GDPR — and if regulators would levy high fines against Criteo. Regulators had proposed a €60 million fine but ultimately dialed back by €20 million after Criteo pushed for a lighter penalty.

Some observers say that going after France’s own ad-tech darling the same week as the Cannes Lions International Festival of Creativity is taking place sends a strong signal to the industry.

“DPAs are not afraid to turn their attention inward rather than focus merely on major U.S. big tech,” said Eric Lamy, a lead customer data pm at Endeavor. “It also shows that failure to specify responsibilities owed by all parties under joint controller agreements is sufficient to demonstrate significant liability.”

The core of the case relates to Criteo’s tracker cookie and how the company processed data for personalized advertising. In a summary of the case, CNIL said it noticed “several infringements” including a lack of evidence showing that the company validated user consent. According to the CNIL, the company didn’t have the names of users but the amount of data collected still allowed individuals to be re-identified in some cases.

“I expect this to be a high-stake case for Ad Tech,” privacy researcher Lukasz Olejnik wrote in a series of tweets about the ruling. “Many are eagerly interested in how it ends. Having read the full case description/detail, I don’t rule out this case going to EU Court of Justice.”

In its summary, CNIL said Criteo violated five parts of GDPR, including not providing enough transparency, failing to “respect the right of access,” not complying with users’ right to withdraw content and have their data erased, and not meeting standards when it comes to agreements between data controllers. When deciding the fine, the CNIL said it took into account the 370 million identifiers Criteo has across the EU and also the company’s monetization model.

“When a person exercised their right to withdraw consent or deletion of their data, the process implemented by the company only stopped the display of personalised advertisements to the user,” according to the CNIL. “However, the company did not delete the identifier assigned to the person or erase navigational events related to that identifier.”

Criteo already plans to appeal the decision, according to the company’s disclosure about the case filed on Thursday with the U.S. Securities and Exchange Commission. When Digiday asked Criteo for comment, a spokesperson emailed a statement from Criteo Chief Legal Officer Ryan Damon, which said the decision relates to past matters and doesn’t include any obligations to change the company’s current practices. Damon’s statement also pointed out the size of the fine is “vastly disproportionate in light of the alleged breaches and misaligned with general market practice in such matters.”

“We believe that a number of the CNIL’s interpretations and applications of the GDPR are not consistent with the European Court of Justice rulings and even with the CNIL’s own guidance,” Damon said in the statement. “As we stated previously, we consider that the allegations made by the CNIL do not involve risk to individuals nor any damage caused to them. Criteo, which uses only pseudonymized, non-directly identifiable and non-sensitive data in its activities, is fully committed to protecting the privacy and data of users.”

NOYB and Privacy International celebrated Thursday’s outcome. However, some experts expressed disappointment that the ruling didn’t address enough of the technical aspects of the case. In a Twitter thread about the case, Michael Veale, an associate professor of digital rights and regulation at UCLA, said CNIL was “too formalistic” and “misses the structural absurdity of the industry.” (He added that Criteo might also be able to rely on a commonly used legal loophole.)

The decision comes amid a number of other enforcement actions happening across the EU related to ad tech. Along with data privacy rulings in other countries such as Ireland, the European Commission also recently opened a new antitrust case into Google that addresses issues beyond privacy, such as whether the tech giant abused its market power to favor its own systems. The CNIL is also reportedly investigating complaints into ChatGPT related to privacy violations, according to a report back in April. The watchdog also released a new “action plan for AI” last month that focused on generative AI.

Based on the CNIL’s full explanation of its decision, privacy lawyer Luis Montezuma said companies that rely on third-party data need to have consent agreements with first-party data providers and also be prepared to audit publisher data.

“If an organization wants to use (or reuse) personal data for improving the performance of advertising (operations by training models), they need to identify a legal basis,” Montezuma said.