France-based advertising technology company Criteo has received a revised fine of €40 million from the French Data Protection Authority (CNIL) for violating GDPR and failing to get user consent around personalized advertising.
As reported by TechCrunch, the CNIL launched its investigation into Criteo in 2020, after receiving a formal complaint from London-based Privacy International, which at the time said that it was “gravely concerned” at the data processing practices of various companies in the adtech and data broking sectors, including Criteo. Vienna-based non-profit organization None of Your Business (NOYB) later joined the complaint, citing similar concerns.
“CRITEO specialises in ‘behavioral retargeting’, which consists of tracking the navigation of Internet users in order to display personalised advertisements,” the CNIL wrote in a press release announcing the revised fine. “To this end, the company collects the browsing data of Internet users thanks to the CRITEO tracker (cookie) which is placed on their terminals when they visit certain CRITEO partner websites. Through this tracker, the company analyses browsing habits in order to determine which advertiser and for which product, it would be most relevant to display an advertisement to a particular user. Then, it participates in real time bidding and displays personalised advertising if it has won the bid.”
According to Privacy International and NOYB, the French company didn’t have a legal basis for its practices. In August 2022, the country’s data protection watchdog announced its preliminary determination that Criteo had indeed violated GDPR and fined the company €60 million.
While the fine has now been decreased to €40 million, the CNIL said that it found five infringements of the General Data Protection Regulation by the Paris-headquartered firm, which include:
- Failure to demonstrate that the data subject gave its consent (Article 7.1 GDPR)
- Failure to comply with the obligation of information and transparency (Articles 12 and 13 GDPR)
- Failure to respect the right of access (Article 15.1 GDPR)
- Failure to comply with the right to withdraw consent and erasure of data (Articles 7.3 and 17.1 GDPR)
- Failure to provide for an agreement between joint controllers (Article 26 GDPR)
In a statement to TechCrunch, Ryan Damon, Criteo’s Chief Legal Officer, said that the company intends to appeal the CNIL’s decision. Damon argued that the decision is “vastly disproportionate” when compared to other alleged violations in the industry.
“As we stated previously, we consider that the allegations made by the CNIL do not involve risk to individuals nor any damage caused to them,” he said. “Criteo, which uses only pseudonymized, non-directly identifiable and non-sensitive data in its activities, is fully committed to protecting the privacy and data of users. The decision relates to past matters and does not include any obligation for Criteo to change its current practices; there is no impact to the service levels and performance that we are able to deliver to our customers as a result of this decision. We continue to uphold the highest standards in this area and operate a fully transparent and regulatory-compliant global business. We will be making no further statement at this stage.”