In a stunning turn of events, adtech firm Criteo has found itself in hot water with regulators, facing a hefty penalty of 40 million euros (U.S. $44 million) for multiple alleged violations of the General Data Protection Regulation (GDPR). The French data protection authority, CNIL, recently announced the fine, which sent shockwaves through the industry and left Criteo employees feeling like their yacht had suddenly transformed into a funeral barge, with no explanation for this colossal punishment.
The core issue at hand revolves around Criteo’s data processing practices and its failure to obtain proper consent from European Union citizens. Criteo employs a cookie tracker that collects browsing data from internet users, enabling the company to serve them relevant advertisements. While Criteo claims that it doesn’t collect names, the sheer amount of data it gathers—about 370 million identifiers across the EU—has raised concerns about the potential identification of individuals.
The CNIL’s investigation into Criteo’s practices was initiated in January 2020 following complaints from Privacy International and the European Center for Digital Rights. The regulator uncovered five violations of the GDPR, including Criteo’s failure to demonstrate valid consent, lack of transparency in its privacy policy, inadequate provision of information to individuals exercising their right of access, failure to comply with requests to withdraw consent and delete data, and absence of proper agreements between joint controllers.
While Criteo’s proposed penalty was initially set at €60 million (U.S. $66 million), the final fine was reduced. However, even with the reduced amount, the company remains determined to appeal the CNIL’s decision, claiming that the sanction is disproportionate and not aligned with industry standards. Criteo’s Chief Legal Officer, Ryan Damon, stated that the CNIL’s interpretations and applications of the GDPR are inconsistent with European Court of Justice rulings and even the CNIL’s own guidance.
The timing of the penalty announcement, coinciding with the prestigious Cannes Lions International Festival of Creativity, is noteworthy. Some industry observers perceive this as a deliberate signal to the adtech sector that regulators are willing to take action, even against France’s own ad-tech darling. Eric Lamy, a lead customer data project manager at Endeavor, noted that regulators are not shying away from scrutinizing major U.S. big tech companies and that the case underscores the significance of specifying responsibilities in joint controller agreements.
At the heart of the case lies Criteo’s use of tracker cookies and its handling of data for personalized advertising. The CNIL discovered several infringements, including the absence of evidence validating user consent and insufficient transparency. The regulator also criticized Criteo for not respecting individuals’ right of access, failing to comply with requests to withdraw consent and delete data, and neglecting to establish proper agreements with data controllers. The CNIL took into account Criteo’s vast database of 370 million identifiers and the company’s monetization model when determining the fine.
Privacy researcher Lukasz Olejnik suggests that this high-stakes case could have far-reaching implications for the adtech industry, speculating that it might even reach the European Court of Justice. The ruling received mixed responses, with groups such as NOYB and Privacy International celebrating the outcome, while others expressed disappointment that the technical aspects of the case were not adequately addressed.
Criteo’s decision to appeal the fine reflects its stance that the allegations do not pose risks to individuals or cause them harm. The company emphasizes its commitment to protecting user privacy and asserts that it uses only pseudonymized, non-directly identifiable, and non-sensitive data in its operations.
This penalty against Criteo is just one of several enforcement actions taking place across the European Union, highlighting the increased regulatory focus on the adtech industry. From data privacy rulings to antitrust cases, regulators are actively examining the practices of tech giants. The CNIL itself is reportedly investigating complaints related to privacy violations involving ChatGPT, and the watchdog recently released an “action plan for AI” that centers around generative AI.
Moving forward, companies reliant on third-party data will need to ensure proper consent agreements with first-party data providers and be prepared to audit publisher data. As privacy lawyer Luis Montezuma suggests, organizations must identify a legal basis when utilizing personal data for advertising purposes and be diligent in meeting GDPR requirements.
Adding fuel to the fire, insiders claim that Criteo is currently under scrutiny by the Federal Trade Commission (FTC) for past misconduct. Allegedly, Criteo shared personal health information with advertising platforms and companies like Facebook, Google, and others, directly contradicting its promise to users that their health data would never be shared. While these claims remain to be proven, they add another layer of concern to Criteo’s compliance woes.
The CNIL’s penalty against Criteo serves as a stark reminder that regulators are taking data privacy seriously, and no company, regardless of its stature, is immune to the consequences of non-compliance. As the adtech industry navigates the evolving regulatory landscape, it must prioritize transparency, consent, and data protection to maintain public trust and avoid finding themselves on the wrong side of the law.
