France imposes €40 million fine on adtech company Criteo

The French data protection authority CNIL has concluded its investigation against the French adtech company Criteo, which has been ongoing since the end of 2018, and imposed a fine of €40 million for several data protection violations. The proceedings were based on complaints submitted by Privacy International and NOYB, which had criticised the inadequate possibility to withdraw online tracking consent users provide to Criteo. The CNIL used the complaints as an opportunity to conduct an extensive audit of the company and included other aspects of its GDPR compliance.

For some background, Criteo is a well-known player in the online marketing industry that specialises in retargeting services. When users visit websites of Criteo partners, a tracker records the users’ browser data. This enables the service to analyse the users’ surfing behaviour and display personalised advertising on behalf of its customers.
The following breaches, which Criteo has apprently already started to address, were identified by the CNIL:

  1. Breach of the obligation to ensure consent
    In the past, Criteo had neither checked nor ensured whether its data partners obtained valid consent from users for the use of the Criteo tracker. In particular, it was found that some partners used the Criteo tracker completely without any consent mechanism.
  2. Breach of information and transparency obligations
    Criteo’s privacy policy did not contain a full description of all processing purposes. Also, some processing activities were only described vaguely, so that users could not understand what data was being processed for which purposes.
  3. Disregarding requests for information
    Requests for information from users were only answered incompletely and in a way that was not comprehensible to users.
  4. Failure to observe the right of withdrawal and the right to be forgottenIf data subjects revoked their consent or requested deletion of their personal data, Criteo stopped serving personalised ads to them, but neither the tracking ID assigned to the individual nor the personal data associated with it were effectively deleted.
  5. Breach of the obligation to conclude Joint Controller Agreements
    The agreement concluded between Criteo and its partners did not meet the requirements under the GDPR regarding the obligations of joint controllers, for example with regard to the handling of data subject right requests.

What is the significance of the case for businesses in the online marketing industry – and beyond?
The case shows how a comparatively small audit can turn into a far-reaching review of data protection documentation and implementation within a company. 

Efforts to ensure compliance with data protection law should therefore be given priority within a company to reduce the risk of substantial fines for GDPR violations.

Businesses in the online marketing industry should take a closer look at the individual points raised by the CNIL and check their implementation. As your ePrivacy team, we will be happy to advise and support you in this.