France fines ad tech giant €40m over GDPR breaches
Criteo argues its actions were unintentional and did not cause any harm
France's data protection authority CNIL has imposed a €40 million fine on Criteo, the ad tech giant headquartered in Paris, for GDPR violations in its handling of personal data for targeted advertising.
Criteo offers "behavioural retargeting" services across numerous websites, using tracking cookies that analyse browsing patterns and predict users' potential purchases of products and services.
With a database encompassing approximately 370 million individuals in Europe, the company gathers valuable insights into consumer behaviour.
According to CNIL's ruling, Criteo was found to have neglected the verification of individuals' consent while processing their data.
The decision follows a five-year process that commenced in November 2018. It started when the British non-profit organisation Privacy International lodged a complaint with CNIL, expressing concern about the data processing practices of various players within the data brokering and adtech industry, including Criteo.
About a month later, noyb ("None Of Your Business"), a digital rights group based in Austria, joined the complaint, adding its weight to the concerns raised about the data processing activities of Criteo and other entities.
The core of the case relates to Criteo's use of tracker cookies and other data-processing methods to create detailed profiles of internet users, enabling more precise ad targeting. Privacy International and noyb contended that Criteo lacked a valid legal basis for conducting such tracking activities.
In 2020, CNIL initiated a formal investigation into the matter.
In August 2022, CNIL issued a preliminary decision stating that Criteo had violated GDPR regulations and imposed a fine of €60 million on the company. Subsequently, Criteo took steps to negotiate a reduction in the fine.
In its summary of the case, CNIL identified five instances of GDPR infringements related to Criteo's ad-tracking practices:
- Criteo's failure to provide sufficient evidence of obtaining user consent for data processing.
- Criteo's non-compliance with the obligation to provide clear and transparent information about data processing activities.
- Criteo's failure to respect users' right to access their personal data.
- Criteo's failure to adequately uphold users' rights to withdraw consent and request the erasure of their data.
- Criteo's omission of an agreement between joint controllers.
According to the CNIL, while Criteo did not possess the individual names of every user, the data it collected was deemed "sufficiently accurate" to potentially re-identify individuals in certain cases.
This suggests that Criteo might have been able to identify individuals by cross-referencing anonymised datasets with publicly available records or by employing other data-matching techniques to infer the identities of users.
Criteo argues that its actions were unintentional and did not cause any harm.
Ryan Damon, chief legal officer at Criteo, stated that the decision pertains to past issues and does not impose any requirements to alter the company's present practices.
Damon also said the fine was "vastly disproportionate" considering the alleged breaches, and inconsistent with typical practices observed in similar cases within the industry.
Criteo intends to appeal the decision, as stated in the company's disclosure filed with the US Securities and Exchange Commission on Thursday.