
Criteo Hit With $44 Million Fine for GDPR Violations, Reinforcing Data Privacy and Transparency Rules


Advertising powerhouse Criteo has found itself in hot water, with a massive fine of $44 million for breaching GDPR rules.

The French privacy watchdog, Commission nationale de l’informatique et des libertés (CNIL), found Criteo had failed to obtain people’s consent before collecting their data for ad targeting purposes, and had also neglected to provide sufficient information and transparency while respecting individuals’ rights.

The substantial fine serves as a reminder of the importance of complying with GDPR requirements and handling personal data responsibly while underscoring the commitment of regulators to ensuring transparency in data processing practices.

“They didn’t say that targeted advertising was forbidden, but that people have to be told and given a choice about it,” said Mathieu Roche, co-founder and CEO of ID5. “This is how the industry had organized itself, with the TCF in particular.”

What are the violations?

The CNIL found that Criteo had committed five infringements of the GDPR.

These include a failure to demonstrate that people gave their consent for targeted ads. The law states that the Criteo tracker (cookie) used for targeted ads cannot be placed on the user’s terminal without their consent. Further, the ad tech giant failed to divulge all the ways it would process a person’s data, thereby violating transparency protocols.

Criteo also failed to give people access, when requested, to the data the company held on them. In addition, the company failed to fully comply with data deletion requests: it only ceased displaying personalized ads to users but did not delete their unique identifier or associated browsing activities.


Lastly, Criteo had murky agreements in place with its partners that lacked specific details regarding their obligations as data controllers, including requirements outlined in the GDPR, such as handling data subject rights, notifying authorities and individuals of data breaches, and conducting impact assessments as needed.

What did the regulators say?

The CNIL considered multiple factors when determining the penalty, including “a very large number of people” impacted by the data processing (approximately 370 million identifiers across the EU) and the comprehensive collection of data on users’ consumption habits.

Despite lacking user names, the CNIL determined that the data possessed the potential to re-identify individuals in specific cases. The CNIL also took into account the company’s business model, which heavily relies on extensive data collection and processing to deliver targeted ads.

In addition, the CNIL found that processing people’s data without valid consent allowed the company to expand its user base and increase its revenue as an ad intermediary. Criteo made a revenue of $2.01 billion in 2022, according to the company’s latest financial reports.

Meanwhile, Criteo will appeal this decision before the courts.
