Adtech firm Criteo faces a proposed fine of 60 million euros (U.S. $61.4 million) from France’s data protection authority (DPA) for noncompliance with the European Union’s General Data Protection Regulation (GDPR).
The proposed penalty, which the company disclosed in a regulatory filing Friday, stems from a CNIL investigation opened in January 2020 into Criteo’s data processing practices related to targeted advertising and user profiling.
Although the company was notified of the proposed fine on Aug. 3, a final decision—including any financial sanction—is unlikely to be approved until 2023, it stated.
Criteo has the right to respond to the CNIL’s findings and the proposed penalty before a draft decision is sent to other EU DPAs as part of the cooperation mechanism under Article 60 of the GDPR.
The CNIL has not commented publicly on the case. Its investigation covers separate complaints against Criteo lodged in 2018 by London-based privacy rights charity Privacy International and the European Center for Digital Rights, which is headed by privacy campaigner Max Schrems.
The Privacy International complaint singled out six other firms—credit reference agencies Experian and Equifax, data brokers Acxiom and Oracle, and adtech firms Tapad and Quantcast—over the way they collected, used, and sold personal data to drive ad revenue without people’s knowledge or consent.
In May 2019, the Irish Data Protection Commission confirmed it is investigating Quantcast, while the U.K.’s Information Commissioner’s Office (ICO) has ongoing probes into Acxiom, Experian, and Equifax.
On Twitter, Privacy International called Criteo’s business model “a manipulation machine.” It alleged the company’s online advertising platform “sp[ies] on people’s online browsing behavior to try and predict their propensity to engage with specific products and the types of ad design they would best respond to.”
In a statement on its website, Criteo’s Chief Legal Officer Ryan Damon said, “We strongly disagree with the findings in the CNIL investigator’s report, both on the merits relating to the investigator’s assertions of noncompliance with GDPR and the quantum of the proposed sanction.”
He added the merits of the report were “fundamentally flawed,” while the proposed fine was “incommensurate with the alleged noncompliant actions.”
Damon said the company looks forward to “further dialogue with the CNIL” and will defend its case. He added, “Criteo continues to uphold the highest privacy standards and operates a fully transparent and regulatory-compliant global business.”
The adtech industry has faced greater scrutiny under the GDPR in recent years. In February, the European arm of the Interactive Advertising Bureau was fined €250,000 (then-U.S. $286,000) by the Belgian DPA for data privacy violations regarding its Transparency and Consent Framework, which was meant to ensure GDPR compliance within the adtech sector.
In November, the ICO called on Google and other online companies to eliminate privacy risks posed by the adtech industry when it issued a set of data protection standards companies must meet to safeguard people’s privacy online when developing new advertising technologies.