Adtech firm Criteo was assessed a penalty of 40 million euros (U.S. $44 million) for multiple alleged violations of the General Data Protection Regulation (GDPR), including failing to verify it gained consent to process the data of European Union citizens.

The French data protection authority, CNIL, announced the fine in English on Thursday. Criteo in August disclosed it faced a proposed penalty of €60 million (U.S. $66 million) from the regulator regarding the matter.

Despite the reduced penalty, the company said it intends to appeal the CNIL’s decision.

The details: Criteo utilizes a cookie tracker through partner websites to help it collect the browsing data of internet users to determine which relevant advertisements to serve them. The company gathers a significant amount of data—about 370 million identifiers across the European Union, the CNIL noted—and though it doesn’t collect names, the data is considered enough to identify an individual in some cases.

The CNIL in January 2020 opened its investigation into Criteo’s data processing practices related to targeted advertising and user profiling following complaints received by Privacy International and the European Center for Digital Rights. The regulator said it found five infringements of the GDPR by Criteo, including:

  • Failure to demonstrate the data subject gave consent. At the time of the CNIL’s probe, the company had not put in place measures to ensure its partners were validly collecting the consent of the users whose data it was processing, the regulator said. Criteo’s contracts with partners now include a clause relating to proof of consent.
  • Failure to comply with information and transparency obligations. The company’s privacy policy previously did not include all intended purposes for processing; Criteo has since updated the policy, the CNIL said.
  • Failure to respect right of access. Criteo was found to have not provided sufficient information when individuals exercised their right of access. The CNIL said the company is working to address this.
  • Failure to comply with right to withdraw consent and erasure of data. The company “did not delete the identifier assigned to the person or erase navigational events related to that identifier” when users requested deletion of their data, according to the regulator.
  • Failure to provide for an agreement between joint controllers. Agreements between Criteo and its partners did not specify obligations regarding the requirements of the GDPR, the CNIL said.

The CNIL’s case against Criteo was cross-border; the 29 other EU supervisory authorities approved the decision.

Company response: “Criteo has taken note of the CNIL’s final sanction decision … and intends to appeal this decision before the competent courts,” said the company’s Chief Legal Officer Ryan Damon in a statement. “[T]he sanction remains vastly disproportionate in light of the alleged breaches and misaligned with general market practice in such matters. In addition, we believe that a number of the CNIL’s interpretations and applications of the GDPR are not consistent with the European Court of Justice rulings and even with the CNIL’s own guidance.

“The decision relates to past matters and does not include any obligation for Criteo to change its current practices; there is no impact to the service levels and performance that we are able to deliver to our customers as a result of this decision.”