Criteo Faces Millions in GDPR Penalty for Personalized Advertising

Personalized advertising: AdTech service Criteo hit with multimillion-euro GDPR penalty

The French data protection authority CNIL has fined Criteo, an online advertising company, 40 million euros for violations of the General Data Protection Regulation (GDPR). The company, which specializes in “advertising retargeting,” has been under investigation by CNIL due to complaints from data protection organizations Noyb and Privacy International. CNIL auditors found numerous deficiencies in Criteo’s practices, including a lack of transparency, failure to respect individuals’ rights, and insufficient proof of consent for data processing.

Criteo tracks internet users’ browsing activities in order to display personalized advertisements. The company collects browsing data through cookies stored on users’ devices when they visit partner websites. By analyzing surfing behavior, Criteo determines the most relevant advertiser and product to target a specific user. The company then participates in real-time auctions for banner space and only displays personalized ads if it wins the auction. In 2022, Criteo generated a net profit of €11 million on sales of over €2 billion.

CNIL’s decision also highlighted Criteo’s violations of Article 15 (right to information) and Article 26 (obligation to conclude an agreement between joint data controllers) of the GDPR. The company also disregarded individuals’ right to withdraw consent and delete data. CNIL considered the large number of people affected by Criteo’s processing, as the company has data on approximately 370 million EU citizens and collects detailed information on their consumption habits.

The CNIL acted as the single point of contact under the GDPR and coordinated its decision with all 26 other European supervisory authorities involved in the case. Noyb, one of the complainants, emphasized the significance of the decision as a strong signal to the adtech industry that they will face serious consequences for breaking the law.

The investigation into Criteo has also expanded to explore other areas that were not part of the original complaint. Recently, Microsoft’s advertising network Xandr discovered a list on the internet containing sensitive information such as health, sexual, and political data used for targeted advertising in the AdTech sector.

This decision by CNIL serves as a reminder to companies in the adtech industry to comply with GDPR regulations and prioritize the protection of individuals’ data.
