Criteo, a major online advertisement and tracking company in Europe, has been fined €40 million by the Commission national de l’informatique et des libertés (“CNIL”), France’s data protection authority. Criteo provides behavioural retargeting services on thousands of websites by placing tracking cookies on websites, which analyse browsing habits to determine which products and services users are most likely to buy. The company has data on about 370 million people in Europe for this purpose.
The original complaint against Criteo was filed by Privacy International and None of Your Business in 2018. The complaint stated that Criteo did not provide users with a proper option to withdraw consent for the use of their information, such as prior online activity, which Criteo used for their behavioural retargeting services. This, the complainants submitted, is contrary to the European Union’s General Data Protection Regulations (“GDPR”), which were introduced in 2012 and govern data protection and privacy concerns.
- Article 7(1) of the GDPR: Criteo failed to demonstrate that the data subjects (i.e., the users) gave their consent to the tracking cookies;
- Articles 12 and 13 of the GDPR: Criteo failed to comply with the obligation of information and transparency, effectively meaning that Criteo did not divulge all the ways it would process user data;
- Article 15(1) of the GDPR: Criteo failed respect users’ right of access, which means that it did not provide users with all the data it held when requested to do so;
- Articles 7.3 and 17.1: Criteo failed to comply with users’ rights to withdraw consent and erasure of data, meaning that Criteo did not delete or remove all of a user’s data when requested;
- Article 26 of the GDPR: Criteo failed to provide for an agreement between joint controllers, which means that it did not have clear agreements in place with partner companies that stipulate the role of each party and their obligations in managing users’ data.
The CNIL found that these infringements demonstrate a clear violation of users’ privacy, a lack of transparency and a violation of users’ rights. Following these findings, the CNIL fined Criteo €60 million in August 2022. However, the company sought to reduce the fine, arguing that its actions were not deliberate and did not result in any harm. Further, it argued that the fine was excessive in comparison to other fines that had been instituted by CNIL to companies like Google and Meta. The fine has thus been reduced to 40 million euros. However, Criteo’s chief legal officer has stated that they plan to appeal the decision.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].