Adtech giant Criteo hit with revised €40M fine by French data privacy body over GDPR breaches
French advertising technology giant Criteo has been issued with a revised fine of €40 million ($44 million) over failings to garner users’ consent around targeted advertising.
The case in question dates back to 2018 when Privacy International filed a formal complaint with the Commission nationale de l’informatique et des libertés (CNIL), France’s data privacy watchdog, using GDPR regulations that had recently been introduced across the European Union. Privacy International said it was “gravely concerned” at the data processing activities of several players in the data broking and adtech industry, one of which was Criteo. None of Your Business (NOYB), an Austria-based non-profit based in co-founded by lawyer and privacy activist Max Schrems, also later added its name to the complaint.
The crux of the issue centred on what Privacy International referred to as a “manipulation machine,” vis-à-vis how Criteo used various tracking and data-processing techniques to profile internet users for more granular ad-targeting, such as using prior online activity to predict what products an online shopper might want to buy — this is known as “behavioral retargeting.”
Privacy International and NOYB asserted that Criteo didn’t have a proper legal basis for this tracking, with the CNIL launching a formal investigation in 2020.
Preliminary decision
Fast-forward to August 2022, and the CNIL reached a preliminary decision that Criteo had indeed breached GDPR and slapped the Paris-based company with a €60 million fine. In the intervening months, however, Criteo sought to reduce the figure.
In a summary document made public today, Criteo argued that its actions were non-deliberate and did not result in any harm. It said (translation via DeepL):
The company believes that better consideration of the criteria set out in Article 83(2) of the GDPR, in particular with regard to the absence of evidence of harm, the non-deliberate nature of the breaches, the measures taken to mitigate harm, the cooperation it says it has shown with the supervisory authority and the categories of personal data concerned, which present low intrusiveness, would justify that, should the restricted panel decide to impose a fine, it significantly reduce the amount of 60 million euros proposed by the rapporteur.
Criteo added that the initial fine represented half of its earnings and 3% of its global sales, which is “close to the legal maximum” allowed under GDPR. Moreover, it argued that the fine was excessive compared to other fines meted out by the CNIL to the likes of Google and Facebook’s parent Meta, which amounted to just 0.07% and 0.06% of their respective global sales.
Thus, the CNIL has seemingly paid at least some heed to Criteo’s grievances and reduced the fine by one-third. However, Criteo chief legal officer Ryan Damon says that the company plans to appeal the decision, calling it “vastly disproportionate” when positioned against other alleged breaches elsewhere in the industry.
“In addition, we believe that a number of the CNIL’s interpretations and applications of the GDPR are not consistent with the European Court of Justice rulings, and even with the CNIL’s own guidance,” Damon said in a statement issued to TechCrunch.
Findings
The CNIL’s final report still paints a scathing picture of Criteo’s disregard for privacy, noting that the data processing involved “a very large number of people” from across the European Union, including the “consumption habits” of millions of internet users.
In total, the CNIL says it found five GDPR infringements involving Criteo’s ad-tracking activities, including a failure to demonstrate that the data subject (i.e. the user) gave their consent, which is covered by article 7(1) of GDPR; a failure to “comply with the obligation of information and transparency (articles 12 and 13), effectively meaning that Criteo didn’t divulge all the ways it would process user data; a failure to “respect the right of access” (article 15(1), meaning Criteo didn’t provide users with all the data it held when requested; a failure to “comply with the right to withdraw consent and erasure of data” (articles 7.3 and 17.1 GDPR), meaning Criteo didn’t delete or remove all of a user’s data when they requested this; and a failure to “provide for an agreement between joint controllers” (article 26), which means Criteo didn’t have clear agreements in place with its partner companies that stipulate the role of each party and their obligation in managing users’ data.
In its conclusion, the CNIL said that although Criteo didn’t have individual names of each user, the data was “sufficiently accurate to re-identify individuals” in some instances, which means that it was likely able to identify individuals by cross-referencing otherwise anonymized datasets with public records or combining other data-meshing techniques to infer the identity of users.
And then, of course, there is the elephant in the room — Criteo’s motivations with regards to its main mechanisms for making money.
“The CNIL also took into account the business model of the company which relies exclusively on its ability to display to internet users the most relevant advertisements to promote the products of its advertiser customers and thus on its ability to collect and process a huge amount of data,” the CNIL wrote. “The CNIL considered that the processing of individuals’ data without proof of their valid consent enabled the company to unduly increase the number of persons concerned by its processing and thus the financial income it derives from its role as an advertising intermediary.”
However, Criteo is sticking to its original arguments, insofar as it says that no damage was ultimately done, while pointing to the fact that the CNIL has not requested Criteo to alter any of its current practices.
“As we stated previously, we consider that the allegations made by the CNIL do not involve risk to individuals nor any damage caused to them,” Damon said. “Criteo, which uses only pseudonymized, non-directly identifiable and non-sensitive data in its activities, is fully committed to protecting the privacy and data of users. The decision relates to past matters and does not include any obligation for Criteo to change its current practices; there is no impact to the service levels and performance that we are able to deliver to our customers as a result of this decision. We continue to uphold the highest standards in this area and operate a fully transparent and regulatory-compliant global business. We will be making no further statement at this stage.”
*This story was updated with comment from Criteo.