CRITEO fined EUR 40 million for data protection infringements

French data protection authority CNIL has sanctioned online advertising company CRITEO with a fine of EUR 40 million for failing to ensure valid consent from individuals whose data it processed. The fine comes as a result of investigations carried out by the CNIL following complaints filed by Privacy International and None of Your Business.

CRITEO specializes in behavioral retargeting, a practice that involves tracking the online activities of Internet users to display personalized advertisements. The company collects browsing data through its CRITEO tracker (cookie) placed on users' devices when they visit partner websites. By analyzing browsing habits, CRITEO determines the most relevant advertisements to display to individual users through real-time bidding.

During its investigations, the CNIL identified several infringements by CRITEO, particularly related to the lack of evidence of individuals' consent, inadequate information and transparency, and non-compliance with individual rights.

The CNIL's restricted committee, responsible for imposing sanctions, levied a fine of EUR 40 million on CRITEO. In determining the penalty, the CNIL took into account the scale of the data-processing activities, which affected approximately 370 million identifiers across the European Union. Although CRITEO did not possess users' names, the CNIL considered the data to be potentially re-identifiable in certain cases. The CNIL also acknowledged CRITEO's business model, which relies heavily on collecting and processing vast amounts of data to display relevant advertisements and generate income as an advertising intermediary.

In accordance with the one-stop shop mechanism of the General Data Protection Regulation (GDPR), the decision was submitted to the other 29 European supervisory authorities, all of which approved the sanctions, recognizing the cross-border nature of the case.

The CNIL identified five infringements of the GDPR by CRITEO:

Failure to demonstrate valid consent from data subjects (Article 7.1 GDPR): The CRITEO tracker (cookie) was deposited on users' devices without their consent, and the company failed to verify the consent collected by its partners.

Failure to comply with information and transparency obligations (Articles 12 and 13 GDPR): CRITEO's privacy policy lacked completeness and used vaguely worded terms, impeding users' understanding of the data being used and the purposes.

Failure to respect the right of access (Article 15.1 GDPR): CRITEO provided incomplete data when individuals exercised their right of access and failed to provide sufficient information to understand the content.

Failure to comply with the right to withdraw consent and erasure of data (Articles 7.3 and 17.1 GDPR): CRITEO only stopped displaying personalized advertisements but did not delete identifiers or associated navigational events upon withdrawal of consent or data deletion requests.

Failure to establish an agreement between joint controllers (Article 26 GDPR): The agreement with partners lacked clarity on various obligations outlined in the GDPR, including data subjects' rights, breach notification, and impact assessments.

CRITEO has taken corrective measures to address these infringements. The company has added a clause in its contracts with partners to ensure proof of consent is promptly provided. Its privacy policy has been updated to include all intended data processing purposes in simple and understandable terms. CRITEO now provides complete data in response to access requests and has implemented procedures for individuals to exercise their right to withdraw consent. Additionally, agreements with partners have been amended to include all necessary obligations under Article 26 of the GDPR.
