A Deep Dive Into Criteo’s 40M GDPR Fine From the CNIL

It was only a matter of time before the GDPR fines started ratcheting up.

As we just recently crossed the fifth year anniversary of GDPR, one thing has become clearly evident — regulators will continue their tough stance on violations. I noted as much in my 5 Data Privacy Trends to Watch in 2022 article written for AdMonsters.

Well, just last week, while everyone in ad tech was traversing La Croisette for the Cannes Lions International Festival of Creativity 2023, the French Data Protection Authority (CNIL) levied a hefty fine against global commerce media company, Criteo.

The revised fine of €40M ($44 Million), dates back to complaints filed by None of Your Business (NOYB), an Austria-based nonprofit, and Privacy International in 2018, stating that Criteo did not have a legitimate legal basis for behavioral targeting. CNIL’s initial investigation in 202o found the ad tech company in breach of GDPR, slapping them with a €60M fine. Criteo attests that their actions were not deliberate, nor did they cause any harm. Criteo also argued that the initial fine represented half of its earnings and 3% of its global sales, which is “close to the legal maximum” allowable under GDPR.

I took a deep dive into Criteo’s 40M GDPR fine from the CNIL (one of the highest fines for cookie-related violations). Below are three highlights that jumped out at me:

Proof of Consent Required – Although the collection of consent for cookies was the responsibility of Criteo’s partners, who are in direct contact with their website users, Criteo was still required to verify and be able to demonstrate that these users gave their consent. The CNIL required Criteo to incorporate a new clause on proof of consent in its contracts. Partners must “promptly provide Criteo, upon request and at any time, with proof that the consent of the data subject has been obtained by the partner.” I am interested to see whether the CNIL will come back to Criteo to see if this clause has been exercised. Accountability is the new king. Adtech companies will need a solution for auditing and demonstrating accountability in the U.S. and EU, as regulators in both jurisdictions are no longer willing to allow companies to rely on paper assurances.

Consent Can Be Given and Taken Away – The CNIL alleged that when a person exercised their right to withdraw consent, the process implemented by the company only stopped the display of personalized advertisements to the user; it did not stop all processing activities. Criteo addressed this by putting in place a procedure to allow individuals to exercise their right to withdraw consent directly by clicking the button “Deactivate Criteo Services” in the company’s privacy policy.

Joint Controller Agreements work for Ad Tech – The CNIL did not challenge the joint controller agreements Criteo had in place with partners, but they got dinged for not specifying all of the respective obligations of controllers under the GDPR, such as the exercise by data subjects of their rights, the obligation to notify the supervisory authority and data subjects of a data breach or, if necessary, the carrying out of an impact assessment under Article 35 of the GDPR.

This is a huge fine (2% of turnover), but most of the issues raised seemed solvable to me.