Criteo, the French advertising technology giant, has been slapped with a reduced fine of €40 million ($44 million) over its failure to obtain user consent for targeted advertising. This case was initiated by Privacy International in 2018 when it filed a formal complaint against several players in the adtech industry, including Criteo, claiming concerns about their data processing activities. The crux of the issue revolved around Criteo’s use of tracking and data-processing techniques to profile internet users for granular ad targeting, referred to as “behavioral retargeting”.
The Commission nationale de l’informatique et des libertés (CNIL), France’s data privacy watchdog, launched an investigation into these allegations in 2020. Preliminary findings in August 2022 determined that Criteo had indeed breached GDPR regulations leading to a hefty fine of €60 million being levied on the Paris-based company. However, Criteo contested this decision arguing that their actions were unintentional and didn’t result in any harm.
In response to these contentions, CNIL adjusted the penalty reducing it by one-third but still maintained that Criteo exhibited blatant disregard for privacy. The final report found five GDPR infringements related to Criteo’s ad-tracking activities which included failure to demonstrate user consent, inadequately disclosing ways it would process user data and neglecting requests for data erasure among others.
Despite these findings and reduction in fines, Chief Legal Officer Ryan Damon stated that the company plans to appeal against the “vastly disproportionate” decision while reaffirming that their practices did not cause any harm or risk to individuals. He also highlighted that CNIL hasn’t requested any changes in their current practices indicating no impact on service levels and performance they deliver to their customers.