Criteo and its retargeting sanctioned for 5 GDPR breaches


The sanction has long hung over the head of the French specialist in online advertising, and more specifically in retargeting. Criteo now knows its fate: the CNIL has imposed a fine of 40 million euros.

It will therefore have taken the data protection authority several years to sanction the French adtech company, following a complaint in 2018 and the opening of an investigation in 2020. Last August, an NGO suggested that the sanction could reach 60 million euros.

Retargeting without proof of consent for years

Given the numerous shortcomings noted by the Commission, the sanction was, in the end, inevitable. Through its retargeting activities, Criteo was found guilty of no fewer than 5 GDPR violations.

The adtech company's business, as described by the CNIL, consists of tracking Internet users' browsing in order to display targeted advertisements. This tracking is carried out through a cookie or tracker placed on their devices.

Have Internet users consented to this data collection? This is undoubtedly the original problem. For the CNIL, the answer is clear: it found no proof of individuals' consent to the processing of their data.

This is the first failure attributed to Criteo, even though its cookie was placed by partners. “However, this does not exempt the company CRITEO from its obligation to verify and to be able to demonstrate that Internet users have given their consent”, the authority recalls.

Lack of partner audit by Criteo

In addition, the inspections revealed that the company had taken no measures to remedy this, and thus to check that valid consent was being collected. Moreover, the partners were not contractually bound by any clause to provide proof of Internet users' consent.

Finally, a case of culpable inaction: “the company had not undertaken any audit campaign of its partners before the CNIL initiated the procedure.” Subsequently, while under investigation, Criteo updated its contracts to include a proof-of-consent clause.

It nevertheless accumulated other shortcomings, concerning the obligation of information and transparency (since corrected as well) and respect for the rights of access, withdrawal of consent and deletion of data. Finally, its sanction is also justified by a breach of the obligation to put in place an agreement between joint data controllers.

What about the penalty, then? For breaches that may seem comparable, Google, for example, was fined 100 million euros in 2020. To determine the penalty imposed on Criteo, the CNIL states that it took several criteria into account.

The adtech company's financially profitable inaction

Among these is “the fact that the processing in question concerned a very large number of people”, with 370 million identifiers for the EU, and the extent of the data collected on Internet users' consumption habits.

Criteo may well claim that it cannot itself identify individuals. The “data were sufficiently precise to allow, in certain cases, the re-identification of the people”, the Commission replies.

It also highlights the company's economic model and its practices regarding consent, which are financially profitable. Clearly, Criteo had a direct interest in being lax in this area. A factor that could lead one to judge the sanction, in the end, almost lenient.

“The CNIL considered that the fact of processing people’s data without proof of their valid consent has enabled the company to unduly increase the number of people concerned by its processing and therefore the financial income it derives from its role as ‘advertising intermediary’”, it observes.
