Adtech giant Criteo faces $65M fine in France for GDPR consent breaches

In the latest blow to the creepy ‘tracking-ads’ complex, French adtech giant Criteo has been found in breach of European Union data protection regulation and hit with a €60 million sanction (~$65 million) by the country’s national privacy watchdog in a preliminary decision following a multi-year investigation.

Digital rights advocacy group Privacy International, which lodged a formal complaint against the surveillance adtech giant back in 2018, when the bloc’s General Data Protection Regulation (GDPR) came into application, tweeted news of the sanction today.

It accuses Criteo of operating what it dubs a “manipulation machine”, via the application of a suite of tracking techniques and data processing practices which are designed to profile web users so they can be targeted with behavioral ads and advertisers pay for “individual-level shopper predictions”.

Privacy International’s complaint argues Criteo does not have proper legal bases for all this tracking and profiling to be compliant with the GDPR — and it appears France’s watchdog is minded to agree.

A spokeswoman for Privacy International said they have not received a copy of the CNIL’s preliminary decision but were informed of the development by the French watchdog following standard complaint handling procedure.

“The CNIL informed us on Tuesday 3 August as they have an obligation to keep complainants informed of the progress of their complaints. It’s not a final decision yet, hence why it’s not public,” she told TechCrunch. “They can’t even share it with us. Criteo now has the opportunity to make representations and to implement corrective measures, after which there will be a hearing, followed by a final decision likely in 2023.”

We’ve also reached out to the CNIL.

Update: A spokesperson for the regulator told us: “The CNIL has received complaints from Privacy International and [privacy advocacy group] noyb against Criteo; as part of the investigation of these complaints, checks were carried out.”

“Without confirming or denying the notification of a penalty report to Criteo, the CNIL specifies that such a document is only a document subject to contradictory exchanges and does not prejudge the decision that the restricted group adopts at the end of a penalty procedure,” they added.

A Criteo filing, dated August 3, confirms the preliminary finding by the CNIL of what is described in the form 8-K/A filing as “certain GDPR violations, in particular relating to the Company’s contractual relationships with its advertisers and publishers with respect to consent collection oversight”.

“The report includes a proposed financial sanction against the Company of €60.0 million ($65.4 million). Under the CNIL sanction procedures, Criteo has the right to respond in writing to the report, both with respect to the GDPR findings and the value of the sanction, following which there will be a formal hearing before the CNIL Sanction Committee. The CNIL Sanction Committee will then issue a draft decision that will be submitted for consultation to other European data protection authorities as part of the cooperation mechanism mandated by GDPR. Any final decision on resolution and potential financial penalties would likely not occur until 2023,” Criteo’s filing goes on.

We contacted Criteo for further comment on the sanction and a spokeswoman pointed us to a statement on its website in which Ryan Damon, its chief legal officer, also writes:

We strongly disagree with the findings in the CNIL investigator’s report, both on the merits relating to the investigator’s assertions of non-compliance with GDPR and the quantum of the proposed sanction. We find the merits of this report to be fundamentally flawed, and the proposed sanctions to be incommensurate with the alleged non-compliant actions. We look forward to further dialogue with the CNIL as well as to defend our case to the ultimate arbitrator of a final decision. Criteo continues to uphold the highest privacy standards, and operates a fully transparent and regulatory-compliant global business. We will not have any further comment until these ongoing proceedings are resolved.

The CNIL does not appear to have issued notification of the decision on its own website — likely because it’s preliminary. (Although EU DPAs do not always publish decisions, either.)

It remains to be seen whether the watchdog will stick to its guns as a French adtech giant pushes aggressively back against its findings.

But the preliminary decision is just the latest blow (in Europe) for the so-called ‘surveillance advertising’ ecosystem — which, during earlier years of regulatory slumber on data protection, made it its mission to strip web users of their privacy in a bid to optimize advertisers’ ability to manipulate individuals’ attention.

A string of privacy and data scandals have raised awareness of what some critics dub the biggest data breach of all time — leading to a rude awakening around mainstream adtech’s creepy, consentless modus operandi, which in turn is leading to a dual regulatory and legislative reckoning (even as plenty of actual GDPR enforcement remains still to come).

Earlier this year, Belgium’s DPA confirmed an earlier preliminary finding against ad industry body, the IAB Europe, and its flagship cross-industry standard for collecting user choices around tracking ads, called the Transparency and Consent Framework/TCF — identifying a laundry list of GDPR violations and giving the IAB a hard deadline of six months to reform the framework to bring it into compliance (although privacy experts have suggested nothing short of a root and branch reconfiguration of these systems will do).

In recent years, France’s CNIL has also issued some major sanctions against tracking cookie violations — under the bloc’s ePrivacy legislation — and earlier this year Google (one of the sanctioned tech giants) issued a revised cookie banner in Europe which finally offers users a clear choice to deny its tracking. Quite the win.

This year, EU lawmakers have also agreed on a ban on the use of sensitive data and children’s data being used for targeted  advertising in incoming digital regulations. While a judgement just this week, by the bloc’s top court, looks set to bolster that incoming restriction by cementing a non-narrow definition of what constitutes sensitive data.