Q&A: €40 million fine for AdTech giant Criteo - What does it mean?

Our 2018 complaint against French AdTech company Criteo led to a €40 million fine for failing to ensure that data subjects had provided their consent to processing, to sufficiently inform them and to enable them to exercise their rights.

Following on from our initial reaction, we answer some questions about the decision below.

Achieved result

On 22 June 2023, the French data protection authority CNIL imposed a €40 million fine on Criteo, one of the world's largest AdTech companies. The decision follows a complaint made by PI in 2018, in which we denounced the highly invasive tracking and profiling that Criteo performed without properly informing people or obtaining their valid consent. The CNIL's investigations found in particular that Criteo had no mechanism in place to ensure that its 40,000+ partner websites were lawfully collecting data on their behalf.


Why does this decision matter?

Our complaint against Criteo formed part of a larger set of coordinated complaints we filed in 2018 against seven companies: data brokers (Acxiom, Oracle), AdTech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian), lodged with data protection authorities in France (CNIL), Ireland (DPC) and the UK (ICO). The EU General Data Protection Regulation (GDPR) had recently come into force, and the AdTech industry was (and still is) a prime affront to the rights and principles enshrined in that legislation. Indeed, AdTech companies and data brokers rely on the collection and sharing of immense amounts of personal data to provide their services. This all happens without the knowledge and full consent of users. While most people understand that some level of tracking happens online, it's hard to imagine the scale and precision of this industry (as we discovered ourselves). Despite exploiting the data of millions of people, the hundreds of companies involved in that industry are mostly not consumer-facing, and their practices are therefore rarely challenged.

Criteo is one of the world's largest AdTech companies, headquartered in France. It partners with thousands of websites to track people across the websites they visit in order to profile them and serve them targeted advertising. It takes part in the Real-Time Bidding (RTB) system, wherein advertisers bid for advertising space every time we load a page, relying on the profiles they've created about us (or bought from data brokers or other suppliers). Unfortunately, the CNIL's decision did not address RTB - a system denounced by other human rights organisations as "the biggest data breach ever recorded". Nevertheless, it took aim at a key problem in the AdTech industry - its reliance on a data supply chain that is unaccountable and works as a free-for-all market.

The CNIL's sanction is significant - €40 million is nearly half the maximum fine that authorities can impose under the GDPR (in light of Criteo's worldwide turnover). While the CNIL found that the various breaches revealed during its investigations were rectified, it still considered that the severity and scale of the breaches justified a forceful sanction.

What did the CNIL find Criteo did wrong?

The CNIL's decision found a number of breaches of the EU GDPR:

  1. Failure to demonstrate that the data subject gave their consent (Article 7(1) GDPR) - this is a key aspect of the decision. In essence, the Criteo tracker (a cookie) is placed on its partners' websites (40,000+) to collect personal data from website visitors. In this operation, Criteo and its partners are what the GDPR calls "joint controllers", which means they are jointly responsible for ensuring compliance with data protection law in the collection and further processing of data. While the partner websites are responsible for collecting people's consent to the Criteo cookie being placed on their device, Criteo should have ensured that this consent was properly obtained - the CNIL's investigations found that Criteo had no mechanism in place to do so, and that over half of the partner websites tested by the investigation did not collect lawful consent.

  2. Failure to comply with the obligation of information and transparency (Articles 12 and 13 GDPR) - closely intertwined with the validity of consent, transparency and information are key to ensuring that people really know what they're consenting to when they do. In this case, consenting to Criteo's cookie meant accepting that granular data about your online browsing behaviour would be shared with Criteo, combined with existing data or profiles about you, and used by thousands of advertisers to serve you targeted advertising. But the CNIL found that Criteo's privacy policy was not sufficiently explicit about the purposes of data processing and was contradictory in terms of the lawful basis it relied on.

  3. Failure to respect the right of access (Article 15(1) GDPR) - the CNIL found that when people requested access to the personal data that Criteo held about them, the company would not provide all the data it held. It only provided some of its datasets, preventing people from grasping the extent of Criteo's processing and the uses it made of their data.

  4. Failure to comply with the right to withdraw consent and erasure of data (Articles 7(3) and 17(1) GDPR) - when people withdrew their consent to Criteo's processing of their data, or requested erasure of their data, Criteo only stopped serving them with targeted advertising, and did not delete their data. It did so because it considered that it had a "legitimate interest" in continuing to process this data to improve its services or to deliver even more personalised advertising. This was unlawful in particular because Criteo couldn't ensure that people had validly consented to their data being processed in the first place.

  5. Failure to provide for an agreement between joint controllers (Article 26 GDPR) - the CNIL found that the contracts that Criteo had in place with its 40,000+ partner websites did not comply with the GDPR's requirements, in particular because they lacked some key clauses on the allocation of responsibilities between joint controllers. In a context where people's personal data was shared daily between 40,000+ partners and Criteo, this was concerning.

To justify its significant fine, the CNIL argued in particular that Criteo's entire business model relies on extensive data processing, and that the various breaches identified enabled it to "unduly increase" the number of data subjects whose data it processed, and hence its financial revenue. In addition, by not deleting data when required to do so, and by using that data to improve its technology, it also benefited financially and increased its competitiveness in the targeted advertising market.

What sort of data was Criteo collecting and what did it use it for?

Section II.B. of the CNIL's decision describes Criteo's data collection and use process in detail.

When a user visits any of Criteo's partner websites, these websites place a Criteo tracker, or "cookie", on their device. Each user is assigned a unique identifier, called Criteo ID, that enables Criteo to recognise the user on future visits on the same and any other partner website.

Criteo then records in its databases many actions that the user takes on the partner website - such as which pages they viewed, how long they spent on a certain page, which product pages they clicked on, what products they put in their shopping cart, etc. It also records the user's Criteo ID, a device identifier and their geographic location (derived from their IP address), and cross-references that information with any identifier provided by its partners (including email addresses), the user's browsing history, ad interaction history, and any other information derived from all the above to determine the user's interests.

When the user visits another partner's website, that website informs Criteo of the size of advertising space available, the nature of the website, and an identifier through which Criteo can recognise the user. Criteo then uses its various data processing technologies and algorithms to decide which advert would be the most relevant to display, based on the user's browsing habits and products Criteo has identified as of interest to that user. Based on this analysis, Criteo participates in a Real-Time Bidding (RTB) auction - if it wins, Criteo places an ad on the webpage.

Aside from this primary use, Criteo also uses data to improve its technology and services. In particular, it uses machine learning to train and automatically configure its targeting algorithms, in order to improve the efficacy and granularity of its targeted advertising.

Is it all good news?

While PI welcomes the CNIL's decision and hopes it will trigger Criteo and other similar companies to revisit their practices, the CNIL missed a number of opportunities to raise the standard of data protection compliance in the AdTech industry.

First, the CNIL did not question the validity of consent to collection and processing by hundreds of companies. For consent to be fully informed (a requirement under the GDPR), users would have to read lengthy privacy policies every time they visit a Criteo partner website, and actually understand what they imply. This is virtually impossible. The mass collection, sharing and re-use of personal data in the AdTech industry is fundamentally at odds with the principles and rights enshrined in the GDPR.

Relatedly, the CNIL did not address Real-Time Bidding (RTB) - the system through which our personal data is broadcast to hundreds of companies every time we visit a website. The Irish Council for Civil Liberties is pursuing a large-scale legal battle against RTB, which will hopefully put an end to this uncontrollable market. A first decision from the 28 EU data protection authorities, led by the Belgian Data Protection Authority, has gone in the right direction - it found that the RTB system, and the Transparency and Consent Framework (TCF) of the AdTech industry's trade body "IAB Europe", violate the GDPR.

Third, the CNIL did not consider that Criteo may process sensitive data - called "special categories data" in the GDPR - the processing of which comes with higher standards of consent and stricter rules. But given the vast amount of data that AdTech companies process, and their ever-more elaborate techniques of profiling, PI considers that through the use of categories that are inherently sensitive and through the sensitive details that can be revealed by the combination of various sources of data, these companies do process sensitive data. For example, in response to our data subject access requests, Criteo provided information revealing sensitive details about our staff - such as that they had visited a webpage with information about fatigue during pregnancy. More recently, research by The Markup revealed that Microsoft's ad platform Xandr labelled users as "heavy purchasers" of pregnancy test kits, "depression-prone", or visiting places of worship. These are all types of data that should be considered special categories data under the GDPR.

Finally, PI finds that the CNIL too easily satisfied itself that through a simple new contract clause with its partners and an audit plan, Criteo would be fully able to ensure that its partners collected valid consent. This is quite a low bar and we would have expected further investigations and assurances.

How did we get here?

On 8 November 2018, Privacy International filed complaints against seven AdTech companies, data brokers, and credit referencing agencies with the relevant data protection authorities in France (CNIL), Ireland (DPC) and the UK (ICO). Criteo was one of the seven.

These complaints are part of our wider campaigns to uncover the hidden data ecosystem and empower all of us to ask companies to stop exploiting our data.

In March 2020, the CNIL confirmed that it was investigating Criteo following Privacy International's complaint. Over two years later, in August 2022, the CNIL proposed a €60 million fine for various breaches of the EU GDPR. Following a hearing in March 2023, the CNIL's final decision, which we discuss in this Q&A, was delivered in June 2023, imposing a €40 million fine on Criteo (nearly half the maximum possible sanction amount, taking account of Criteo's annual turnover).

What happens next?

Criteo intends to appeal the decision, claiming that it is misaligned "with general market practice in such matters." We find this argument unpersuasive - just because everyone does something wrong doesn't mean they should be allowed to do it. Redressing widespread but unlawful practices has to start somewhere. And it's not the first time that an industry-wide practice has been challenged - the Belgian authority's decision against IAB Europe invalidated the consent mechanism used by thousands of websites in Europe.

We will watch the appeal closely, and hope the CNIL's sanctions are upheld.

What can I do?

Having strong laws and technology which protect privacy is incredibly important, but the most important thing is that people are aware of the issues and are able to influence powerful companies and governments. You can read more about the case and how AdTech companies like Criteo operate by checking out our case page.

To keep up to date on the case and all our work, you can sign up to our mailing list - don’t worry, you can choose the topics you are most interested in… and we take proper care of your data!

If you want to take action against the AdTech industry while limiting the threats to your privacy, you can read our guides to protect yourself from online tracking. They can help you limit how trackers can follow you online and reduce how much advertising you are exposed to.

As we are a charity with limited funds, any support you can give us through a donation would be most appreciated.

To reiterate however, to really ensure that we don’t sleepwalk into a world of ubiquitous corporate and state surveillance, it is essential that people put pressure on governments and corporations - so if there’s one thing you can do, it’s make your voice heard!