
French advertising technology giant Criteo has been issued a revised fine of €40 million ($44 million) over failures to obtain users’ consent regarding targeted advertising.
The case in question dates back to 2018 when Privacy International filed a formal complaint with the National Commission for Computing and Liberties (CNIL), France’s data privacy watchdog, using the GDPR regulations that were recently introduced across the European Union. Privacy International said it is “deeply concerned” by the data processing activities of several players in the data broking and adtech industry, one of which is Criteo. None of Your Business (NOYB), an Austria-based non-profit co-founded by lawyer and privacy activist Max Schrems, also later added its name to the complaint.
The core of the issue centers on what Privacy International calls a “manipulation machine”: how Criteo uses various tracking and data-processing techniques to profile internet users for more granular ad targeting, like using previous online activity to predict which products an online shopper wants to buy. This is known as “behavioral retargeting.”
Privacy International and NOYB stated that Criteo did not have a proper legal basis for this tracking, with the CNIL launching a formal investigation in 2020.
Preliminary decision
Fast-forward to August 2022, and the CNIL has reached a preliminary ruling that Criteo has indeed violated the GDPR and slapped the Paris-based company with a fine of €60 million. In recent months, however, Criteo has sought to reduce that number.
In a summary document published today, Criteo argued that its actions were not intentional and did not result in any harm. It said (translation by DeepL):
The company believes that it is better to consider the criteria set out in Article 83(2) of the GDPR, especially regarding the absence of evidence of damage, the unintentional nature of the violations, the measures taken to reduce the damage, the cooperation that it says it shows with the supervisory authority and the categories of personal data concerned, showing low intrusiveness, reason that, if the restricted panel decides to impose a fine, it significantly reduce the amount of 60 million euros proposed by the rapporteur.
Criteo added that the initial fine represents half of its earnings and 3% of its global sales, which is “close to the legal maximum” allowed under the GDPR. In addition, it argued that the fine was excessive compared to other fines imposed by the CNIL on the likes of Google and Facebook’s parent Meta, which amounted to only 0.07% and 0.06% of their respective global sales.
Therefore, the CNIL seems to have considered Criteo’s complaints and reduced the fine by one third.
Findings
The CNIL’s final report still paints a scathing picture of Criteo’s disregard for privacy, saying that data processing involves “too many people” from across the European Union, including “habits of consumption” by millions of internet users.
In total, the CNIL said it found five violations of the GDPR related to Criteo’s ad tracking activities, including a failure to demonstrate that the data subject (i.e. the user) provided their consent, covered by article 7(1) of the GDPR; a failure to “fulfill the obligation of information and transparency” (articles 12 and 13), effectively meaning that Criteo does not disclose all the methods of processing user data; a failure to “respect the right of access” (article 15(1)), meaning that Criteo does not provide users with all the data it holds upon request; a failure to “fulfill the right of revocation of consent and deletion of data” (articles 7.3 and 17.1 GDPR), meaning that Criteo does not delete all data of a user when they request it; and a failure to “provide an agreement between the joint controller” (article 26), which means that Criteo does not have clear agreements made with its partner companies that define the role of each party and their obligation to manage users’ data.
In its conclusion, the CNIL said that although Criteo does not have the individual names of each user, the data is “precise enough to re-identify individuals” in some instances, meaning that it is likely to be able to identify individuals by cross-referencing otherwise anonymized data with public records or combining other methods of linking data to determine the identity of users.
And then, of course, there’s the elephant in the room – Criteo’s motivations regarding its main mechanisms for making money.
“The CNIL also considered the company’s business model which relies solely on its ability to show internet users the most relevant advertisements in order to promote the products of the advertiser’s customers and thus efficiently to collect and process large amounts of data,” wrote the CNIL. “The CNIL considers that the processing of the data of individuals without proof of their valid consent enables the company to increase the number of people concerned by its processing and thus the financial income it derives from its role as an advertising intermediary.”
TechCrunch has reached out to Criteo for comment, and will update here if we hear back.