One of the world’s largest adtech companies is facing a €40 million GDPR fine over failure to collect proper consent for personal information processing, among other issues. Paris-based Criteo’s targeted advertising program was also cited for transparency and right of access shortcomings, as well as failure to meet data controller obligations in its relationships with transfer partners.
Criteo provides “cost per click” targeted advertising banners that are chosen based on profiles of user internet browsing behavior, and partners with a broad variety of major retailers. The company is estimated to have the personal data of some 370 million people across the European Union.
GDPR fine determined by large number of data subject, broad assortment of personal data collected
Criteo has a globe-spanning “partner ecosystem” of websites that place tracking cookies on visitor devices; their behavior is then profiled and fed into a real-time ad bidding system. The company has been in business for over a decade now, and has long maintained that this collected data is anonymized.
Complaints lodged by privacy watchdog group “noyb” and Privacy International (dating back to 2018) assert that though Criteo does not pair these profiles with real names, the information they collect is sufficient to identify an individual if someone desires to. France’s CNIL agreed with this contention, and found five separate areas of cause for GDPR fines due to failure to adhere to mandatory regulations.
The CNIL decision, which was approved by all of the other 29 European supervisory authorities under the “One Stop Shop” mechanism, noted that Criteo’s business model was built entirely on targeted advertising and that the company had incentive to skirt consent requirements as a means of growth. The fact that hundreds of millions of EU internet users are impacted was a factor in the size of the GDPR fine, as was the scope of data collected by the platform: technical device information, what the user interacts with and lingers on when browsing each partner site, geolocation data, and internet connection data among other items.
The consent issue that contributed to the GDPR fine was a matter of partner oversight. Criteo itself is not required to collect consent for the targeted advertising cookies, which are placed by its partners on their own websites. However, the GDPR does have certain requirements for oversight of programs such as these, including verification of the partner’s collection of consent.
The CNIL investigation found that at least “several” partners were placing cookies without user consent, that Criteo’s contracts with partners did not have a clause requiring them to demonstrate proof of consent, and that the company had no audit program in place for checking on this.
Several other shortcomings also contributed to the GDPR fine tally. Criteo was docked for having an incomplete and overly vague privacy policy, not properly transmitting all required personal data to satisfy “right of access” requests, failing to completely delete the stored data of subjects that withdrew consent, and that the company did not specify some of the respective obligations of controllers.
Criteo calls targeted advertising fine “disproportionate,” vows to appeal
Documents released with the decision indicate that Criteo was originally headed for a €60 million GDPR fine under a preliminary CNIL decision, but successfully managed to argue the total down. The company continues to attempt to chip away at the penalty, however, calling it “disproportionate” due to representing 3% of its global turnover, 1% short of the maximum allowed by the law. The company points out that similar targeted advertising fines handed by CNIL to Google and Facebook represented less than a tenth of a percent of their global turnover.
Criteo also points out that, other than being required to change its contract language and implement an audit program, it is not being asked to fundamentally change any of its business practices as part of the GDPR fine terms. Third-party data brokers have come up with a variety of creative ways in which to challenge decisions against them, such as SafeGraph’s 2022 contention that it also shares its targeted advertising data with scientists and it would be detrimental to important research to put limits on it. Similar cases have also noted that data broker claims of anonymizing subjects are weak; geolocation information is a particularly potent way of getting around these restrictions, often positively identifying someone when paired with just one other key data point.
At times, the company vacuums up extremely sensitive user information for its targeted advertising profiles. Criteo was among a number of major companies named in a February US Department of Justice order that banned pharmacy discount service GoodRx from sharing health data for advertising purposes. Along with the other GoodRx partners, Criteo was ordered to delete any data of this nature that it had received.