The tech giant Criteo has received a €40 million fine after it was found to have breached data protection rules on targeted advertising.
Criteo, which claims to have captured the identity and interest data of 72% of all Internet users, came under investigation after a complaint was lodged by Privacy International.
The digital rights advocacy group accused Criteo of running a “manipulation machine”, with an array of tracking techniques and data processing practices being used to profile web users.
It then sold the information to advertisers, who used the data to provide “individual-level shopper predictions”.
A long time coming
This incident demonstrates both the strengths and weaknesses of GDPR (General Data Protection Regulation) enforcement. On the one hand, the sizeable penalty acts as a strong deterrent that should prevent Criteo or other organisations from conducting similar practices.
Indeed, one of the most frequently discussed aspects of the GDPR is the disciplinary power that it gives to supervisory authorities – and a fine of this scale would have been unthinkable in the EU prior to its introduction.
However, reaching a verdict over such a large penalty is not easy, and it means that it can take a long time for a decision to be made.
In this case, Criteo first came under scrutiny for its data processing practices in 2018 – soon after the GDPR took effect – when Privacy International filed a formal complaint against the organisation.
The data privacy activist group NOYB, headed by Max Schrems, later added its name to the complaint.
Following a lengthy investigation, France’s data protection authority, CNIL, provisionally agreed with their conclusion. In August 2022, it issued a €60 million fine against Criteo.
However, the decision was not publicly announced, and the CNIL said that a final decision wasn’t expected until the following year. That estimate proved correct, with the data protection body issuing its final decision in June.
During that time, Criteo criticised the decision, and the CNIL ultimately decided to reduce the penalty by one third.
In a summary document made public today, Criteo argued that it didn’t intentionally flout its requirements and that its failures didn’t result in harm.
Criteo added that the initial fine represented half of its earnings and 3% of its turnover, which is “close to the legal maximum” allowed under the GDPR – which can be 4% of annual global turnover (or €20 million, if that sum is greater).
The adtech firm said that the decision was excessive compared to similar fines issued by the CNIL, such as the €90 million fine for Google (0.07% of its annual global turnover) and Meta’s €390 million fine (0.06%).
Still too much?
Although the CNIL did reduce the fine, it’s still a hefty percentage of Criteo’s annual global turnover, and the organisation is set to appeal for a further reduction.
Criteo’s chief legal officer, Ryan Damon, called the fine “vastly disproportionate”, and added:
“We believe that a number of the CNIL’s interpretations and applications of the GDPR are not consistent with the European Court of Justice rulings, and even with the CNIL’s own guidance.”
But whether you can use the penalties levied against Google and Meta as a baseline for an acceptable fine in this case depends on the severity of the breach.
Not all data protection failures are created equal, and supervisory authorities make their decisions based on the non-compliances they discover as much as the size of the organisation in question.
In this case, the CNIL was scathing in its assessment of Criteo’s data privacy practices. It noted that its data processing involved “a very large number of people” from across the European Union, including the “consumption habits” of millions of Internet users.
The CNIL found five separate GDPR infringements related to Criteo’s ad-tracking activities. These include its failure to demonstrate a legal basis for processing data – which in this case would have been consent – the rules for which are covered in Article 7.
It also found that Criteo didn’t explain to data subjects that their data was being collected and how it was being used (Articles 12 and 13), and it didn’t uphold their right to access data collected about them.
Additionally, Criteo failed to comply with the right to withdraw consent and erase data (Articles 7 and 17), and didn’t have clear agreements in place with third parties regarding the way personal data was managed (Article 26).
The CNIL’s main objection to Criteo’s data processing practices concerned the organisation’s business model. Although the adtech firm said it didn’t intentionally breach the GDPR’s requirements, the supervisory authority determined that the data processing practices Criteo performs fundamentally violate data protection law.
“The CNIL also took into account the business model of the company which relies exclusively on its ability to display to internet users the most relevant advertisements to promote the products of its advertiser customers and thus on its ability to collect and process a huge amount of data,” the CNIL wrote.
“The CNIL considered that the processing of individuals’ data without proof of their valid consent enabled the company to unduly increase the number of persons concerned by its processing and thus the financial income it derives from its role as an advertising intermediary.”
Nonetheless, Criteo says that no harm comes from these activities, and that it’s being unfairly punished.
Criteo’s Ryan Damon told TechCrunch: “Criteo, which uses only pseudonymized, non-directly identifiable and non-sensitive data in its activities, is fully committed to protecting the privacy and data of users.
“The decision relates to past matters and does not include any obligation for Criteo to change its current practices; there is no impact to the service levels and performance that we are able to deliver to our customers as a result of this decision.
“We continue to uphold the highest standards in this area and operate a fully transparent and regulatory-compliant global business. We will be making no further statement at this stage.”
Although the CNIL confirmed that Criteo doesn’t process individuals’ names, it found that in some cases the information was “sufficiently accurate to re-identify individuals”.
GDPR compliance support
If you’re looking for support meeting your GDPR requirements, IT Governance is here to help. We offer a variety of consultancy options for organisations looking to bolster their compliance practices.
Whether you’re looking for a little guidance or you’d like a dedicated consultant, we have you covered.
Our team of experts are on hand to help you at any stage of your GDPR journey. You can learn more about our services on our website or by speaking to one of our experts.