
The case dates back to the first days of GDPR in 2018, when Privacy International filed a formal complaint with the French regulator, saying it was “gravely concerned” at the data processing activities of seven players in the data broking and adtech industry. NOYB, the privacy organisation backed by Max Schrems, later added its name to the complaint.
The crux of the issue centered on how Criteo used various tracking and data processing techniques to profile Internet users for more granular ad targeting, such as using prior online activity – behavioral retargeting – to predict which products an online shopper might want to buy.
Privacy International and NOYB maintained that Criteo did not have a proper legal basis for this tracking, with CNIL launching a formal investigation in 2020.
CNIL reached a preliminary decision that the company had indeed breached GDPR and slapped it with a €60m fine, but this has now been reduced following representations made by Criteo.
Criteo said the initial fine represented half of its earnings and 3% of its global sales, which is “close to the legal maximum” allowed under GDPR. It argued that the fine was excessive compared to other fines dished out by CNIL to the likes of Google and Facebook parent Meta, which amounted to just 0.07% and 0.06% of their respective global sales.
CNIL’s final report slates Criteo’s disregard for privacy, noting that the data processing involved “a very large number of people” from across the EU, including the “consumption habits” of millions of Internet users.
Even so, Criteo chief legal officer Ryan Damon said the company plans to appeal the decision, branding it “vastly disproportionate” compared to other breaches.
Damon added: “We consider that the allegations made by the CNIL do not involve risk to individuals nor any damage caused to them. Criteo, which uses only pseudonymized, non-directly identifiable and non-sensitive data in its activities, is fully committed to protecting the privacy and data of users.
“The decision relates to past matters and does not include any obligation for Criteo to change its current practices; there is no impact to the service levels and performance that we are able to deliver to our customers as a result of this decision. We continue to uphold the highest standards in this area and operate a fully transparent and regulatory-compliant global business. We will be making no further statement at this stage.”

