Global AdTech Company CRITEO fined €40 million in France for unlawfully collecting personal data

Following a 2018 complaint by Privacy International, French AdTech company Criteo was fined €40 million for failing to ensure that data subjects had provided their consent to processing, failing to sufficiently inform them and to enable them to exercise their rights.

Press release
Sheep with PI logo on its face, text reading "FREE FROM PROFILING"

French data regulator CNIL announced today a strong sanction against Criteo, one of the world's largest AdTech companies. Although close to the maximum GDPR fine, the amount of the fine was reduced from 60 to 40 million following a hearing at CNIL's offices in March 2023, during which Criteo pleaded for a reduced fine in light of its 10 million euros profit in 2022. CNIL seems to have acknowledged this argument but maintained a significant fine. This sanction follows a Privacy International complaint filed in November 2018.

Privacy International welcomes this decision which challenges the disregard for users' data rights practiced in the surveillance advertising ecosystem and enabled by AdTech companies. One of the CNIL's most serious findings is Criteo's inability to ensure consent to tracking was collected from the users of its 40,000 partners prior to collecting, sharing and processing their personal data for advertising purposes.

Criteo intends to appeal the decision, claiming its misalignment "with general market practice in such matters." We find this argument absurd - just because everyone does something wrong, doesn't mean they should be allowed to do it. Redressing widespread but unlawful practices has to start somewhere. And it's not the first time that an industry-wide practice is challenged - the Belgian authority's decision against IAB Europe invalidated the consent mechanism used by thousands of websites in Europe.

Eliot Bendinelli, Strategy Lead at Privacy International, said:

The online advertising industry and all the actors that revolve around it must open their eyes today: surveillance advertising is not compatible with privacy. Criteo's behaviour is proof that we can't trust an industry that has been given five years to adapt to GDPR and can't deliver on the bare minimum of obtaining content from users. It's time for publishers, advertisers and investors to walk away from this industry in light of the infringements and disregard for privacy it's built on.

Lucie Audibert, lawyer at Privacy International, said:

This sanction sends a strong message to the thousands of AdTech players out there. For years they've built gigantic data supply chains, without seeking to ensure that the users they target have consented to their private information being traded as a commodity. Criteo being a central actor in this industry, the entire European ecosystem must revise its practices in depth - after some years of lax enforcement, GDPR is starting to show some teeth against privacy-invasive business practices.

At a time whe Artificial Intelligence (AI) dominates policy makers' concerns, and when GDPR sounds like old news, we must remember that most AI learning systems are built on massive datasets, collected with scant regard for people's rights. The quality of AI systems depends on this data. As such, the questions and concerns raised in this case in regard to consent, lawfulness or data quality are all as important as new legislative proposals to regulate AI.