On June 22, 2023, the French data protection authority (CNIL) published Deliberation SAN-2023-009 of June 15, 2023, in which it fined Criteo €40 million, following complaints, for failing to verify that the personal data it processed had been collected with the data subjects' consent, in violation of the General Data Protection Regulation (GDPR).
Background to the case
Following complaints lodged by two organizations, Privacy International and None of Your Business (NOYB), CNIL stated that it had carried out several investigations into Criteo. CNIL explained that Criteo specializes in 'behavioral retargeting' and collects the browsing data of internet users via its tracker (a cookie), which is placed on their terminals when they visit certain partner websites.
Findings of CNIL
CNIL found five GDPR violations by Criteo:
- failure to demonstrate data subject consent (Article 7(1) of the GDPR);
- failure to comply with the obligation of information and transparency (Articles 12 and 13 of the GDPR);
- failure to respect the right of access (Article 15(1) of the GDPR);
- failure to comply with the right to withdraw consent and erasure of data (Articles 7(3) and 17(1) of the GDPR); and
- failure to provide for an agreement between joint controllers (Article 26 of the GDPR).
Specifically on consent, CNIL clarified that Criteo's tracker, used to target advertisements, could not be placed on a user's terminal without their consent. In this regard, CNIL noted that although collecting consent is the responsibility of Criteo's partners, who are in direct contact with internet users, Criteo is still required to verify, and to be able to demonstrate, that internet users gave their consent.
CNIL found that Criteo’s tracker was deposited by several partners in the terminal of internet users without their consent. CNIL also noted that at the time of the investigations, Criteo had not put in place any measures to ensure that its partners were validly collecting the consent of the internet users from whom it then processed data. Importantly, CNIL highlighted that the contracts concluded by Criteo and its partners did not contain any clause obliging them to provide proof of internet users’ consent.
In light of the above, CNIL imposed a fine of €40 million on Criteo for the aforementioned violations.
In determining the amount of the fine, CNIL explained that it considered, among other things, the fact that the processing concerned a very large number of people and that it collected a very large amount of data relating to consumption habits. In addition, it took into consideration the fact that processing individuals' data without proof of their valid consent enabled Criteo to unduly increase the number of individuals concerned, and thus the financial income it derives from its role as an advertising intermediary.