The French DPA issued a €60 million preliminary warning of a fine against the advertising technology company ‘Criteo’ for violations of the GDPR rules regulating processing practices through targeted advertising and user profiling.
When the EU’s General Data Protection Regulation (GDPR) went into effect in 2018, the digital rights advocacy group Privacy International filed an official complaint against the spying adtech giant. The sanction was announced today via a tweet from Privacy International.
It claims Criteo is running a “manipulation machine” through the use of a number of tracking tools and data processing procedures that are intended to profile web users so that behavioural ads may be targeted at them and advertisers can pay for “individual-level shopper predictions.”
According to Privacy International’s complaint, Criteo lacks an adequate legal reason for all this tracking and profiling to comply with the GDPR, and it looks like France’s authority is likely to agree.
A spokesperson for Privacy International stated that although they were informed of the development by the French authority they had not received a copy of the CNIL’s preliminary verdict.
A statement on Criteos website in which Ryan Damon, its chief legal officer, also writes:
We strongly disagree with the findings in the CNIL investigator’s report, both on the merits relating to the investigator’s assertions of non-compliance with GDPR and the quantum of the proposed sanction. We find the merits of this report to be fundamentally flawed, and the proposed sanctions to be incommensurate with the alleged non-compliant actions. We look forward to further dialogue with the CNIL as well as to defend our case to the ultimate arbitrator of a final decision. Criteo continues to uphold the highest privacy standards, and operates a fully transparent and regulatory-compliant global business. We will not have any further comment until these ongoing proceedings are resolved.
The fact that the CNIL doesn’t appear to have posted a notice of the decision on its own website suggests that it is still in the preliminary stages. (Even though EU DPAs don’t always make their decisions public.)
It is unclear if the authority would stand by its conclusions in the face of a strong pushback from a French adtech company.
