Iubenda logo
Start generating


Table of Contents

Lessons from CRITEO GDPR Fine

In a landmark decision, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), has fined CRITEO SA, a leading ad-tracking company, €40 million for several infringements of the General Data Protection Regulation (GDPR). This case serves as a stark reminder of the importance of obtaining valid consent and complying with transparency obligations under the GDPR. 

In this article, we will explore the details of the case and highlight how businesses avoid similar legal pitfalls.


CRITEO: Background

CRITEO specializes in ad-tracking activities, particularly behavioral retargeting. Through the placement of its tracker (cookie) on user devices when a user visits CRITEO partner websites, CRITEO collects vast amounts of data related to users’ online behavior and preferences. However, the CNIL found that CRITEO had violated provisions of the GDPR. 

How was the GDPR violated in the CRITEO case?

Failure to verify consent

One of the key violations cited by CNIL was CRITEO’s failure to verify whether individuals had given their consent for data processing, as required by Article 7(1) of the GDPR. CRITEO argued that its partners, who placed the tracking cookies, were responsible for obtaining consent. However, CNIL emphasized that CRITEO couldn’t rely solely on its partners and had an independent obligation to ensure consent was obtained. Additionally, CRITEO lacked mechanisms to confirm the validity of consent obtained by its partners. 

Lack of information and transparency

CNIL found that CRITEO’s privacy policy was incomplete and lacked clarity. The policy did not adequately inform users about the purposes of the processing, including the improvement of CRITEO’s technologies. Article 12 and Article 13 of the GDPR require businesses to provide transparent and comprehensive information to users regarding the collection and use of their personal data.

Are you concerned about the lack of transparency and information in your privacy policy?

Our Privacy and Cookie Policy Generator is the solution you need to ensure your business complies with the strict regulations set forth by the GDPR.

Try us now

Non-compliance with the right of access

CRITEO failed to fulfill users’ right to access their personal data, as mandated by Article 15(1) of the GDPR. While CRITEO provided some data upon request, it omitted information from certain tables in its database, thereby denying users complete access to their personal data.

CNIL’s Decision against CRITEO

CNIL initially imposed a fine of €60 million on CRITEO in a preliminary decision in August 2022. However, the final decision reduced the fine to €40 million. Despite the reduced penalty, CRITEO has decided to file an appeal, claiming that the fine is “vastly disproportionate.”

The CNIL’s decision was based on the following factors:
  • Large number of individuals affected: approximately 370 million identifiers across the European Union by CRITEO’s data processing activities.
  • Extensive collection of data: CRITEO gathered a significant amount of data concerning users’ consumption habits.
  • Potential re-identification risk: Despite not having users’ names, the collected data was accurate enough to potentially re-identify individuals, according to the CNIL.
  • Failure to obtain valid consent: CRITEO’s lack of valid consent allowed the company to expand its processing scope and increase financial gains as an advertising intermediary.

The CNIL’s decision reinforces the significance of obtaining valid consent and ensuring transparency in data processing activities. Businesses must verify that consent has been obtained in a compliant manner, even when collecting data through partners or third-party trackers. Relying solely on partners’ responsibilities does not absolve businesses of their obligations under privacy legislation.

CRITEO argued that its partners, as joint controllers, should be responsible for obtaining user consent. However, the CNIL clarified that CRITEO, as a data processor, is responsible for obtaining user consent in compliance with data protection regulations. The CNIL emphasized that CRITEO cannot shift the responsibility onto its partners as joint controllers. As a data processor, CRITEO is obligated to ensure that it obtains valid and informed consent from users for processing their personal data.

🗣 The CNIL’s clarification reaffirms the importance of accountability and transparency in data processing activities. It emphasizes that data processors like CRITEO must take responsibility for obtaining consent and ensuring that it is collected in accordance with the principles outlined in data protection laws.

The decision made by the CNIL emphasizes the need for CRITEO to ensure that it verifies consents obtained by its partners and establishes an audit mechanism for its partners. This requirement becomes particularly important considering that the cookie was not placed in the user’s devices directly by CRITEO, but rather by its partners. By emphasizing these aspects, the CNIL aims to safeguard individuals’ rights and privacy. This decision serves as a reminder to other data processors of their responsibility to fulfill their obligations by obtaining consent from users and implementing mechanisms to verify and audit consent processes conducted by their partners. The obligation for joint controllers to have agreements in place in terms of Article 26 of the GDPR was also equally highlighted by CNIL and CRITEO has since also abided by this obligation.

Cookies often process personal data, triggering record-keeping requirements under the GDPR. To address this, Data Protection Authorities across the EU have strengthened their regulations on cookies and trackers, aligning them with the GDPR guidelines.

Enhance your compliance with GDPR and effortlessly manage user consent preferences with our Cookie and Consent Preference Log feature.

The Cookie and Consent Preference Log is now available within our Privacy Controls and Cookie Solution. With just one click, you can seamlessly integrate this feature and conveniently store and manage GDPR proofs of your users’ consent preferences.

To unlock the power of the Cookie and Consent Preference Log, simply activated this feature in the Privacy Controls and Cookie Solution. Just click on “Log” under your Dashboard > [Your website/app] > Privacy Controls and Cookie Solution to get started.

💡 Unsure if the Cookie and Consent Preference Log is right for you? Take our 1-minute quiz to find out!

The significant fine imposed on CRITEO by CNIL serves as a reminder that businesses must prioritize compliance with the GDPR’s consent and transparency requirements. 

Demonstrate your commitment to privacy and data protection and avoid potential legal consequences

Try it today, risk-free