In a landmark decision, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), has fined CRITEO SA, a leading ad-tracking company, €40 million for several infringements of the General Data Protection Regulation (GDPR). This case serves as a stark reminder of the importance of obtaining valid consent and complying with transparency obligations under the GDPR.
In this article, we will explore the details of the case and highlight how businesses can avoid similar legal pitfalls.
CRITEO specializes in ad-tracking activities, particularly behavioral retargeting. Through the placement of its tracker (cookie) on user devices when a user visits CRITEO partner websites, CRITEO collects vast amounts of data related to users’ online behavior and preferences. However, the CNIL found that CRITEO had violated provisions of the GDPR.
One of the key violations cited by CNIL was CRITEO’s failure to verify whether individuals had given their consent for data processing, as required by Article 7(1) of the GDPR. CRITEO argued that its partners, who placed the tracking cookies, were responsible for obtaining consent. However, CNIL emphasized that CRITEO couldn’t rely solely on its partners and had an independent obligation to ensure consent was obtained. Additionally, CRITEO lacked mechanisms to confirm the validity of consent obtained by its partners.
CNIL found that CRITEO’s privacy policy was incomplete and lacked clarity. The policy did not adequately inform users about the purposes of the processing, including the improvement of CRITEO’s technologies. Article 12 and Article 13 of the GDPR require businesses to provide transparent and comprehensive information to users regarding the collection and use of their personal data.
CRITEO failed to fulfill users’ right to access their personal data, as mandated by Article 15(1) of the GDPR. While CRITEO provided some data upon request, it omitted information from certain tables in its database, thereby denying users complete access to their personal data.
CNIL initially imposed a fine of €60 million on CRITEO in a preliminary decision in August 2022. However, the final decision reduced the fine to €40 million. Despite the reduced penalty, CRITEO has decided to file an appeal, claiming that the fine is “vastly disproportionate.”
The CNIL’s decision reinforces the significance of obtaining valid consent and ensuring transparency in data processing activities. Businesses must verify that consent has been obtained in a compliant manner, even when collecting data through partners or third-party trackers. Relying solely on partners’ responsibilities does not absolve businesses of their obligations under privacy legislation.
CRITEO argued that its partners, as joint controllers, should be responsible for obtaining user consent. However, the CNIL clarified that CRITEO, as a data processor, is responsible for obtaining user consent in compliance with data protection regulations. The CNIL emphasized that CRITEO cannot shift the responsibility onto its partners as joint controllers. As a data processor, CRITEO is obligated to ensure that it obtains valid and informed consent from users for processing their personal data.
🗣 The CNIL’s clarification reaffirms the importance of accountability and transparency in data processing activities. It emphasizes that data processors like CRITEO must take responsibility for obtaining consent and ensuring that it is collected in accordance with the principles outlined in data protection laws.
The decision made by the CNIL emphasizes the need for CRITEO to verify consents obtained by its partners and to establish an audit mechanism for its partners. This requirement is particularly important because the cookie was not placed on the user’s devices directly by CRITEO, but rather by its partners. By emphasizing these aspects, the CNIL aims to safeguard individuals’ rights and privacy. This decision serves as a reminder to other data processors of their responsibility to fulfill their obligations by obtaining consent from users and implementing mechanisms to verify and audit consent processes conducted by their partners. The CNIL also highlighted the obligation for joint controllers to have agreements in place under Article 26 of the GDPR, and CRITEO has since complied with this obligation.
Cookies often process personal data, triggering record-keeping requirements under the GDPR. To address this, Data Protection Authorities across the EU have strengthened their regulations on cookies and trackers, aligning them with the GDPR guidelines.
Enhance your compliance with GDPR and effortlessly manage user consent preferences with our Cookie and Consent Preference Log feature.
The Cookie and Consent Preference Log is now available within our Privacy Controls and Cookie Solution. With just one click, you can seamlessly integrate this feature and conveniently store and manage GDPR proofs of your users’ consent preferences.
To unlock the power of the Cookie and Consent Preference Log, simply activate this feature in the Privacy Controls and Cookie Solution. Just click on “Log” under your Dashboard > [Your website/app] > Privacy Controls and Cookie Solution to get started.
The significant fine imposed on CRITEO by CNIL serves as a reminder that businesses must prioritize compliance with the GDPR’s consent and transparency requirements.