CRITEO Fined €40 Million Over Targeted Advertising


On June 15, 2023, the French Data Protection Authority (CNIL) imposed a €40 million GDPR fine on CRITEO, an online advertising company.

As an expert in “behavioral retargeting,” CRITEO tracks users’ online activities to deliver personalized advertisements.

The fine was primarily issued for failing to ensure that individuals had provided their consent for the processing of personal data, failing to sufficiently inform them, and failing to enable them to exercise their rights.

Understanding CRITEO’s Operations:

  1. Data Collection: CRITEO deploys cookies on e-commerce websites to gather users’ personal data and purchasing behavior.
  2. Real-Time Bidding: When partner websites, such as onlinepress.com, auction advertising space, CRITEO participates and proposes personalized advertisements to users based on the collected data.

Although the company did not have the name of the user, the CNIL considered that the data were sufficiently accurate to re-identify individuals in some cases.

Infringements Uncovered

Following complaints from Privacy International and NOYB, the CNIL conducted investigations into CRITEO and discovered several violations, including:

  1. Failure to Demonstrate Given Consent: CRITEO’s trackers were found on users’ devices without their consent, as the responsibility for obtaining consent lies with the company’s partners. However, this does not exempt CRITEO from its obligation to verify and be able to demonstrate that Internet users gave their consent. Additionally, CRITEO failed to implement measures to ensure valid consent collection by its partners.
  2. Lack of Information and Transparency: The company’s privacy policy did not provide necessary information about the data processing, and some statements were vague and unclear, hindering users’ understanding.
  3. Non-Compliance with the Right of Access: CRITEO failed to provide individuals with complete access to their personal data, omitting crucial information from certain database tables and lacking adequate explanations.
  4. Inadequate Withdrawal of Consent and Data Erasure: When users requested the withdrawal of consent or data deletion, CRITEO merely ceased displaying personalized ads without deleting the user’s identifier or related browsing history.
  5. Absence of Joint Controller Agreement: The agreement between CRITEO and its partners lacked provisions specifying their respective obligations as joint controllers, including data subject rights, data breach notification, and impact assessments.

Sanctions and Compliance Measures

CRITEO was fined €40 million, considering the extensive number of individuals affected by its data processing activities and the substantial amount of data collected.

To address the infringements, CRITEO has since implemented clauses in partner contracts to obtain proof of consent, updated its privacy policy for improved transparency, and committed to providing complete data in response to access requests.

It also established procedures for consent withdrawal and encouraged users to contact their Data Protection Officer for data erasure requests.

Conclusion

The CNIL’s decision to fine CRITEO for its violations emphasizes the importance of obtaining valid consent, ensuring information transparency, and respecting individual rights in personalized advertising practices.

CRITEO’s commitment to rectifying its processes and complying with data protection regulations will be crucial in rebuilding trust and upholding privacy standards within the industry.
