As an expert in “behavioral retargeting,” CRITEO tracks users’ online activities to deliver personalized advertisements.
The fine was primarily issued for failing to ensure that individuals had provided their consent for the processing of personal data, failing to sufficiently inform them, and failing to enable them to exercise their rights.
Understanding CRITEO’s Operations:
- Data Collection: CRITEO deploys cookies on e-commerce websites to gather users’ personal data and purchasing behavior.
- Real-Time Bidding: When partner websites, such as onlinepress.com, auction advertising space, CRITEO participates and proposes personalized advertisements to users based on the collected data.
Although the company did not have the name of the user, the CNIL considered that the data were sufficiently accurate to re-identify individuals in some cases.
- Failure to Demonstrate Given Consent: CRITEO’s trackers were found on users’ devices without their consent. The responsibility for obtaining consent lies with the company’s partners, but this does not exempt CRITEO from its obligation to verify and be able to demonstrate that Internet users gave their consent. Additionally, CRITEO failed to implement measures to ensure valid consent collection by its partners.
- Non-Compliance with the Right of Access: CRITEO failed to provide individuals with complete access to their personal data, omitting crucial information from certain database tables and lacking adequate explanations.
- Inadequate Withdrawal of Consent and Data Erasure: When users requested the withdrawal of consent or data deletion, CRITEO merely ceased displaying personalized ads without deleting the user’s identifier or related browsing history.
- Absence of Joint Controller Agreement: The agreement between CRITEO and its partners lacked provisions specifying their respective obligations as joint controllers, including data subject rights, data breach notification, and impact assessments.
Sanctions and Compliance Measures
CRITEO was fined €40 million, considering the extensive number of individuals affected by its data processing activities and the substantial amount of data collected.
CRITEO also established procedures for consent withdrawal and encouraged users to contact its Data Protection Officer for data erasure requests.
The CNIL’s decision to fine CRITEO for its violations emphasizes the importance of obtaining valid consent, ensuring information transparency, and respecting individual rights in personalized advertising practices.
CRITEO’s commitment to rectifying its processes and complying with data protection regulations will be crucial in rebuilding trust and upholding privacy standards within the industry.