• by Laurie Sullivan , Staff Writer @lauriesullivan, August 8, 2022

European Union data-protection regulators hit French ad-technology company Criteo with a $65 million (€60 million) sanction based on the General Data Protection Regulation (GDPR) is a set of consumer privacy rulings in Europe.

France’s national privacy watchdog made the preliminary decision following a multiyear investigation.

Privacy International, a digital rights advocacy group, filed the formal complaint against Criteo in 2018. Last week it tweeted “Nearly 4 years after our complaint and 2 after starting their investigation, the French data protection authority CNIL finds breaches in Criteo's activities, and proposes a fine of €60 million.”

At the time, final complaints also were published about Acxiom, Oracle, Experian, Equifax, Quantcast, Tapad, and others.  

The complaint accuses Criteo of operating as a “manipulation machine,” with help from tracking techniques and data-processing practices designed to profile web users, so the company can target consumers with ads.

"This will likely come as no surprise to their ad tech compatriots owing to the long-standing approach of Criteo to digital advertising,” Paul Dimmock, head of demand for EMEA at Alkimi Exchange, wrote in an email to Inside Performance. “Criteo’s scaled business model of passing user data, as a third party, between advertiser and publisher, in order to achieve outcome based KPIs, has been under increased scrutiny once the GDPR framework came into effect.”

He wrote that publishers and content owners have been scrambling to comprehend an ever-developing consensual framework since late 2016, so it was always going to be rocky terrain for an additional intermediary such as Criteo to navigate.

“The CNIL informed us on Tuesday 3 August as they have an obligation to keep complainants informed of the progress of their complaints,” a spokeswoman for Privacy International told TechCrunch. “It’s not a final decision yet, hence why it’s not public. … Criteo now has the opportunity to make representations and to implement corrective measures, after which there will be a hearing, followed by a final decision likely in 2023.”

The filing from Criteo, however, is not entirely clear on the exact complaints, stating only that on “August 3, 2022, the assigned rapporteur issued a report that claimed various GDPR violations and included a proposed financial sanction against Criteo of €60.0 million ($65.4 million).”