France's privacy regulator has fined ad-tech company Criteo nearly $44 million for allegedly failing to comply with European law by processing consumers' data for ad targeting purposes without first obtaining proof that they had consented.
Criteo is known for powering “retargeting,” which often involves serving ads to people for products they previously viewed on retailers' sites.
The French Commission Nationale de l’Informatique et des Libertés (CNIL) said in an opinion issued Thursday that Criteo violated the General Data Protection Regulation in several ways, including by failing to verify that consumers had consented to the use of their data for ads.
While the European law tasks first parties -- such as online retailers -- with obtaining consent, the law also requires third parties such as Criteo to take steps to verify consent, according to the CNIL's summary of its decision.
“At the time of the investigations, the company had not put in place any measure to ensure that its partners were validly collecting the consent of the Internet users from whom it then processed data,” the CNIL wrote. “In addition, the company had not undertaken any audit campaign of its partners prior to the initiation of the procedure by the CNIL.”
The regulator said Criteo has data related to around 370 million identifiers across the EU.
“While the company did not have the name of the user, the CNIL considered that the data were sufficiently accurate to re-identify individuals, in some cases,” the agency wrote.
The French agency also said Criteo's contracts now include a provision requiring partners to provide Criteo with proof of consumers' consent.
The CNIL added that Criteo's prior privacy policy was vague and incomplete, and that the company failed to delete data after consumers attempted to withdraw their consent.
Criteo has now “completed its privacy policy to include missing mentions and to use simple and understandable terms,” the agency wrote.
The CNIL's decision grew out of a complaint brought in 2018 by privacy advocates “noyb” (standing for none of your business) and Privacy International.
Criteo chief legal officer Ryan Damon says the company plans to appeal, calling the fine “vastly disproportionate in light of the alleged breaches and misaligned with general market practice in such matters.”
“The allegations made by the CNIL do not involve risk to individuals nor any damage caused to them,” he stated, adding that the company “uses only pseudonymized, non-directly identifiable and non-sensitive data.”
Damon also stated that the ruling relates only to past matters and doesn't require Criteo to change current practices.