France's privacy regulator has fined ad-tech company Criteo nearly $44 million for allegedly failing to comply with European law by processing consumers' data for ad targeting purposes without first obtaining proof that they had consented.
Criteo is known for powering “retargeting,” which often involves serving ads to people for products they previously viewed on retailers' sites.
The French Commission Nationale de l’Informatique et des Libertés (CNIL) said in an opinion issued Thursday that Criteo violated the General Data Protection Regulation in several ways, including by failing to verify that consumers had consented to the use of their data for ads.
While the European law tasks first parties -- such as online retailers -- with obtaining consent, the law also requires third parties such as Criteo to take steps to verify consent, according to the CNIL's summary of its decision.
“At the time of the investigations, the company had not put in place any measure to ensure that its partners were validly collecting the consent of the Internet users from whom it then processed data,” the CNIL wrote. “In addition, the company had not undertaken any audit campaign of its partners prior to the initiation of the procedure by the CNIL.”
The regulator said Criteo has data related to around 370 million identifiers across the EU.
“While the company did not have the name of the user, the CNIL considered that the data were sufficiently accurate to re-identify individuals, in some cases,” the agency wrote.
The French agency also said Criteo's contracts now include a provision requiring partners to provide Criteo with proof of consumers' consent.
The CNIL's decision grew out of a complaint brought in 2018 by privacy advocates “noyb” (short for “none of your business”) and Privacy International.
Criteo chief legal officer Ryan Damon says the company plans to appeal, calling the fine “vastly disproportionate in light of the alleged breaches and misaligned with general market practice in such matters.”
“The allegations made by the CNIL do not involve risk to individuals nor any damage caused to them,” he stated, adding that the company “uses only pseudonymized, non-directly identifiable and non-sensitive data.”
Damon also stated that the ruling relates only to past matters and doesn't require Criteo to change current practices.