Criteo SA
Issued by Commission Nationale de l'Informatique et des Libertés (CNIL) on 2023-06-15
What happened
France's CNIL fined Criteo, one of the world's largest advertising technology companies, €40 million for multiple GDPR violations in its advertising targeting activities. The investigation, prompted by complaints from Privacy International, found that Criteo could not demonstrate that users whose data it processed had given valid consent. Criteo tracked users across websites using cookies and built extensive browsing profiles without a proper legal basis. The company also failed to adequately respond to data subjects exercising their rights of access and erasure, providing incomplete information and not deleting data upon request. The fine reflects the scale of Criteo's operations, processing data of millions of EU users for behavioral advertising.
Articles violated
Lessons learned
Ad-tech companies must maintain clear proof that consent was obtained before processing personal data for advertising. Relying on partners to collect consent is not sufficient — each controller must be able to demonstrate valid consent. Data subject rights (access, erasure) must be handled completely and promptly. The size of fines scales with the scope of data processing operations.
Source
View original decisionDisclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
Get enforcement alerts for Technology
We track GDPR fines across Europe. Enter your email to get notified about new enforcement actions.