Personalised advertising: CRITEO fined EUR 40 million

Background information

CRITEO specialises in “behavioral retargeting”, which consists of tracking the navigation of Internet users in order to display personalised advertisements. To this end, the company collects the browsing data of Internet users thanks to the CRITEO tracker (cookie) which is placed on their terminals when they visit certain CRITEO partner websites. Through this tracker, the company analyses browsing habits in order to determine which advertiser and for which product, it would be most relevant to display an advertisement to a particular user. Then, it participates in real time bidding and displays personalised advertising if it has won the bid.

Following complaints lodged by the organizations Privacy International and None of Your Business, the CNIL carried out several investigations into CRITEO.

During its investigations, the CNIL noticed several infringements concerning, in particular, the lack of evidence of the consent of individuals to the processing of their data, information and transparency as well as respect for the rights of individuals.

As a result, the restricted committee – the CNIL body responsible for imposing sanctions – imposed a fine of EUR 40 million on CRITEO. 

In order to determine the amount of the penalty, the CNIL took into account in particular the fact that the processing in question concerned a very large number of people (the company has data related to about 370 million identifiers across the European Union) and that the company collected a very large amount of data relating to the consumption habits of Internet users. While the company did not have the name of the user, the CNIL considered that the data were sufficiently accurate to re-identify individuals, in some cases. The CNIL also took into account the business model of the company which relies exclusively on its ability to display to Internet users the most relevant advertisements to promote the products of its advertiser customers and thus on its ability to collect and process a huge amount of data. Finally, the CNIL considered that the processing of individuals’ data without proof of their valid consent enabled the company to unduly increase the number of persons concerned by its processing and thus the financial income it derives from its role as an advertising intermediary.

Pursuant to the one-stop shop set up by the General Data Protection Regulation (GDPR), this decision was submitted to all the other 29 European supervisory authorities, since they were all concerned by this cross-border case and they all approved it.

Infringements sanctioned

The CNIL found five infringements of the GDPR by CRITEO.

Failure to demonstrate that the data subject gave its consent (Article 7.1 GDPR)

According to the law, the CRITEO tracker (cookie) used to target advertisements can't be placed on the user’s terminal without their consent. The collection of this consent is the responsibility of the company’s partners, who are in direct contact with Internet users. However, this does not exempt CRITEO from its obligation to verify and be able to demonstrate that Internet users gave their consent. Yet, it was found that the CRITEO tracker (cookie) was deposited by several partners of the company in the terminal of Internet users without their consent.

The restricted committee also noticed that at the time of the investigations, the company had not put in place any measure to ensure that its partners were validly collecting the consent of the Internet users from whom it then processed data. In that sense, it noted, in particular, that the contracts concluded with the partners did not contain any clause obliging them to provide proof of Internet users’ consent to CRITEO. In addition, the company had not undertaken any audit campaign of its partners prior to the initiation of the procedure by the CNIL.

Contracts with partners now include a clause relating to proof of consent, whereby the partner undertakes to promptly provide CRITEO, upon request and at any time, with proof that consent has been obtained from the data subject.

Failure to comply with the obligation of information and transparency (Articles 12 and 13 GDPR)

The company’s privacy policy was not complete since it did not include all the intended purposes by the processing. In addition, some of the purposes were expressed in vaguely and broad terms, which did not allow the user to understand precisely which personal data was being used and for which purposes.

Since then, the company has completed its privacy policy to include missing mentions and to use simple and understandable terms.

Failure to respect the right of access (Article 15.1 GDPR)

When individuals exercised their right of access, the company transmitted to them, in the form of tables, the data extracted from 3 of the 6 tables making up its database. However, the restricted committee noticed that personal data contained in 2 of the other 3 tables had to be communicated to individuals. Moreover, when the company transmitted these tables, it did not provide them with sufficient information to enable them to understand their content.

The company is committed to providing all the data at its disposal as part of its responses to access requests and to supplement the explanations it provides in its response to access requests.

Failure to comply with the right to withdraw consent and erasure of data (Articles 7.3 and 17.1 GDPR)

When a person exercised their right to withdraw consent or deletion of their data, the process implemented by the company only stopped the display of personalised advertisements to the user. However, the company did not delete the identifier assigned to the person or erase navigational events related to that identifier.

As regards the modalities of exercise of rights, the company put in place a procedure to allow individuals to exercise their right to withdrawal of consent directly by clicking a button “Deactivate Criteo services” present in the company’s privacy policy.

As regards the erasure of data, the company invites the users to send their requests by email to the Data Protection Officer (DPO). For each request, it is up to the company to determine and justify whether data concerning the user may continue to be processed for other purposes and on what legal basis such processing may be based.

Failure to provide for an agreement between joint controllers (Article 26 GDPR)

The agreement concluded by the company with its partners did not specify some of the respective obligations of controllers in relation to requirements contained in the GDPR, such as the exercise by data subjects of their rights, the obligation to notify the supervisory authority and data subjects of a data breach or, if necessary, the carrying out of an impact assessment under Article 35 of the GDPR.

The agreements concluded with the partners have been completed on joint responsibility to include the mentions required by Article 26.