To that, the CNIL found that processing people’s data without valid consent allowed the company to expand its user base and increase its revenue as an ad intermediary. Criteo made $2.01 billion in revenue in 2022, according to the company’s latest financial reports.
Criteo will appeal this decision before the courts.
“A number of the CNIL’s interpretations and applications of the GDPR are not consistent with the European Court of Justice rulings and even with the CNIL’s own guidance,” Ryan Damon, chief legal officer at Criteo, said in a statement to Adweek. “The decision relates to past matters and does not include any obligation for Criteo to change its current practices.”
How did we get here?
This decision follows a complaint filed by Privacy International and Austria-based non-profit None of Your Business (NOYB) with the CNIL in 2018, raising concerns about the data processing practices of Criteo and other players in the ad-tech industry.
The complaint centered on Criteo’s use of tracking and data profiling techniques to serve users targeted ads. Both organizations argued that Criteo lacked a legal basis for such tracking.
What was the preliminary decision?
In response, the CNIL launched an investigation in 2020 to address the issue and came out with its preliminary decision the same year. The CNIL found that Criteo had indeed breached the GDPR and imposed a hefty fine of approximately $69.6 million (€60 million).
However, Criteo has since made efforts to contest the fine and sought a reduction in the amount, arguing that its actions were unintentional and did not result in any harm, the company said in a statement.
The company emphasized several factors to support its case, including the absence of evidence indicating harm caused by the breaches, the measures taken to mitigate potential harm, its cooperation with the supervisory authority, and the low intrusiveness of the personal data involved.
The CNIL seemingly took into account Criteo’s concerns and decided to reduce the fine by one-third. Still, the sanction remains “vastly disproportionate” in light of the alleged breaches, according to Damon.