All organisations at some point need to handle their data privacy requirements
The French privacy regulator CNIL is fining Criteo sixty million euros. The adtech company allegedly collected behavior and characteristics of Internet users for advertising purposes without consent.
Criteo announced the fine late last week without providing many further details. Dissatisfaction with the penalty is evident in the tone and type of reaction. Both the amount of the fine and the reasoning are said to be incorrect. There is no talk yet of an appeal, however.
The English magazine The Drum points to a complaint by Privacy International two years ago as the source of the fine. At the time, complaints were also filed about six other companies operating in the European market. It is not known what the status of those is. In all cases, the accusation was that too much personal data from and about consumers was collected and processed without consent.
Criteo is in the process of a strategic shift from a company that helps place behavior-based advertising to one that does so within privacy boundaries. Specifically, it is focusing on retail and marketplace companies. Those often work with logged-in users. Those shoppers, almost by definition, share personal data.
At the end of last week, Criteo also announced its quarterly results. Sales fell ten percent in that period to $495 million. On the bottom line, a net profit of eighteen million remained, three million more than a year ago.
During this period, Criteo saw 725 million Internet users visit the sites it serves. Media budgets received rose nine percent to 676 million dollars.
Investors did not react with much enthusiasm to the figures. During the course of Friday, the share price dropped almost five percent to below $26. Yesterday the share price was still more than one percent lower than before the publication of the figures.
As you tackle security requirements in your organization, focus on privacy by design. Everything that your business does should align with the regulations that apply to it. Whether that is the GDPR, PIPEDA, or the CCPA, you must embed compliance at each step of the process.
In other words, don’t wait until after you set up business processes to consider data privacy requirements. Instead, you should design them with compliance in mind from the very beginning! This will help you avoid costly penalties and having to redesign your entire business practice.