On June 15, 2023, the French Data Protection Authority (CNIL) fined online advertising specialist CRITEO 40 million euros, notably for failing to ensure that the people whose data it processes have given their consent.
CRITEO specializes in "retargeting advertising", which consists of tracking the browsing habits of Internet users in order to display personalized ads. To do this, the company collects browsing data from Internet users using the CRITEO cookie, which is deposited on their terminals when they visit certain CRITEO partner websites. Using this tracker, the company analyzes browsing habits to determine which advertiser and which product would be most relevant to display to a particular user. It then takes part in a real-time bidding process and, if it wins the bid, displays the personalized ad.
Following complaints lodged by the associations Privacy International and None of Your Business, the CNIL carried out several inspections at CRITEO.
In the course of its investigations, the CNIL identified a number of shortcomings, in particular the lack of proof of people's consent to the processing of their data, shortcomings in information and transparency, and failures to respect people's rights.
As a result, the CNIL’s “formation restreinte” – the body responsible for imposing sanctions – imposed a fine of 40 million euros on CRITEO.
In determining the amount of the fine, the CNIL took into account the fact that the processing in question concerned a very large number of people (the company has data relating to some 370 million identifiers across the European Union) and that it collects a very large amount of data relating to the consumption habits of Internet users. The CNIL also took into account the company’s business model, which is based exclusively on its ability to display the most relevant advertisements to Internet users to promote the products of its advertising clients, and therefore on its ability to collect and process an immense quantity of data. Lastly, the CNIL considered that processing people’s data without valid proof of their consent enabled the company to unduly increase the number of people concerned by its processing and therefore the financial income it derived from its role as an advertising intermediary.
In application of the one-stop shop set up by the General Data Protection Regulation (GDPR), this decision was forwarded to all twenty-six other European supervisory authorities, all of which were concerned by this cross-border case, and all of which approved it.
The CNIL found five breaches of the GDPR by CRITEO.
Failure to demonstrate consent (Article 7.1 of the GDPR)
Under the law, the CRITEO tracker (cookie) used to target advertising cannot be deposited on the Internet user's terminal without his or her consent. Gathering this consent is the responsibility of the company's partners, who are in direct contact with Internet users. However, this does not relieve CRITEO of its obligation to verify, and to be able to demonstrate, that Internet users have given their consent. The CRITEO cookie was found to have been deposited by several of the company's partners on Internet users' terminals without their consent.
The panel also noted that, at the time of the investigations, the company had not put in place any measures enabling it to ensure that its partners had validly obtained the consent of the Internet users whose data it then processed. In particular, the contracts signed with its partners contained no clause requiring them to provide CRITEO with proof of Internet users' consent. In addition, the company had not carried out any audit of its partners before the CNIL opened its procedure.
Contracts signed with partners now include a clause on proof of consent, under which the partner undertakes to “promptly provide Criteo, upon request and at any time, with proof that consent has been obtained from the person concerned”.
Breach of the obligation to provide information and transparency (Articles 12 and 13 of the GDPR)
Failure to respect the right of access (Article 15.1 of the GDPR)
When a person exercised his right of access, the company sent him, in tabular form, the data extracted from 3 of the 6 tables making up its database. The panel noted, however, that the personal data contained in 2 of the 3 remaining tables also had to be communicated to the individual. Moreover, when the company transmitted these tables, it did not give the individual enough information to understand their content.
The company has undertaken to provide all the data available to it in its responses to requests for access, and to supplement the explanations it provides in its responses to requests for access.
Failure to respect the right to withdraw consent and to have one's data deleted (Articles 7.3 and 17.1 of the GDPR)
When a person exercised their right to withdraw consent or to have their data deleted, the process implemented by the company only had the effect of stopping the display of personalized advertisements to that user. The company neither deleted the user's identifier nor erased the browsing events linked to that identifier.
With regard to deletion, the company invites users to send their request by e-mail to the Data Protection Officer (DPO). For each request, it is up to the company to determine and justify whether any data concerning the user may continue to be processed for other purposes, and on what legal basis such processing rests.
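The distinction the panel draws above, between a withdrawal that merely suppresses personalized ads and one that actually removes the identifier and everything keyed to it, is easy to get wrong in an event-keyed data store. The following is an added illustration, not Criteo's code or anything from the CNIL decision: a small in-memory model with constructed sample data, showing the "suppress only" process beside an erasure that drops the identifier and every linked browsing event. The class and method names are assumptions made for the example.

```python
"""Added example: opt-out flag versus real erasure of an ad identifier.

Not Criteo's code or CNIL material. The store, identifiers and URLs are
constructed sample data for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BrowsingEvent:
    """One browsing event tied to an advertising identifier."""
    identifier: str
    url: str
    timestamp: int


@dataclass
class Profile:
    identifier: str
    personalized_ads: bool = True


class AdDataStore:
    """Minimal stand-in for an intermediary's identifier and event tables (assumed layout)."""

    def __init__(self) -> None:
        self.profiles: dict[str, Profile] = {}
        self.events: list[BrowsingEvent] = []

    def record(self, identifier: str, url: str, timestamp: int) -> None:
        self.profiles.setdefault(identifier, Profile(identifier))
        self.events.append(BrowsingEvent(identifier, url, timestamp))

    def events_for(self, identifier: str) -> list[BrowsingEvent]:
        return [e for e in self.events if e.identifier == identifier]

    def can_personalize(self, identifier: str) -> bool:
        profile = self.profiles.get(identifier)
        return profile is not None and profile.personalized_ads

    def withdraw_suppress_only(self, identifier: str) -> None:
        # The insufficient process: personalized ads stop, but the
        # identifier and all of its browsing events stay in the tables.
        profile = self.profiles.get(identifier)
        if profile is not None:
            profile.personalized_ads = False

    def withdraw_and_erase(self, identifier: str) -> int:
        # Erasure proper: remove the identifier record and every event keyed
        # to it, so nothing remains that could be re-linked. Any data kept
        # for another purpose would need its own documented legal basis.
        removed = len(self.events_for(identifier))
        self.profiles.pop(identifier, None)
        self.events = [e for e in self.events if e.identifier != identifier]
        return removed

    def residual_data(self, identifier: str) -> dict[str, int]:
        """What is still stored about this identifier after a request."""
        return {
            "identifier_records": int(identifier in self.profiles),
            "browsing_events": len(self.events_for(identifier)),
        }


def build_sample_store() -> AdDataStore:
    """Constructed sample data: two identifiers, three events."""
    store = AdDataStore()
    store.record("id-A", "https://shop.example/product/1", 1000)
    store.record("id-A", "https://shop.example/cart", 1060)
    store.record("id-B", "https://news.example/", 1100)
    return store


def compare_processes() -> dict[str, dict[str, int]]:
    """Apply each process to a fresh store and report what remains for id-A."""
    suppress_only = build_sample_store()
    suppress_only.withdraw_suppress_only("id-A")
    erase = build_sample_store()
    erase.withdraw_and_erase("id-A")
    return {
        "suppress_only": suppress_only.residual_data("id-A"),
        "erase": erase.residual_data("id-A"),
    }


if __name__ == "__main__":
    for name, residual in compare_processes().items():
        print(f"{name}: {residual}")
```

Running it shows the suppress-only path leaving one identifier record and two browsing events behind for `id-A`, while the erasure path leaves none and does not touch `id-B`. In a real system the same check belongs in an automated test against every table that carries the identifier, which is exactly the gap a process that only flips an ad-serving flag will pass silently.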
Failure to provide for an agreement between joint data controllers (Article 26 of the GDPR)
The agreement between the company and its partners did not specify some of the respective obligations of the joint controllers under the GDPR, such as handling the exercise of data subjects' rights, notifying a data breach to the supervisory authority and to data subjects, or, where required, carrying out a data protection impact assessment under Article 35 of the GDPR.
The agreements with partners have since been supplemented with a joint controllership section containing the information required by Article 26.
As you tackle security requirements in your organization, focus on privacy by design. Everything your business does should align with the regulations that apply to it, whether that is the GDPR, PIPEDA, or the CCPA, and compliance must be embedded at each step of the process.
In other words, don't wait until after you have set up business processes to consider data privacy requirements. Design them with compliance in mind from the very beginning. This will help you avoid costly penalties and having to redesign your entire business practice.