Behavioral advertising firm Criteo fined €40M


French regulators have fined Criteo, which collects and analyzes people’s browsing habits. The company is said to have infringed GDPR regulations.

Criteo is a behavioral retargeting firm that tracks users’ browsing history to target them with personalized advertisements. It analyzes browsing habits to determine which advertiser and product is best suited to display ads for the user.

The National Commission on Informatics and Liberty (CNIL) said that Criteo had failed to verify which data on people’s browsing history was collected with their consent. CNIL found five infringements of the GDPR, namely:

According to CNIL, Criteo has data related to 370 million identifiers across the European Union, and it collected “a very large amount of data relating to the consumption habits of internet users”.

The watchdog said the data, while stored without names, was sufficient to re-identify individuals in some cases. When deciding on the value of the fine, the CNIL considered “the business model of the company, which relies exclusively on its ability to display to internet users the most relevant advertisements to promote the products of its advertiser customers and thus on its ability to collect and process a huge amount of data.”

Criteo intends to appeal

Criteo told Cybernews the CNIL reduced the final sanction from the original proposed amount of €60 million to now €40 million, but the company believes the sanction “remains vastly disproportionate in light of the alleged breaches and misaligned with general market practice in such matters.”

It also believes that a number of the CNIL’s interpretations and applications of the GDPR are not consistent with the European Court of Justice rulings. It said it would appeal the decision before the competent courts.

“We consider that the allegations made by the CNIL do not involve risk to individuals nor any damage caused to them. Criteo, which uses only pseudonymized, non-directly identifiable and non-sensitive data in its activities, is fully committed to protecting the privacy and data of users. The decision relates to past matters and does not include any obligation for Criteo to change its current practices; there is no impact to the service levels and performance that we are able to deliver to our customers as a result of this decision,” – Ryan Damon, Chief Legal Officer at Criteo, told Cybernews via email.