French ad tech giant Criteo loses €40M privacy fine appeal

Published: 16 March 2026
Privacy policy eye
Malte Mueller/Getty Images

French ad tech giant Criteo has lost its bid to overturn a €40 million privacy fine after France’s top administrative court sided with the country’s data protection watchdog.

The French advertising company provides “behavioral retargeting” services, which use previously collected data from internet users to display targeted advertisements.

To do this, Criteo installs tracking cookies on users' devices whenever they visit websites from Criteo’s partners. The advertising company analyzes the data collected to determine which products and services users are likely to buy.

ADVERTISEMENT

In December 2018, the Austrian privacy organization noyb and Privacy International filed a complaint against Criteo for failing to offer users the option to withdraw their consent.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

The Commission Nationale de l'Informatique et des Libertés (CNIL), France’s data protection authority, launched an investigation into the matter and found several GDPR infringements.

According to the CNIL, Criteo didn’t have users’ consent to process their data. Obtaining this consent is the responsibility of the advertising company’s partners. However, Criteo still has an obligation to demonstrate that internet users have given their consent. The investigation revealed that tracking cookies were placed without users’ consent.

In addition, the advertising company wasn’t transparent about the purposes for which the data was processed and failed to comply with users’ rights to access their data and to erasure.

For these violations, the CNIL imposed a €40 million fine.

Check if your data has been leaked

Find out if your email, phone number or related personal information might have fallen into the wrong hands.
18,611,353,922
Breached accounts
36,030
Breached websites

Criteo appealed the fine at the Conseil d’État, France’s highest administrative court. The advertising company contested the classification of pseudonymous identifiers as personal data, as it doesn’t entail the necessary information to re-identify a user from the assigned identifier.

ADVERTISEMENT

The administrative court has rejected Criteo’s argument, stating that data can only be considered anonymized if the risk of re-identification of a data subject is “insignificant, such identification being impracticable in practice.”

Considering that the purpose of the processing is to offer personalized ads, a very large amount of information can be cross-referenced for a given identifier.

Therefore, Criteo’s appeal has been declared unfounded, and the CNIL’s €40 million fine has been upheld.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Meta confirms: critical vulnerability in account recovery tool exposed over 20K Instagram users
UK to use AI to prepare for AI-induced employment challenges
Dark web drug vendor gets 26 years for selling fentanyl and meth
Meta escalates legal battle with Israeli spyware firm NSO over WhatsApp attacks
UK PM Starmer set to ban social media for Under-16s
OpenAI plans biggest ChatGPT overhaul ahead of listing
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked