Summary
Last week, former unicorn and publicly listed French adtech company Criteo was fined €40 million by the French Data Protection Authority (CNIL), for failing to ensure that publisher partners obtained user consent for the use of Criteo’s cookie.
The investigation stemmed from a complaint lodged by Privacy International and None of Your Business (noyb) in 2018.
"During its investigations, the CNIL noticed several infringements concerning, in particular, the lack of evidence of the consent of individuals to the processing of their data, information and transparency as well as respect for the rights of individuals." - Commission nationale de l'informatique et des libertés (Source: CNIL) |
The investigation by the French DPA uncovered five infringements of the GDPR by Criteo:
-
Failure to demonstrate that the data subject gave its consent (Article 7.1 GDPR)
-
Failure to comply with the obligation of information and transparency (Articles 12 and 13 GDPR)
-
Failure to respect the right of access (Article 15.1 GDPR)
-
Failure to comply with the right to withdraw consent and erasure of data (Articles 7.3 and 17.1 GDPR)
-
Failure to provide for an agreement between joint controllers (Article 26 GDPR)
As a result, Criteo was issued a fine of EUR 40 million, a decision the AdTech company is intending to appeal:
“As we stated previously, we consider that the allegations made by the CNIL do not involve risk to individuals nor any damage caused to them,” Damon said. “Criteo, which uses only pseudonymized, non-directly identifiable and non-sensitive data in its activities, is fully committed to protecting the privacy and data of users. The decision relates to past matters and does not include any obligation for Criteo to change its current practices; there is no impact to the service levels and performance that we are able to deliver to our customers as a result of this decision. We continue to uphold the highest standards in this area and operate a fully transparent and regulatory-compliant global business. We will be making no further statement at this stage.” - Criteo statement, via TechCrunch (source: TechCrunch) |
Meanwhile, noyb celebrates the decision in a recent press release:
“We are very happy about the decision the CNIL issued. It is a strong signal to the ad-tech industry that they will face dire consequences for breaking the law.” - Romain Robert, Data protection lawyer at noyb (source: noyb) |
Comments, opinions, and thoughts? Continue the conversation in the Yes We Trust community on LinkedIn: