General Data Protection Regulation (GDPR) , Governance & Risk Management , Privacy

French Ad Tech Firm Fined 40M Euros for GDPR Violations

French Regulator Fines Criteo for Website Cookie Tracking Tools
French Ad Tech Firm Fined 40M Euros for GDPR Violations

The top French privacy regulator has imposed a fine of 40 million euros against a Parisian advertising technology company for its use of website tracking cookies and failure to process users' personal data in compliance with privacy laws.

See Also: How Enterprise Browsers Enhance Security and Efficiency

Criteo specializes in behavioral advertising by tracking users' internet activities for ad personalization. An investigation by the National Commission on Informatics and Liberty - known as CNIL - found the company's cookie policy and its data processing requirements violated the General Data Protection Regulation.

The French agency began its investigation after receiving complaints from civil rights organizations Privacy International and None of Your Business about potential privacy violations by Criteo.

The agency's analysis found Criteo had dumped its cookies for tracking online activities on to its users' browsers without their consent.

The agency also found that the company had failed to inform its users how its cookies processed their user data. In cases where the company did provide information on data processing, CNIL found Criteo had failed to include all the necessary information and had only vaguely articulated how the user data was being processed.

Further, when users demanded to withdraw their consent, CNIL said Criteo stopped the display of personalized advertisements to the user, but it continued to deploy the tracking cookies and to process their personal data.

CNIL said Thursday the fine was calculated based on the magnitude of the company's violations, which are estimated to have affected 370 million users across Europe.

"The CNIL took into account the fact that the processing in question concerned a very large number of people and that the company collected a very large amount of data relating to the consumption habits of internet users" the agency said. "CNIL also considered the financial income Criteo derives from its role as an advertising intermediary."

In a statement released on Thursday, Criteo said it will be appealing the CNIL fine, saying that it uses "pseudonymized, non-directly identifiable and non-sensitive data in its activities." The company also said that the French regulatory agency's claim that the company had violated GDPR clauses is "not consistent with the European Court of Justice rulings and even with the CNIL’s own guidance."

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.