French data protection authorities fined Criteo €40m for GDPR breaches
Criteo, a major European online advertising company, has been fined €40 million by the French data protection authority for violating GDPR. The company’s failure to comply with data subjects’ rights and lack of transparency were among the issues identified during the investigation.
Criteo, one of Europe’s largest advertising and tracking companies, has been fined € 40 million by the French data protection authority (CNIL) as it is found that the company ‘did not comply with the rights of data subjects under the General Data Protection Regulation (GDPR) and could not demonstrate the collection of valid consent.’ The decision has also been endorsed by all of Europe’s other data protection authorities.
Criteo is a French company that provides ‘behavioral retargeting’ services to thousands of websites. It does this by tracking cookies on sites to analyze users’ browsing habits and identify the products and services they are most likely to purchase. The company has data on around 370 million people in Europe.
In December 2018, the European Center for Digital Rights (NOYB) and Privacy International filed a complaint against Criteo for failing to give users an adequate option to withdraw their consent. This complaint triggered an extensive investigation by the CNIL. The CNIL found further breaches of the GDPR. These included, among others, the absence of transparency, non-compliance with the right to be forgotten, and the right to access personal data.