The French Data Protection Authority has imposed a €40 million fine for GDPR infringements.

On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo SA (Criteo). The CNIL imposed a €40 million fine for five infringements of the GDPR, in particular for failing to verify that data subjects had consented to the processing of their personal data for the purpose of targeted advertising.

Founded in 2005 and headquartered in France, Criteo specializes in behavioral retargeting, which involves tracking browsing patterns through cookies placed on users’ devices to facilitate personalized advertisements. Criteo collects browsing data tied to a cookie that is being placed when users visit certain partner websites (the Criteo cookie), and then uses the data to generate personalized online ads. Criteo will then show these ads to users when they visit other partner or customer websites. According to its corporate website, Criteo serves 5 billion ads per day and partners with more than 19,000 customers.

Case Summary

The CNIL launched an investigation against Criteo in early 2019 in response to complaints submitted by privacy advocacy non-governmental organizations Privacy International and None of Your Business in 2018. The complaints alleged that Criteo (i) lacked a valid legal basis to process individuals’ data for advertising purposes, and (ii) had implemented an unduly burdensome procedure for data subjects to exercise their rights.

The CNIL conducted multiple online investigations, including an audit of Criteo’s partner websites, and an offline investigation of Criteo’s office, resulting in a report of the public rapporteur recommending a minimum €60 million fine against Criteo. After more than four years since the initial complaints and following contentious proceedings between Criteo and the CNIL’s restricted committee, CNIL adopted a draft decision on 16 May 2023 setting a fine of €40 million.

Since Criteo engaged in cross-border data processing involving all other EU Member States, the CNIL communicated its draft decision to all other EU data protection authorities. None of those relevant authorities required the matter to be submitted to the GDPR’s consistency mechanism.

Criteo has stated that it intends to appeal the CNIL’s decision as it deems the fine disproportionate and misaligned with market practice.

The decision clarifies the CNIL’s position regarding the adtech industry in general, and provides additional guidance on specific obligations related to consent, especially in context of joint controllerships.

The CNIL’s Decision

As a first line of defense, Criteo argued that it only processed technical browsing data that constituted pseudonymous data, as such data was not associated with the identity of an individual but only with an identifier assigned by Criteo. Criteo argued that its processing activities had a limited impact on individuals’ privacy as the data, being pseudonymous, only posed a very low risk of data subject reidentification.

However, the CNIL emphasized that, in addition to browsing patterns, Criteo collected personal data such as email addresses, identifiers generated by other entities, and IP addresses. According to the CNIL, such additional data, even if stored in hashed form, could facilitate the reidentification of data subjects. The CNIL recalled the European Court of Justice’s judgement in case C-582-/14, Patrick Breyer v. Bundesrepublik Deutschland, from October 2016, which had adopted a broad interpretation of the term “identifiable” by holding that data would be “identifiable” as long as they could be reidentified using legal means.

Consequently, the CNIL held that Criteo had failed to comply with the following five obligations under the GDPR:

• demonstrating data subject consent under Article 7(1);
• complying with information and transparency obligations under Articles 12 and 13;
• respecting data subject right of access under Article 15(1);
• complying with the right to withdraw consent and request erasure of data under Articles 7(3) and 17(1); and
• providing an agreement between joint controllers under Article 26.

Beyond the fine noted above, the CNIL set no additional penalties as Criteo had corrected all infringements by the time the decision was published.

Criteo’s Obligations to Demonstrate Data Subject Consent

Under Article 7(1) GDPR, “the controller must be able to demonstrate that the data subject has consented” to personal data processing where such processing is based on consent.

Pursuant to Article 5(3) of the ePrivacy Directive, the Criteo cookie must only be placed on users’ devices with their consent. In addition, the CNIL determined that Criteo must obtain consent in order to carry out subsequent processing operations under GDPR Article 6(1)(a).

According to the joint controller agreements between Criteo and its partners, Criteo’s partners are responsible for collecting user consent, as Criteo cookies are placed on user devices when they visit the partner websites. The CNIL found, however, that Criteo must still comply with the obligations under Article 7 GDPR, in particular the obligation to verify that users gave their consent, and also must be able to demonstrate this fact. The CNIL affirmed that this “double responsibility regime” ensured that each data controller complies with its obligations related to personal data collected through the monitoring of browsing patterns.

The CNIL found through its investigations that certain partners placed Criteo cookies on visitors’ terminals without their consent, and held that Criteo failed to implement adequate measures to ensure that its partners, acting as joint controllers, properly collected users’ consent before placing the Criteo cookie on user terminals. The CNIL recalled that Criteo plays a central role in the advertising ecosystem, as its core business consists in the transformation of raw browsing data into valuable and actionable information. The CNIL found that, given its role, Criteo must ensure that its processing activities comply with the applicable data protection regulations, regardless of the allocation of responsibilities stipulated in the joint controllership agreements.

Specifically, the CNIL found that it was not sufficient for Criteo to stipulate that partners’ policies include “information and methods for expressing choices” in conformity with applicable laws. The CNIL considered that, pursuant to Article 7(1) GDPR, Criteo should have ensured that consent was in fact validly collected by its partners by, for example, (i) requiring that partners provide proof of consent, and (ii) auditing its partners’ compliance with their contractual obligations (and terminating its relationship with them in the event of non-compliance).

Failure to Comply With Information and Transparency Obligations

The CNIL also found that Criteo had infringed its obligation to provide transparent information and facilitate the exercise of data subject rights pursuant to Articles 12 and 13 GDPR.

According to the CNIL, Criteo did not inform data subjects of all the purposes for which it processed personal data, namely that Criteo used personal data to improve its own technologies through machine learning, and that Criteo described its uses in generally vague and overbroad terms. It also noted that Criteo mentioned both consent and legitimate interest in its privacy policy, confusing users regarding the applicable legal basis and consequently their rights under GDPR.

Failure to Respect the Right to Access

According to Article 15(1) GDPR, data subjects have the right to obtain access to personal data concerning them, as well as additional information such as the purpose of processing, the categories of data processed, and the recipients of the data.

However, the CNIL found that Criteo did not provide all personal data that it was processing in response to data access requests. Moreover, it found that Criteo failed to provide sufficient information to enable data subjects to understand the content provided in response to their requests.

The CNIL reaffirmed that controllers must provide the entirety of personal data concerning the data subject who has made an access request, and ensure that sufficient information is provided so that data subjects can understand the exact nature of the relevant personal data.

Withdrawal of Consent and Erasure of Data

Pursuant to Article 7(3) GDPR, data subjects have the right to withdraw consent to data processing at any time. Article 17(1) further stipulates that when consent on which processing is based is withdrawn and no other legal ground for the processing exists, data subjects can demand erasure of their personal data.

In the case of Criteo, users could withdraw consent through a link provided in Criteo’s privacy policy. However, rather than erasing all personal data concerning them, Criteo merely stopped displaying ads to users who withdrew consent. Criteo argued that it had a legitimate interest in processing the personal data for machine learning purposes, and therefore erasure of such data was not required.

The CNIL held that Criteo could not conduct further processing based on legitimate interest as it did not have any proof that valid consent had been obtained from data subjects originally, and therefore it could not ensure that the data subjects had consented to the initial processing of their personal data. The CNIL did not rule on whether, in principle, it would be possible to rely on legitimate interest to process personal data collected based on consent for machine learning purposes.

Joint Controllers

Under Article 26 GDPR, when “two or more controllers jointly determine the purposes and means of processing,” they are considered joint controllers and must determine their respective responsibilities for GDPR compliance through an arrangement.

The CNIL found that Criteo had breached Article 26 GDPR, as the joint controllership agreements between Criteo and its partners did not fully comply with Article 26. Further, the agreements did not provide for the allocation of responsibilities between the joint controllers for a number of obligations, such as the obligation to answer data subjects’ requests, responsibilities in the event of a data breach, and the obligation to conduct impact assessments if necessary.

Although Article 26 GDPR does not explicitly list all of these obligations, the CNIL held that the joint controllership agreement must provide for the allocation of all such responsibilities.

Practical Implications

This decision affirms the CNIL’s enforcement focus on adtech and cookies practices, and sets high expectations for intermediaries in the adtech cycle. The main takeaways include the following:

• The processing of pseudonymous browsing and technical data does not reduce the obligations under GDPR. Pseudonymous data that can be reidentified are still considered personal data, therefore controllers must ensure that they comply with the full GDPR obligations.
• Adtech intermediaries relying on consent obtained by their partners should proactively audit and verify the validity of those consents even if they are not directly responsible for collecting consent.
• Industry practices may shift from relying solely on contractual commitments around consent and audits, to more comprehensive, active checks of publisher ads consent mechanisms. Companies should increasingly document such audit and verification controls and activities in a robust way.
• Privacy notices should clearly identify the legal basis for each specific processing purpose.
• Businesses must comply with Article 13 GDPR transparency requirements (rather than Article 14) even when they “passively” collect personal data by observation, such as through the use of cookies or other trackers, if such observation results in a direct collection of personal data.