CNIL fines adtech company Criteo €40 million – what are the key takeaways?

Criteo, which specialises in displaying online advertising was fined €40 million by the French Data Protection Authority (CNIL) following complaints lodged by two none for profit organisations (i.e. Privacy International and None of Your Business (NOYB)). The full text of the CNIL decision (in French) can be found here.

Why? The CNIL considers that Criteo failed to ensure that its partners (e.g. publishers) obtained consent from their users for the use of Criteo’s cookie. In practice, Criteo's partners are in charge of obtaining consent as they are in direct contact with the users, but the CNIL still holds Criteo accountable for verifying the obtention of such user consent. The penalty of €40 million is significant, representing around 2% of the company's worldwide turnover, although it was reduced in light of the CNIL rapporteur's original proposal who had initially suggested a €60 million fine.

Illustration: How does Criteo’s cookie work in practice?

Key takeaways include (non exhaustive list)

1. Proof of consent: a clause in the contract is key
   

   Criteo was one of the first adtech companies to put in place a joint controller agreement with its partners under article 26 of the GDPR. In its agreement, partners are required to obtain consent from their users. The CNIL did not challenge the legal qualification of the parties.

   However, the CNIL found that Criteo had not implemented any measures to ensure that the personal data it processes is limited to data for which valid GDPR consent has been obtained by its partners from the users.  The CNIL’s reasoning is based on article 7, paragraph 1, of the GDPR which says that: “where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”. The CNIL’s decision states that 12 websites operated by Criteo’s partners were investigated and that several of them did not obtain valid consent. Although the CNIL investigated only a reduced number of Criteo’s partners, it inferred that Criteo was processing “a large volume of browsing data for which Internet users had not given valid consent”.

   At the beginning of the CNIL’s investigation, the agreement between Criteo and its partners provided that partners should provide consent mechanisms compliant with applicable laws. However, the CNIL considered that this was not sufficient in light of article 7, paragraph 1, of the GDPR, and pointed out that Criteo never in practice (i) terminated a contract for breach of this clause or (ii) ensured compliance with this clause.

   The CNIL notes in its decision that Criteo has now complied by incorporating a new clause on proof of consent in its contracts with its partners. Partners are now required to "promptly provide Criteo, upon request and at any time, with proof that the consent of the data subject has been obtained by the partner".

   The CNIL does not touch upon how Criteo should verify that its partners are complying and collecting valid consent from users. However, it underlines that Criteo has since put an end to its contractual relationship with one partner that failed to obtain valid consent for cookies. This suggests that adtech companies are expected to monitor compliance and terminate contracts with non-compliant partners. 
   
   

2. Which legal bases under ePrivacy and GDPR
   

   The CNIL notes that while the placing of the Criteo cookie in the device of a user visiting a partner's website, which enables Criteo to assign a unique identifier to that user, is subject to article 82 of the French Data Protection Act (i.e., implementing article 5(3) of the ePrivacy directive), the subsequent processing of personal data for advertising purposes, which is carried out on the basis of the personal data collected via this cookie, is subject to the provisions of the GDPR (i.e. notably article 6 as a minimum).

   Under ePrivacy rules, operations involving the reading or writing of information on a user's device cannot be implemented without the user's prior consent (unless exemptions such as the one applicable to strictly necessary cookies apply).

   Under the GDPR, various legal bases under articlert 6 of the GDPR are available (e.g. consent, legitimate interests). However, as Criteo told the CNIL during the investigation that it was relying on users’ consent (which is also mentioned in its privacy notice) for the GDPR part of the journey, the CNIL did not discuss the other available legal bases.
   
   

3. Insufficient transparency
   

   The CNIL considers that using personal data for improving its technologies should be clearly stated in the company’s privacy notice. According to the CNIL, Criteo should have provided complete information with respect to this activity, which is a distinct purpose based on legitimate interests under article 6 of the GDPR.

   The company argued that it did not need to specify the purpose of improving its technologies since it served a similar purpose as personalised advertising. However, the CNIL found that this was a distinct purpose that should have been brought to the attention of the affected users.

   Criteo made updates to its privacy notice during the CNIL proceedings to address these deficiencies. Overall, the CNIL concluded that the company failed to fulfil its transparency and information obligations, although it acknowledged the company's subsequent efforts to comply. It is worth noting that Criteo required publishers to make a reference to Criteo’s privacy notice in the publishers’ privacy notices.
   
   

4. Failure to respect the right of access
   

   Criteo had personal data in six tables but was only communicating three of them to individuals who exercised their right of access, as it considered that the other tables were not relevant. Besides, Criteo only gave a summary description of the purpose of each table, without providing explanations of the purpose of each of the columns in these tables, or of their contents.

   The CNIL found that two of the remaining tables should have been communicated to the individuals as these tables contain personal data which may be combined with other data and, in particular, with the identifier assigned to each user.
   
   

5. Right to erasure: all information has to be deleted?
   

   Criteo has also been found to fall short in fulfilling its obligations under article 17 GDPR by failing to effectively delete personal data upon individuals' requests for erasure, because the company only stopped displaying personalised ads without effectively deleting the personal data of the requestors.

   The CNIL noted that in cases where Criteo was in any event unable to ensure that the user who had made the request had validly consented to the processing of his or her data by the company, it could not continue to process this user's data for subsequent purposes based on legitimate interest arguments under article 6 of the GDPR.
   
   

6. Pay attention to the content of your joint-controller arrangements
   

   In light of article 26 of the GDPR, the CNIL reminds joint-controllers of the importance of making sure that arrangements put in place between the parties “cover all the obligations laid down by the GDPR in order to determine, for each of these obligations, which of the joint data controllers will be responsible for it” (emphasis added).

   In the case at hand, some obligations such as (i) the exercise by data subjects of their individual rights, (ii) the obligation to notify the supervisory authority and data subjects of a personal data breach or (iii) the completion of a data protection impact assessment (DPIA) under article 35 of the RGPD where applicable, were missing in the original joint-controller arrangement used by Criteo.

   This CNIL decision is a reminder for joint-controllers (in the adtech sector or not) to ensure that their arrangements cover all GDPR controller obligations from A to Z, and to do the necessary allocation of responsibilities for each obligation.
   
   

7. A significant fine: 2% of the company's worldwide turnover

The imposed fine of €40 million is significant as it accounts for approximately 2% of the company's worldwide turnover. Interestingly, the CNIL rapporteur went so far as to propose a €60 million fine, equivalent to roughly 3% of the company's worldwide turnover.

Criteo pointed out that previous fines imposed on other companies for similar cookie-related violations amounted to 0.07% and 0.06% of their worldwide turnover.

The CNIL justifies the amount by the nature and scale of the processing (approximately 370 million user identifiers across the European Union and around 50 million in France alone) and the fact that the company benefited financially from collecting and processing personal data without valid consent, leading to an unjustifiable increase in the number of individuals affected by its processing and its financial revenues.

However, the CNIL did not provide more details on the rationale for the quantum of its fine. This does not seem to be in line with the EDPB guidelines 04/2022 on the calculation of administrative fines under the GDPR, which promote a more sophisticated approach for calculating fines.