CNIL (France) - SAN-2023-009
Authority: CNIL (France)
Case number: SAN-2023-009
Articles at issue: Article 7(1) GDPR; Article 7(3) GDPR; Article 12 GDPR; Article 13 GDPR; Article 15(1) GDPR; Article 17(1) GDPR; Article 26 GDPR
Parties: None of Your Business (NYOB)
Status: Appealed - Confirmed
Original source: Légifrance (in FR)
The French DPA fined the online advertising group Criteo €40 million for violations relating to the processing of personal data, in particular for failing to check that data subjects have given their consent.
English Summary
Facts
On 15 June 2023, the French DPA (CNIL) fined the online advertising company Criteo - the controller - €40,000,000. The DPA’s decision followed complaints lodged by the NGOs Privacy International and None of Your Business (noyb).
Criteo used a behavioural targeting approach that tracked data subjects' online activities in order to display personalised advertising. By collecting browsing data through its tracking tool (the "Criteo" cookie), Criteo analysed data subjects' browsing habits to determine the most relevant ads for each data subject. Online advertising companies then participated in real-time bidding and displayed personalised ads if they won the bid.
Holding
The DPA found five breaches of the GDPR against the controller:
- Regarding the failure to demonstrate consent, the DPA held that Criteo failed to ensure that data subjects gave their consent to the placement of the tracker on their devices in violation of Article 7(1) GDPR. The DPA discovered instances in which the controller’s tracker was used by several of the controller's commercial partners without data subjects’ consent. According to the DPA, obtaining consent from Internet users for the processing of data concerns both Criteo and its commercial partners pursuant to Article 7 GDPR. The DPA insisted on a dual system of responsibility (joint controllership) to ensure an effective right to consent at every stage of the processing.
- As to the failure to comply with the right of access, the DPA established that Criteo did not adequately fulfil data subjects’ right of access in breach of Article 15(1) GDPR. When data subjects requested access to their personal data, Criteo only provided data from a subset of its database tables and did not disclose the information from other relevant tables.
- As to the failure to respect the right to withdraw consent and delete data, the DPA found a violation of Articles 7(3) and 17(1) GDPR. When data subjects exercised their right to withdraw consent or requested deletion of their data, Criteo stopped displaying personalised ads but failed to remove the identifier assigned to the data subject or delete the related browsing events.
- Lastly, the DPA highlighted the lack of agreement between the joint controllers in breach of Article 26 GDPR. The agreements between Criteo and its commercial partners did not contain specific obligations in relation to the requirements of the GDPR, such as data subjects' rights, data breach notification or impact assessments.
Comment
However, the controller notified the DPA of its intention to appeal the decision. It considers, inter alia, that the violations found by the DPA did not involve any risk for individuals or any harm caused to them. Criteo states that in its activities it only uses pseudonymised data that is not directly identifiable and is not sensitive. Criteo also believes that the penalty is disproportionate to the alleged breaches and out of line with general market practices in this area.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.