CNIL Proposes €60 Million Fine Against AdTech Company Criteo

🚨 NEWS 🚨

Later today, our 5 year long complaint against the AdTech company @Criteo will be heard at the @CNIL, the French data protection authority.

The CNIL is proposing a €60 million fine.

Why? Read on 👇

— Privacy International (@privacyint) March 16, 2023

Back in 2018, we filed complaints against 7 data brokers (@Acxiom, @Oracle), AdTech companies (@Criteo, @Quantcast, @Tapad) and credit referencing agencies (@Equifax, @Experian). https://t.co/NFXjnH6znu

— Privacy International (@privacyint) March 16, 2023

We filed with various data protection authorities:
🇮🇪 The Irish DPC picked up on Quantcast
🇬🇧 The UK ICO on Equifax and Experian
🇫🇷 The French CNIL on Criteo

— Privacy International (@privacyint) March 16, 2023

This was just after the EU's General Data Protection Regulation (GDPR) had come into force, imposing a number of legality and transparency requirements on companies processing people's personal data.

— Privacy International (@privacyint) March 16, 2023

Our complaints were based on over 50 Data Subject Access Requests to these companies, as well as information they provided in their marketing materials and privacy policies - likely representing only the tip of the iceberg. ⛰️

— Privacy International (@privacyint) March 16, 2023

Criteo claimed at the time to capture the identity and interest data of 72% of all online shoppers globally, and to have “insights on over 1.4 billion active monthly shoppers”. 😬

— Privacy International (@privacyint) March 16, 2023

Our investigations showed, amongst others, that Criteo didn't have a legal basis for processing these HUGE amounts of sensitive personal data, and that they weren't transparent about it - just like the rest of the AdTech industry.

— Privacy International (@privacyint) March 16, 2023

The AdTech industry is a complex ecosystem where our data is collected through thousands of online trackers, used to infer profiles about us (are you “Wealthy Worldly and Wise” or a “Dependent Grey”?) and sold around so marketers can manipulate us into buying things.

— Privacy International (@privacyint) March 16, 2023

The industry also feeds data brokers - who don't just sell our profiles to marketers, but to a whole range of private and public actors to feed into decisions about our access to credit, insurance, employment, or welfare benefits.

— Privacy International (@privacyint) March 16, 2023

This data market plays with our personal information, and can lead to real distress - such as when Bounty, a company marketing baby products to pregnant & new mothers, was found to have illegally shared data of 14+ million mums & babies with 39 companies. https://t.co/y4BAad6pWr

— Privacy International (@privacyint) March 16, 2023

We'll be at today's hearing, hoping for the CNIL to stand by its €60 million fine and lead the way against this harmful industry that serves profit not people.

👀 Stay tuned to find out what happens next. 👀

— Privacy International (@privacyint) March 16, 2023

Hearing over.

The CNIL maintains its proposed €60 million fine, and agreed with all of our complaint’s arguments. It found, amongst others, a lack of assurance by Criteo that the data they collect were provided with valid consent.

— Privacy International (@privacyint) March 16, 2023

Criteo’s main line of defence was that it wasn’t their responsibility to collect valid consent, but that of their partners (+40,000 websites today).

— Privacy International (@privacyint) March 16, 2023

We don’t think that’s a valid argument, but whether it is or not, it’s the fundamental problem at the core of the AdTech industry - every actor relies on the previous actor in the chain to comply with GDPR and to have a valid basis for data collection.

— Privacy International (@privacyint) March 16, 2023

What happens with the data up and down the chain, in other words, is nobody’s business. And so people’s personal data is collected, sold and re-used in a complete Wild West fashion.

— Privacy International (@privacyint) March 16, 2023