CRITEO, a French ad-tech giant, was recently fined €40 million by the French data protection authority, the CNIL, in particular for its failings to ensure valid consent from users for targeted advertising.
The fine comes off the back of an investigation by the CNIL, ignited by complaints from Privacy International and NYOB in 2018 and 2019 respectively.
Background
CRITEO uses a cookie (placed on a user’s terminal when they visit the websites of CRITEO’s advertiser partners (e.g. brands)) to analyse the user’s browsing habits to determine which advertiser or product it would be most useful to display to the user in an advert. CRITEO will then use this information to assist it in determining what bids to place when bidding on behalf of advertisers for adspace via RTB (real time bidding), to ensure the advert is as targeted or as relevant as possible.
CRITEO is not unique in the way in which it collects and processes this user information, and therefore this decision has been eagerly awaited by the adtech community as it not only has significant consequences for CRITEO, but also all DSPs and DMPs (and likely many SSPs) who operate in this space.
Infringements and key takeaways
It was found that CRITEO committed 5 infringements of the GDPR:
1. Failure to demonstrate the data subject gave consent – Article 7
- The CRITEO cookie can’t be placed on a user’s terminal without their consent. Although the collection of such consent is the responsibility of the company’s partners – who have direct contact with the user – the CNIL found this doesn’t exempt CRITEO from its obligation to verify and be able to demonstrate that users have given their consent.
- A contractual obligation on the partner to obtain consent (which CRTEO had in its agreements) did not go far enough – the CNIL found CRITEO hadn’t put any contractual assurances in place requiring partners to provide CRITEO proof of such consent on request, and hadn’t undertaken any audit of its partners to stress test the consent they claimed to obtain.
- It’s good practice for agreements with such partners to include an undertaking from the partner that they will promptly provide proof that valid consent has been obtained from data subjects. The expectation that intermediaries who rely on consent, such as CRITEO, will actively verify the validity of such consent collected by its partners is a high standard for compliance.
2. Failure to comply with the obligation of information and transparency – Articles 12 and 13
- Although CRITEO tried to argue that the obligations under Article 13 didn’t apply to it as it received the data from someone else, the CNIL’s conclusion was that the operation of the CRITEO cookie results in a direct collection of personal data, meaning the obligations of Article 13 apply.
- The CNIL found CRITEO had infringed transparency requirements as its privacy policy was incomplete (and didn’t include all of the intended purposes of the processing), and muddled and lacking in clarity (with it being difficult to determine which personal data was being processed and for what purpose).
- In particular, CRITEO didn’t explain in its privacy policy that it uses personal data for improving its technologies – the CNIL viewed this as a distinct purpose that should have been highlighted to users.
- These findings align with the shift we’re seeing towards tabular privacy policies, which allow controllers to set out clearly the relationship between data categories, the purposes, and the lawful basis. Privacy policies should be accessible by the data subjects to whom they relate, including being easy to understand.
3. Failure to respect the right of access – Article 15
- The CNIL found that CRITEO took an unduly restrictive approach in responding to DSARs - when sending individuals their data, it didn’t provide them with sufficient information to enable them to understand the content, and it didn’t send data from its database which, in the CNIL’s view, should have been communicated.
- When it comes to DSARs, it seems regulators are expecting data subjects to understand the data being provided to them – this can be difficult in a technical and complex area like adtech, but the burden seems to be falling to controllers, to help users to understand by providing as much context and background as possible.
4. Failure to comply with the right to withdraw consent and erasure of data – Articles 7.3 and 17.1
- When data subjects exercised their right to withdraw their consent, or to the deletion of their data, CRITEO only stopped the display of personalised ads to the user, and didn’t delete the identifiers assigned to the individual, or erase other navigational events related to that identifier.
- The CNIL found that where CRITEO couldn’t ensure that the user making the request had consented validly to the processing of their data by CRITEO, it couldn’t rely on legitimate interests to continue processing that data for further purposes.
- By not deleting the data when required to do so, and using that data to improve its technology, CRITEO also benefited financially and increased its competitiveness in the targeted advertising market.
5. Failure to provide for an agreement between joint controllers
- The CNIL found that CRITEO was a joint controller with its publisher and advertiser clients.
- The agreements between CRITEO and its partners were found to be lacking in the joint controller provisions; in particular the agreements didn’t allocate responsibility for the fulfilment of core obligations such as data breach notification, the exercise of data subject rights, and the completion of DPIAs.
- Agreements between joint controllers should include some allocation of responsibility when it comes to core issues such as data subject rights (even if only to say that both parties should be responsible for the rights requests they receive).
In addition to the above findings, one of the points of contention was the extent to which CRITEO’s activities fall within the scope of the GDPR, on the basis that it was not actually processing personal data. CRITEO tried to argue that the risk of re-identification of individuals from the data it processed (which includes internet browsing history, IP addresses, a CRITEO unique ID and in some cases a hashed email address) was low. The CNIL was not convinced by this argument, and instead found that the richness of the data collected by CRITEO was likely to make re-identification reasonably likely.
Penalty
In determining the amount of the penalty (which amounts to nearly 2% of CRITEO's worldwide turnover), the CNIL gave weight to the large number of individuals whose data CRITEO processed (approx. 370 million EU users), and the large amount of data it collected.
Notably, the CNIL also took into account the company’s business model; in its view the processing of individuals’ data without proof of their consent allowed the company to “unduly increase the number of persons concerned by its processing”, and in turn, its financial income as an advertising intermediary.
Final thoughts
Although this decision is not unsurprising given the data compliance challenges faced by the adtech ecosystem, this will have relatively large ramifications across the industry. In particular, many players in the ecosystem will need to carefully consider how they contract with their advertising partners (or agencies acting on their behalf), how they obtain and monitor consent, and generally reconsider the data protection posture if they do not wish to suffer a similar fate.
While this final decision was handed down by the CNIL, unlike many other notable CNIL decisions, the CNIL actually went through the GDPR one-stop shop process and its draft decision was submitted to, and approved by, all other 29 European supervisory authorities – this demonstrates that the findings in this case are shared amongst EU regulators, so there really is nowhere to hide.