The French data protection authority, the CNIL, has imposed a €40 million fine on CRITEO, one of the leading players in the display advertising space. The CNIL’s investigation followed complaints by the privacy advocacy groups Privacy International and None of Your Business and led to a finding of several infringements, including a failure by CRITEO to verify that its partners had obtained consent from their users for the use of the CRITEO cookie. The CNIL also found that CRITEO had not stated all of its processing purposes in its privacy notice and that insufficient information had been provided to individuals in response to right of access requests. In some instances, CRITEO had responded to erasure requests by stopping the display of advertising to individuals but had failed to delete their data.
In imposing the substantial fine, which was equivalent to 2% of CRITEO’s worldwide turnover, the CNIL took into account that the processing concerned a large number of people (CRITEO has data on about 370 million identifiers relating to individuals across the European Union) and that the processing of data without consent had allowed CRITEO to significantly increase the income it received through its role as an advertising intermediary.
The CNIL also noted the importance of ensuring that joint controller arrangements cover all of the obligations laid down in the GDPR. In this case, CRITEO’s agreements with its partners did not include some of the controller obligations, such as the exercise by data subjects of their rights, the obligation to notify the supervisory authority and data subjects of a data breach, and the requirement to carry out a data protection impact assessment, where necessary.
The CNIL decision can be found here.