French regulators have imposed a €40 million fine on Criteo, a behavioral retargeting firm, for violating GDPR regulations. The National Commission on Informatics and Liberty (CNIL) found that Criteo failed to adequately verify user consent for collecting and analyzing browsing history, identifying five infringements of GDPR. Criteo, which tracks users’ online behavior to deliver personalized advertisements, was storing data related to 370 million identifiers across the European Union.
CNIL highlighted the potential for re-identifying individuals from the collected data. While Criteo intends to appeal, it contends that the fine is disproportionate and disagrees with some of CNIL’s interpretations and applications of GDPR. Criteo, known for its business model relying on displaying relevant advertisements by processing vast amounts of user data, expressed dissatisfaction with the fine imposed by CNIL. The company claimed that the CNIL reduced the initial proposed fine of €60 million to €40 million but argued that the sanction is still disproportionate. Criteo emphasized its commitment to protecting user privacy, stating that it uses only pseudonymized and non-sensitive data.
The firm believes that CNIL’s allegations pose no risk to individuals and plans to challenge the decision in competent courts, asserting that it does not impact its current practices or service levels. Ryan Damon, Chief Legal Officer at Criteo, emphasized that the decision pertains to past matters and does not mandate changes in the company’s current practices.
