A giant of the French adtech industry has recently been fined for breaching the European Union's data protection regulation. Following a multi-year investigation, France’s national privacy watchdog found that Criteo had breached its privacy laws and issued the company a $65 million fine.
Criteo is an advertising company established in 2005, and the fine concerns its use of ‘tracking ads’. Privacy International, a digital rights and privacy advocacy group, lodged a complaint about Criteo in 2018.
The group accuses Criteo of using various data collection and tracking mechanisms to profile users and enable highly targeted ads, which can then be sold to advertisers to provide them with user-specific predictions. Privacy International’s argument is that Criteo has collected data using tracking techniques and profiled users in a manner that goes way beyond what it has a legal basis for, and is therefore not GDPR compliant.
A spokeswoman for Privacy International has been quoted as saying:
“The CNIL informed us on Tuesday 3 August as they have an obligation to keep complainants informed of the progress of their complaints. It’s not a final decision yet, hence why it’s not public,” she told TechCrunch. “They can’t even share it with us. Criteo now has the opportunity to make representations and to implement corrective measures, after which there will be a hearing, followed by a final decision likely in 2023.”
TechCrunch also reached out to the regulator and received the following comments:
“The CNIL has received complaints from Privacy International and [privacy advocacy group] noyb against Criteo; as part of the investigation of these complaints, checks were carried out.”
“Without confirming or denying the notification of a penalty report to Criteo, the CNIL specifies that such a document is only a document subject to contradictory exchanges and does not prejudge the decision that the restricted group adopts at the end of a penalty procedure,”
A filing by Criteo itself also addresses the fine, stating:
“The report includes a proposed financial sanction against the Company of €60.0 million ($65.4 million). Under the CNIL sanction procedures, Criteo has the right to respond in writing to the report, both with respect to the GDPR findings and the value of the sanction, following which there will be a formal hearing before the CNIL Sanction Committee. The CNIL Sanction Committee will then issue a draft decision that will be submitted for consultation to other European data protection authorities as part of the cooperation mechanism mandated by GDPR. Any final decision on resolution and potential financial penalties would likely not occur until 2023,”
Various high-profile privacy cases in recent years have highlighted the misuse of user data by companies looking to build as detailed a digital footprint as possible, which they can then sell to advertisers for vast amounts of money. The pushback from privacy advocates and GDPR regulators across Europe is key in preventing these organisations from continuing to harvest user data in pursuit of record-breaking profits. The processes and mechanisms they use aim to rid users of any privacy that they have online. The more data they can collect on your activity, the more they can predict your behaviour and sell highly targeted advertising. The stakeholders who keep these organisations in check through bans, restrictions and fines are key to maintaining whatever level of privacy and security we have whilst online.
Read TechCrunch’s full article on the Criteo fine, where they also detail other examples of recent data breaches by various organisations.