CRITEO – €40,000,000 Fine (France, 2023)
France's data protection authority fined CRITEO €40 million for tracking users without their consent. This matters because it shows that companies must be clear about how they collect and use personal data. Website operators should ensure they have proper consent mechanisms in place.
What happened
CRITEO tracked users across the internet using cookies without obtaining valid consent.
Who was affected
Internet users whose browsing behavior was tracked by CRITEO's advertising tools.
What the authority found
The authority found that CRITEO failed to prove users had consented to be tracked, violating GDPR rules on consent and transparency.
Why this matters
This case highlights the responsibility of companies to obtain clear consent from users for tracking. It sets a precedent that could impact how online advertising practices are regulated in the future.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The French DPA has imposed a fine of EUR 40 million on CRITEO. The controller is specialized in 'retargeting advertising'. This involves the company tracking the surfing behavior of Internet users via so-called Criteo trackers (cookies) in order to show them personalized advertising. In the course of its investigation, the DPA found numerous deficiencies in data processing. First, the DPA found that the controller failed to prove that Internet users had given their consent to be tracked using the Criteo trackers. Also, the controller failed to ensure that its partners obtained consent from the Internet users of whose data it was processing. The DPA further found that the controller's privacy policy was not complete, as it did not list all the purposes for which it was processing data. In addition, some of the purposes were not clearly defined. In addition, the controller failed to adequately respond to a data subject's requests for information regarding their personal data. The DPA also found that when data subjects requested withdrawal of their consent or deletion of their data, the controller merely ensured that users were no longer shown personalized advertising. However, the controller did not delete the personal data of the data subjects. Finally, the DPA found that the agreement between the controller and a joint controller was incomplete. In determining the amount of the fine, the DPA considered the fact that a large number of individuals were affected as an aggravating factor. ---UPDATE--- The controller appealed against the decision to the Council of State. The court confirmed the violations and upheld the fine, dismissing the appeal.
Violations (4)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
No accessible mechanism exists for users to withdraw previously given cookie consent.
Art. 7(3) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for CRITEO in FR
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
15 June 2023
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€40,000,000
Enforcement Tracker ID
ETid-1912
About this data
Cite as: Cookie Fines. CRITEO - France (2023). Retrieved from cookiefines.eu
Last updated: