Criteo SA – Court Ruling (Netherlands, 2024)

The controller is Criteo SA, a global technology company operating in media and entertainment that does consultancy, provides software and services in relation to digital marketing, media advertising and real time ads bidding. The controller places tracking cookies for targeted advertising on computers and mobile devices of users visiting certain third party websites. The controller uses the Real Time Bidding (RTB) System to recognise a user within seconds and to show personalised ads. In another case against the controller on 15 June 2023 , the French DPA ("CNIL") fined the controller €40 million for violating various articles of the GDPR, in particular for failing to verify that the persons from whom it processed data had given their consent. On 8 August 2023, the data subject wrote to the controller that the placing of tracking cookies on the data subject’s devices without the data subject’s consent, violates [https://www.google.com/search?client=firefox-b-d&q=telecommunicatiewet+11.7a Article 11.7a(1) Dutch telecommunications law] (“Telecommunicatiewet – TW”) and Articles 5(1)(a), 6(1), 7, 13 and 14 GDPR. The controller responded that it is the responsibility of the third party websites to obtain consent. The data subject filed an urgency procedure (“kort geding”) under Dutch civil law at the Amsterdam District Court (“Rechtbank Amsterdam”) against the controller. The court prohibited the controller from placing tracking cookies on the devices of the data subject and imposed a penalty of €250 for every day they fail to comply with the decision (with a maximum of €25.000). The controller appealed this decision on 30 October 2023. The Court of Amsterdam (“Gerechtshof Amsterdam”) found that tracking cookies were placed by the controller and that the data subject’s personal data was processed in violation of the GDPR. The court therefore prohibited the controller from placing tracking cookies and upheld the imposed penalty of the District Court after the judgem