Background information
- Date of decision: 15 June 2023
- Cross-border case or national case: Cross-border case
- LSA: France
- CSAs: All EU SA’s
- Legal references: Article 7 (Conditions for consent), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 15 (Right to access by the data subject), Article 17 (Right to erasure (‘right to be forgotten’)), Article 26 (Joint controllers)
- Decision: Administrative fine
- Key words: Cookies, E-Commerce, Advertising, Consent, Information request
Summary of the Decision
Origin of the case
CRITEO specialises in “behavioral retargeting”, which consists of tracking the navigation of Internet users in order to display personalised advertisements. To this end, the company collects the browsing data of Internet users thanks to the CRITEO tracker (cookie) which is placed on their terminals when they visit certain CRITEO partner websites. Through this tracker, the company analyses browsing habits in order to determine which advertiser and for which product, it would be most relevant to display an advertisement to a particular user. Then, it participates in real time bidding and displays personalised advertising if it has won the bid.
Following complaints lodged by the organizations Privacy International and None of Your Business, the CNIL carried out several investigations into CRITEO.
Key Findings
The French SA found five breaches of the GDPR:
- Failure to demonstrate that the person has given consent (Article 7.1 GDPR)
- Failure to comply with the obligation of information and transparency (Articles 12 and 13 GDPR)
- Failure to respect the right of access (Article 15.1 GDPR)
- Failure to comply with the right to withdraw consent and erasure of data (Articles 7.3 and 17.1 GDPR)
- Failure to provide for an agreement between joint controllers (Article 26 GDPR)
The French SA imposed a fine of EUR 40 million on CRITEO.
Pursuant to the one-stop shop set up by the General Data Protection Regulation (GDPR), this decision was submitted to all the other 26 European supervisory authorities, since they were all concerned by this cross-border case and they all approved it.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.