French Data Protection Authority (CNIL)-CRITEO (6/15/2023)

The controller is specialized in ‘retargeting advertising’. This involves the company tracking the surfing behavior of Internet users via so-called Criteo trackers (cookies) in order to show them personalized advertising.

In the course of its investigation, the DPA found numerous deficiencies in data processing.

First, the DPA found that the controller failed to prove that Internet users had given their consent to be tracked using the Criteo trackers. Also, the controller failed to ensure that its partners obtained consent from the Internet users of whose data it was processing.

The DPA further found that the controller’s privacy policy was not complete, as it did not list all the purposes for which it was processing data. In addition, some of the purposes were not clearly defined.

In addition, the controller failed to adequately respond to a data subject’s requests for information regarding their personal data.

The DPA also found that when data subjects requested withdrawal of their consent or deletion of their data, the controller merely ensured that users were no longer shown personalized advertising. However, the controller did not delete the personal data of the data subjects.

Finally, the DPA found that the agreement between the controller and a joint controller was incomplete.

In determining the amount of the fine, the DPA considered the fact that a large number of individuals were affected as an aggravating factor.