EU regulators are proposing a EUR 60m fine on French ad tech company Criteo for consumer tracking, profiling and targeting activities said to breach GDPR. The company 'strongly disagrees' with the findings, has time to respond in detail, and a final decision is likely to be taken in 2023.
A complaint from advocacy group Privacy International in 2018 said Criteo, along with a number of other big names including Acxiom, Oracle, Experian, Equifax, Quantcast and Tapad, was acting as a 'manipulation machine' in the way it collected, linked, used and shared consumer data. France's national privacy watchdog CNIL announced a preliminary decision last week after a two-year investigation.
Tweeting about the news on Friday (https://twitter.com/privacyint/status/1555572602273406976), Privacy International said Criteo acted unlawfully by creating 'highly invasive, granular profiles of people without telling them'; that it knows 'exactly who people are' despite claiming its process of 'pseudonymising' data stops this, because they focus on 'individual shopper level' prediction; supplement cross-device tracking with data from other brokers, 'developing an incredibly fine-grained view of most of an individual's activities through the day'; and that they 'don't tell people who they share all these data and profiles with - and obviously don't even try to ask people for their consent'.
The regulatory process means that Criteo now has the opportunity to make representations and take steps to correct things, after which there will be a hearing and then a final decision in 2023. In an exchange filing (form 8-K/A) Criteo acknowledged that the regulator was citing 'certain GDPR violations, in particular relating to the Company's contractual relationships with its advertisers and publishers with respect to consent collection oversight'. In a statement on its web site Criteo's Chief Legal Officer Ryan Damon says: 'We strongly disagree with the findings in the CNIL investigator's report, both on the merits relating to the investigator's assertions of non-compliance with GDPR and the quantum of the proposed sanction. We find the merits of this report to be fundamentally flawed, and the proposed sanctions to be incommensurate with the alleged non-compliant actions. We look forward to further dialogue with the CNIL as well as to defend our case to the ultimate arbitrator of a final decision. Criteo continues to uphold the highest privacy standards, and operates a fully transparent and regulatory-compliant global business. We will not have any further comment until these ongoing proceedings are resolved'.
Criteo is led by CEO and former Nielsen exec Megan Clarken, brought in former Xaxis Global CEO Brian Gleason as Chief Revenue Officer in February this year, and announced in December that it would acquire programmatic ad tech firm IPONWEB for $380m, allowing it to position itself as the 'commerce media partner of choice for the post third-party cookie and identifier world'.
Web sites: www.cnil.fr/en/home and www.criteo.com .
All articles 2006-22 written and edited by Mel Crowther and/or Nick Thomas unless otherwise stated.