Adtech firm Criteo is under the gun for alleged privacy violations. But the company denies that it has violated Europe’s data privacy laws.
It’s a tenuous time to be walking the data privacy tightrope. Just ask Criteo, the publicly-traded adtech company that said in a financial filing today that it has been hit with a proposed fine of roughly $65.4m for alleged breaches of the EU’s sweeping General Data Protection Regulation (GDPR).
The news comes some two years after France’s data privacy body Commission Nationale de l'Informatique et des Libertés (CNIL) launched an investigation into the company’s data practices.
While specific details concerning the investigation and the reasons behind the proposed fine remain under wraps, Criteo’s chief legal officer Ryan Damon today issued a statement saying that the firm “strongly disagrees” with the report’s findings, “both on the merits relating to the investigator's assertions of non-compliance with GDPR and the quantum of the proposed sanction.” He went on to say: “We find the merits of this report to be fundamentally flawed, and the proposed sanctions to be incommensurate with the alleged non-compliant actions.”
The investigation was kicked off after Privacy International — a nonprofit UK-based data privacy advocacy group — in 2018 filed a complaint with a handful of European authorities over the data processing practices of seven adtech firms, including Criteo. Specifically, Privacy International raised concerns over whether Criteo was processing internet users’ data — including sensitive, special category data — with the appropriate user consent frameworks in place.
Privacy International also alleged that certain high-level GDPR principles such as fairness, transparency, data minimization, accuracy, integrity and purpose limitation were not being met by Criteo and other adtech companies.
Criteo has the right to respond to the investigation’s findings in writing and is preparing for a formal hearing before the CNIL Sanction Committee. Following this hearing, the Committee will issue a draft decision that will then be reviewed by other European data authorities. A final decision on the case — as well as associated fines — likely won’t be finalized until some time next year, according to Criteo.
“We look forward to further dialogue with the CNIL as well as to defend our case to the ultimate arbitrator of a final decision,” said Damon in his statement. “Criteo continues to uphold the highest privacy standards, and operates a fully transparent and regulatory-compliant global business.”
The news serves as a cautionary tale for other advertising and technology companies that traffic in consumers’ personal information, especially as privacy efforts around the world ramp up.
“If [Criteo is] guilty of violating GDPR, it's likely that most non-consumer-facing adtech companies — and many of the consumer-facing ones — are also guilty,” says Shiv Gupta, managing partner at U of Digital, a digital marketing education firm. At this point, he says, it’s unclear whether CNIL and other European data authorities are using Criteo as an example to warn others or whether this could be “the start of a series of hefty fines against ad tech companies.”
Considering this is among the first high-profile adtech companies to be hit with high GDPR penalties, Gupta predicts that the case is likely to be “dragged out and re-litigated many times over” — because “precedent will be really important” moving forward.