CNIL fines Criteo €40m for adtech breaches

The French data protection authority, the CNIL, has issued a fine of €40m against French adtech giant Criteo. The penalty is in respect of alleged breaches of the GDPR concerning consent, transparency, access rights and joint control.

The final penalty represents a reduction from the originally proposed €60m. It seems that the CNIL took heed of Criteo’s representations on the scale of the fine (at least in part).

For those who want to dig into the details, you can read my longer case summary here.

However, my key takeaway points are:

• There is a very high bar set by the CNIL when it comes to verification and audit of partner consent practices. The expectation is that intermediaries who rely on consent must actively check the validity of such consents.
• Similarly, when it comes to transparency the CNIL was not satisfied with muddled wording on lawful bases which did not allow data subjects to discern which basis applied to which purpose. Partly as a result of this regulatory posture (which we have also seen elsewhere), there is an increasing trend towards tabular privacy notices, which can be helpful in setting out the interaction between data categories, purposes and lawful basis.
• In some cases the CNIL refers to improvements made by Criteo (e.g. a new privacy notice and a new approach to auditing publishers). There is always a risk in enforcement proceedings that improvements can be used against controllers as a means of demonstrating earlier non-compliance. We usually look to push back hard against this type of regulatory position by maintaining (if possible) that the earlier approach was appropriate at that time and that “continuous improvement” is an ongoing obligation for all controllers.
• When it comes to DSARs, regulators are clearly expecting data subjects to be able to understand the data provided to them. This can be extremely difficult in an adtech context where sometimes the data is only intelligible with a broader understanding of how the ecosystem operates. However, the onus is on controllers to try and go further in being helpful to data subjects by providing as much background and context as possible.
• Joint control does seem to be found here, there and everywhere when it comes to adtech. Even if controllers don’t want to acknowledge joint control in their agreements, such agreements should include some allocation of responsibility when it comes to core issues such as data subject rights (even if only to say that both parties should be responsible for the rights requests they receive).