Retargeting giant Criteo is being investigated by the French data protection authority following a complaint by an international privacy group about the collection and exploitation of consumers’ data by adtechs.
Which-50 has confirmed the investigation with both the French authority and Criteo in what could be a landmark case for advertising technology companies in the context of GDPR.
In November 2018 Privacy International, a global charity that promotes data rights, filed complaints with several data regulators in Ireland, the UK and France about the practices of seven data brokers, adtechs and credit agencies, including adtechs Criteo, Quantcast, and Tapad.
The privacy group says the adtechs are making “systematic infringements of data protection law” including GDPR, Europe’s data regulation, which carries hefty penalties of up to €10 million, or 2 per cent of the worldwide annual revenue of the prior financial year, whichever is higher.
Privacy International says its complaints triggered investigations in the UK and Ireland in 2019, and most recently one by France’s data protection authority, CNIL, which began in January this year but remained unreported until highlighted by the group this week.
The French authority confirmed overnight it has begun a formal investigation into Criteo but declined to say anything more.
Criteo told Which-50 it is cooperating with the investigations and said the original complaint “was not specifically targeted at Criteo or its specific practices”. The company said it had disclosed the investigation to investors in early February when it released its annual report.
That report states: “In January 2020, CNIL opened a formal investigation into Criteo in response to this complaint. There can be no assurance that action will not be required as a result.”
Criteo, a NASDAQ-listed French company, uses consumer data and tracking to serve “personalised” online advertising based on information about consumers. The company told Which-50 it does this using “privacy by design” and works constructively with several data protection authorities in different markets.
But privacy groups argue the practice, common amongst adtechs, relies on infringing the privacy of consumers, who don’t understand data collection and processing, an exploitation GDPR is designed to combat.
“These are not the only companies involved in questionable data practices,” Privacy International’s 2018 complaint states of the three adtechs.
“The problems that each of these companies illustrate are systematic in the data broker and adtech ecosystems which are made up of hundreds of companies. Thus, for this and the reasons detailed in this submission together with the other joined complaints it is imperative that Data Protection Authorities … not only investigates these specific companies, but also take action in respect of other relevant actors in these industries and / or their general business practices.”
Criteo’s full statement:
We confirm that in January 2020, the CNIL opened a formal investigation into Criteo in response to a complaint filed by Privacy International back in November 2018. The complaint was not specifically targeted at Criteo or its specific practices, but instead was spread across 7 companies and 3 DPAs (Data Protection Authorities), challenging in a general manner the practices of data brokers, ad tech firms, and credit scoring firms. The CNIL is Criteo’s supervisory authority as a French company, so this is a normal procedure that we’ve already publicly disclosed. We are currently collaborating with the CNIL in their review and remain completely confident in our privacy practices.
Since our founding in Europe in 2005, we have developed our technology with the principle of Privacy by Design guiding us, while helping our clients meet shopper expectations with advertising that is personalised and relevant. As a global company with major offices in multiple EU countries, we are used to complying with country-level requirements across the world.
Moreover, Criteo regularly collaborates and consults with the CNIL (French DPA), which is our home DPA and supervisory authority under the GDPR, on privacy matters relating to Criteo and our industry.