On June 15, 2023, Criteo, a prominent digital advertising company specializing in behavioral retargeting, was fined EUR 40 million by CNIL for alleged non-compliance with certain provisions of the General Data Protection Regulation (GDPR) regarding personalized advertising practices.
The CNIL identified several GDPR infringements:
- Criteo failed to demonstrate consent as required by Article 7.1 of the GDPR. While the responsibility of obtaining consent lies with Criteo’s partners (publishers and e-commerce websites) who directly interact with end users, the CNIL found that Criteo had not taken sufficient measures to ensure proper consent collection by its partners. The absence of contractual provisions enabling Criteo to receive evidence that consent was obtained, as well as lack of actual auditing and monitoring, contributed to this non-compliance.
- Criteo did not comply with the disclosure and transparency obligations (Articles 12 and 13 of the GDPR), as the Criteo privacy policy (since corrected) did not adequately disclose all intended purposes of data processing, and some purposes were described in vague and broad terms, making it difficult for users to understand which personal data was being used and for what purposes.
- Criteo failed to respect the right of access (Article 15.1 of the GDPR): when users exercised their right to access their personal data, Criteo did not provide all the data processed by the company. The CNIL emphasized that controllers should furnish users with all available data and provide the explanations and supplemental information necessary for users to comprehend the collected data and its purposes. In practice, this means that in addition to the many requirements under Article 15, a controller also needs to provide an executive summary explaining to users what they are receiving; in an ad-tech context this means explaining the ad calls, logs and other data in a “user friendly” manner.
- Criteo did not comply with the right to withdraw consent and erase data (i.e., “deletion requests” as required under Articles 7.3 and 17.1 of the GDPR). Upon receiving requests for deletion or withdrawal of consent, Criteo only ceased displaying personalized advertisements to users, meaning they removed the connection between the user ID and the “raw data” or profile associated with it, without deleting the unique identifier and associated “raw data” that could identify the individual. The CNIL contended that Criteo’s actions did not meet the requirements of Article 17 of the GDPR regarding deletion requests since they only disconnected the identifier without erasing it or the related browsing events. Merely discontinuing identifiers and user tracking after such requests did not fulfill the requirements for complete deletion.
- Criteo failed to establish a proper data processing agreement: the agreement between Criteo and its partners lacked specifications regarding the respective obligations of the controllers, including requirements such as notification in case of data subject requests or data breaches, as well as providing assistance in conducting data protection impact assessments.
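To make the deletion finding above concrete, the following is an added illustrative model (not Criteo's code; all identifiers and events are constructed sample data) contrasting a request handler that only detaches the profile with one that erases the identifier and its raw browsing events, and showing what an access request can still return after each:

```python
# Constructed model of the two deletion behaviours described in the CNIL decision.
from dataclasses import dataclass, field


@dataclass
class Store:
    # user_id -> raw browsing events tied to the identifier (constructed sample)
    events: dict = field(default_factory=dict)
    # user_id -> profile/segments used to serve personalised ads
    profiles: dict = field(default_factory=dict)


def seed() -> Store:
    """Build a store holding one hypothetical user's identifier, events and profile."""
    s = Store()
    s.events["uid-123"] = [
        {"site": "shop.example", "page": "/shoes"},
        {"site": "news.example", "page": "/sport"},
    ]
    s.profiles["uid-123"] = {"segments": ["sneakers"], "personalised": True}
    return s


def withdraw_consent_unlink_only(s: Store, user_id: str) -> bool:
    """Stops personalised ads only: the profile is detached, but the unique
    identifier and its raw events remain. Returns True if the identifier
    is still known to the system afterwards."""
    s.profiles.pop(user_id, None)
    return user_id in s.events


def erase_user(s: Store, user_id: str) -> bool:
    """Full erasure: identifier, profile and all browsing events are removed.
    Returns True when nothing keyed by the identifier remains."""
    s.profiles.pop(user_id, None)
    s.events.pop(user_id, None)
    return user_id not in s.events and user_id not in s.profiles


def access_request(s: Store, user_id: str) -> dict:
    """Everything the controller can still retrieve for this identifier."""
    return {
        "identifier_known": user_id in s.events or user_id in s.profiles,
        "events": list(s.events.get(user_id, [])),
        "profile": s.profiles.get(user_id),
    }
```

After the unlink-only handler, an access request for the same identifier still returns the full event history, which is the gap the CNIL identified; after full erasure it returns nothing.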
This case highlights the importance and obligations of all parties involved in the advertising industry to ensure proper consent collection from users (not just the website or app owners’ responsibility).
Companies are expected to actively ensure that their partners collect and store consent logs, to review and audit those consent logs rather than relying solely on general statements from website owners, and to have in place applicable privacy policies and data processing agreements with their partners.
These requirements are similar to the new requirements set forth by Google, which on June 16th announced that businesses using Google Ads (AdSense, Ad Manager, AdMob and Google Search) to target audiences in Europe or the UK must maintain a certified consent management platform (CMP). Google will be assessing various CMPs and will publish in the next few months the approved, certified list of such CMPs. Businesses are required to use only an approved CMP or otherwise receive limited advertising.
Most websites already integrate a valid CMP; however, Google clarified, and has already sent app developers notices, that a CMP is also required for any app displaying personalized ads in the EU. This UI is not as common in apps, and we believe we will see an impact when this is enforced.
Google’s announcement was made to ensure compliance with the new version of the IAB TCF, TCF v2.2, which eliminated “legitimate interest” as a lawful basis for personalized ads or content and requires vendors to be more active in ensuring consent signals are passed lawfully. These requirements include monitoring and auditing CMPs (through a tool provided by the IAB) and contractually obligating partners to provide consent logs, if needed, to demonstrate consent.
Further, the new TCF v2.2 requires vendors to update the GVL and to disclose the purpose and use of each data set collected (including adding examples and illustrations for each data set) and the retention period of each. The IAB further added obligations on the various CMPs to provide more details on the collection and use of personal data.
All of these updates are in addition to the Colorado and Connecticut regulations taking effect next week, making cookie banner disclosures and an opt-out option from the sharing or selling of personal information for targeted advertising a legal requirement in 4 US states (California, Virginia, Colorado and Connecticut).
This leads, of course, to the IAB Global Privacy Platform (“GPP”), which we will elaborate on in our next update regarding the upcoming US legislation.
We are happy to help all our clients with these implementations, all of which are connected to one another.
Regards,
APM Technology and Regulation Team.