In the latest strike against a macabre “tracking ad” complex, French ad tech giant Criteo has been found to have violated European Union data protection rules and is subject to a €60 million (~$65 million) sanction by the country’s national privacy watchdog, in a preliminary decision after many years of investigation.
Digital rights group Privacy International, which filed a formal complaint against the ad tech giant for surveillance back in 2018 when the General Data Protection Regulation (GDPR) went into effect, tweeted news about the sanctions today.
It accuses Criteo of using what it calls a “manipulation machine” through a suite of tracking and data processing techniques that are designed to profile web users so they can be targeted for behavioral ads, with advertisers paying for “individual level” customer forecasts.
Privacy International’s complaint alleges that Criteo does not have a proper legal basis for all of this tracking and profiling to be GDPR compliant, and the French supervisory authority appears to agree.
A spokesperson for Privacy International stated that they did not receive a copy of the CNIL’s preliminary decision, but were informed of developments by the French watchdog in accordance with the standard complaints procedure.
“CNIL informed us on Tuesday, August 3, as they are obliged to inform the applicants about the progress of their complaints. It’s not final yet, so it’s not public,” she told TechCrunch. “They can’t even share it with us. Criteo now has the opportunity to make a submission and take corrective action, followed by a hearing followed by a final decision, likely in 2023.”
We have also contacted CNIL.
Criteo’s August 3 filing confirms CNIL’s preliminary finding of what is described on Form 8-K/A as “certain breaches of the GDPR, in particular with respect to the Company’s contractual relationship with its advertisers and publishers in relation to oversight of obtaining consent.”
“The report includes proposed financial sanctions against the company in the amount of 60.0 million euros (65.4 million US dollars). In accordance with the CNIL sanctions procedures, Criteo has the right to respond in writing to the report both in relation to the findings of the GDPR and in relation to the amount of the sanction, after which a formal hearing will be held in the CNIL Sanctions Committee. The CNIL Sanctions Committee will then publish a draft decision, which will be submitted for consultation to other European data protection authorities under the cooperation mechanism provided for by the GDPR. A final decision on the permit and potential financial penalties will likely not be made until 2023,” Criteo said in a statement.
We contacted Criteo for further comments on the sanctions and a spokesperson pointed us to a statement on its website, where Ryan Damon, General Counsel, also writes:
We strongly disagree with the conclusions contained in the CNIL investigator’s report, both on the merits of the investigator’s allegations of non-compliance with the GDPR and on the amount of sanctions proposed. We believe that the merits of this report are fundamentally misguided and that the proposed sanctions are not commensurate with the alleged non-compliant actions. We look forward to further dialogue with the CNIL, as well as the defense of our case before the final arbitrator for a final decision. Criteo continues to maintain the highest privacy standards and conducts a fully transparent and compliant global business. We will have no further comment until these ongoing proceedings are resolved.
CNIL does not appear to have posted a notice of the decision on its own website, likely because it is preliminary. (Although EU DPAs don’t always publish decisions either.)
It remains to be seen if the watchdog will stick to its stance as the French advertising tech giant is aggressively resisting its findings.
But the preliminary ruling is just the latest blow (in Europe) to the so-called “ad surveillance” ecosystem, which in previous years of regulatory hibernation on data protection, has made it its mission to strip web users of their privacy in an attempt to optimize advertisers’ ability to manipulate people’s attention.
A string of privacy and data scandals has drawn attention to what some critics are calling the biggest data breach of all time, leading to a rough awakening around mainstream adtech’s creepy, no-consent working method, which in turn leads to regulatory and legislative double counting (even though much still lies ahead).
Previously this year, the Belgian DPA confirmed an earlier preliminary opinion on the advertising industry body, IAB Europe, and its flagship cross-industry standard for collecting information on user choices for ad tracking, called the Transparency and Consent Framework (TCF). The IAB set a hard six-month deadline for reforming the structure to bring it into line (although privacy experts have suggested that nothing short of a fundamental reconfiguration of these systems will come to fruition).
In recent years, the French CNIL has also issued several major sanctions against tracking cookie violations – in accordance with the bloc’s legislation on electronic privacy – and earlier this year Google (one of the tech giants under sanctions) released an updated cookie banner in Europe that finally offers users a clear choice to opt out of being tracked. Quite a victory.
This year, EU legislators also agreed on the prohibition of the use of confidential data and data of children used for targeted advertising in incoming digital regulations. Meanwhile, in a decision this week, the bloc’s highest court appears to be intent on strengthening this inbound restriction by enshrining a non-narrow definition of what constitutes sensitive data.
Credit: techcrunch.com