Criteo, an ad tech company that tracks users activity, has been hit with a proposed €60 Million fine for GDPR violations.
The multi-year success story of Europe’s General Data Protection Regulation (GDPR) is carrying on. Criteo, an ad tech company that tracks user activity across the web, could be slapped with a €60 Million fine for failing to properly obtain consent of the users they tracked. The fine was handed out by French Data Protection Authority (DPA), CNIL. From TechCrunch:
Digital rights advocacy group Privacy International, which lodged a formal complaint against the surveillance adtech giant back in 2018, when the bloc’s General Data Protection Regulation (GDPR) came into application, tweeted news of the sanction today
BREAKING: Nearly 4 years after our complaint and 2 after starting their investigation, the French data protection authority CNIL finds breaches in Criteo's activities, and proposes a fine of €60 million.
Why did this happen and why does it matter? 👇 https://t.co/0DGq1nhj9E
— Privacy International (@privacyint) August 5, 2022
It accuses Criteo of operating what it dubs a “manipulation machine”, via the application of a suite of tracking techniques and data processing practices which are designed to profile web users so they can be targeted with behavioral ads and advertisers pay for “individual-level shopper predictions”.
Privacy International’s complaint argues Criteo does not have proper legal bases for all this tracking and profiling to be compliant with the GDPR — and it appears France’s watchdog is minded to agree.
A spokeswoman for Privacy International said they have not received a copy of the CNIL’s preliminary decision but were informed of the development by the French watchdog following standard complaint handling procedure.
“The CNIL informed us on Tuesday 3 August as they have an obligation to keep complainants informed of the progress of their complaints. It’s not a final decision yet, hence why it’s not public,” she told TechCrunch. “They can’t even share it with us. Criteo now has the opportunity to make representations and to implement corrective measures, after which there will be a hearing, followed by a final decision likely in 2023.”
The latest fine, however preliminary it may be, appears to be the latest success story to come from the GDPR. It was only last month, that controversial facial recognition company, Clearview.ai, was hit with a €20 million fine in Greece.
Indeed, the GDPR system is not perfect. After all, there have been calls for the European Commission to harmonize enforcement of DPAs, but that doesn’t necessarily mean that the system is broken. In fact, the system is still churning out success stories on a fairly regular basis. It’s these success stories that show that the GDPR is truly a gold standard in privacy laws on the international stage – even with its flaws.
Drew Wilson on Twitter: @icecube85 and Facebook.