Advertising Company CRITEO fined €40 million

Data Subject Rights
 /  22 June 2023

The French Data Protection Authority (CNIL) fined Criteo, a major online advertisement and tracking company in Europe, €40 million for violating the GDPR. This decision is based on complaints filed by noyb and Privacy International in December 2018. The CNIL found that the company failed to comply with data subject rights under the GDPR and could not prove that they obtained valid consent.


Criteo – prominent ad-tech player. The French company Criteo provides “behavioral retargeting” services on thousands of websites. To do so, the company places tracking cookies on websites in order to analyze browsing habits and determine which products and services a user is likely to buy. The company has data on about 370 million people in Europe.

Complaint led to further investigation. In December 2018, more than 4.5 years ago, noyb and Privacy International filed complaints against Criteo for not providing users with a proper option to withdraw consent. This complaint triggered an extensive investigation by the CNIL, the competent data protection authority for Criteo. The CNIL also broadened the scope to other areas and found additional infringements of the GDPR: among others the lack of transparency, failure to comply with the right to erasure and the right to access.

Romain Robert, data protection lawyer at noyb: “We are very happy about the decision the CNIL issued. It is a strong signal to the ad-tech industry that they will face dire consequences for breaking the law.”

Major blow to Criteo’s business model. The French Data Protection Authority has concluded a deeper investigation into Criteo’s business model. It revealed numerous violations of the GDPR. Since a very large number of people are affected by those infringements and huge amounts of data are collected and processed, the CNIL decided on a substantial fine of €40 million. The decision was also approved by all other DPAs in Europe.