The French Data Protection Authority (CNIL) fined Criteo, a major online advertisement and tracking company in Europe, €40 million for violating the GDPR. This decision is based on complaints filed by noyb and Privacy International in December 2018. The CNIL found that the company failed to comply with data subject rights under the GDPR and could not prove that it obtained valid consent. The Conseil d’Etat rejected Criteo's appeal and upheld the fine.
- Original Press Release by CNIL (EN)
- Original complaint filed in December 2018 by noyb and Privacy International
- Letter by the CNIL to noyb (FR)
- Conseil d’Etat decision
Criteo – prominent ad-tech player. The French company Criteo provides “behavioral retargeting” services on thousands of websites. To do so, the company places tracking cookies on websites in order to analyze browsing habits and determine which products and services a user is likely to buy. The company has data on about 370 million people in Europe.
Complaint led to further investigation. In December 2018, more than 7 years ago, noyb and Privacy International filed complaints against Criteo for not providing users with a proper option to withdraw consent. This complaint triggered an extensive investigation by the CNIL, the competent data protection authority for Criteo. The CNIL also broadened the scope to other areas and found additional infringements of the GDPR: among others, the lack of transparency and failure to comply with the right to erasure and the right to access.
Romain Robert, former data protection lawyer at noyb: “The decision is a strong signal to the ad-tech industry that they will face dire consequences for breaking the law.”
Major blow to Criteo’s business model. The French Data Protection Authority has concluded a deeper investigation into Criteo’s business model. It revealed numerous violations of the GDPR. Since a very large number of people are affected by those infringements and huge amounts of data are collected and processed, the CNIL decided on a substantial fine of €40 million. The decision was also approved by all other DPAs in Europe.
Update:
Criteo appealed the decision with the Conseil d’Etat.
In March 2026, the Conseil d’Etat rejected the appeal and confirmed the CNIL decision. This decision comes at a key moment in the debate surrounding the European Commission’s legislative reform proposal called the “Digital Omnibus”. The proposal includes a new definition of personal data, which would narrow the concept of what constitutes “personal” data, making it dependent on the subjective circumstances of the respective controller. This significant reduction of the GDPR’s scope of application, which might be exploited by companies engaged in behavioral online tracking, is widely criticised by experts and privacy advocates.
In the case brought before the Conseil d’Etat, Criteo contested the classification of pseudonymous identifiers as personal data, which were attributed in connection with the IP addresses of data subjects and other browsing data. The company argued that it did not have all the information necessary to re-identify the data subject from the assigned identifier. The Conseil d’Etat disagreed, stating that data can only be considered anonymized if the risk of re-identification of a data subject is “insignificant, such identification being impracticable in practice.” In the case of Criteo, considering that the purpose of the processing is to offer advertisements, a very large amount of information can be cross-referenced for a given identifier. In addition, Criteo itself confirmed that the identification of certain data subjects is not technically impossible. The Council of State therefore considered that these identifiers constituted personal data.