GDPR fine of $61 million for adtech company Criteo
The French data protection authority (DPA) has proposed a fine of 60 million euros (U.S. $61.4 million) against the adtech company Criteo for failing to comply with the General Data Protection Regulation of the European Union (GDPR).
The CNIL opened an investigation into Criteo's data processing practices related to targeted advertising and user profiling in January 2020, and the company disclosed the proposed fine in a regulatory filing on Friday.
Although the company was informed of the proposed fine on August 3, it was stated that a final decision, including any financial sanctions, was unlikely to be approved until 2023.
As part of the cooperation mechanism under Article 60 of the GDPR, Criteo has the right to comment on the CNIL's conclusions and the suggested punishment prior to a draft decision being sent to other EU DPAs.
The CNIL has not made any public remarks on the matter. The European Center for Digital Rights, led by privacy activist Max Schrems, and the London-based privacy rights charity Privacy International both filed complaints against Criteo in 2018 as part of this investigation.
Six additional businesses (credit reference agencies Experian and Equifax, data brokers Acxiom and Oracle, and adtech companies Tapad and Quantcast) were singled out in the Privacy International complaint for the way they collected, used, and sold personal data for ad revenue without people's knowledge or consent.
While the U.K.'s Information Commissioner's Office (ICO) is still looking into Acxiom, Experian, and Equifax, the Irish Data Protection Commission confirmed in May 2019 that it is looking into Quantcast.
Privacy International referred to Criteo's business model as "a manipulation machine" on Twitter. The document claimed that the business's online advertising platform "sp[ies] on people's online browsing behavior to try and predict their propensity to engage with specific products and the types of ad design they would best respond to."
"We strongly disagree with the findings in the CNIL investigator's report, both on the merits relating to the investigator's assertions of non-compliance with GDPR and the quantum of the proposed sanction," said Criteo's Chief Legal Officer Ryan Damon in a statement posted on the company's website.
The proposed fine was "incommensurate with the alleged noncompliant actions," he continued, and the report's merits were "fundamentally flawed."
According to Damon, the business will defend its position and looks forward to "further dialogue with the CNIL." He continued, "Criteo continues to uphold the highest privacy standards and operates a fully transparent and regulatory-compliant global business."
Under the GDPR, the adtech sector has recently come under more scrutiny. The Belgian DPA fined the European division of the Interactive Advertising Bureau €250,000 ($286,000) in February for violating data privacy laws related to its Transparency and Consent Framework, which was designed to ensure GDPR compliance in the adtech industry.
The ICO called on Google and other online businesses to eliminate privacy risks brought on by the adtech sector in November when it released a set of data protection requirements businesses must adhere to when creating new advertising technologies.
By fLEXI tEAM