Loud and Clear! CNIL sends strong privacy message with new €40 million fine of CRITEO


The French Data Protection Authority, the CNIL, has fined advertising company CRITEO €40 million for improper conduct in handling users’ personal data. This is one of the largest fines of its kind, and perhaps a sign of a new era.

In a significant development highlighting the growing concerns around data privacy, the French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), has imposed a substantial fine of €40 million on CRITEO, a major online advertising company. The penalty comes as a result of CRITEO's failure to comply with the European Union's General Data Protection Regulation (GDPR) in its practices related to personalized advertising. This decision has far-reaching implications not only for CRITEO but also for the broader landscape of data privacy worldwide.

A privacy failure from CRITEO

The CNIL's investigation into CRITEO was prompted by numerous complaints lodged against the company by internet users, accusing it of non-compliance with GDPR principles and improper handling of users' personal data. After a thorough examination, the CNIL found that CRITEO had violated several provisions of the GDPR, including the lack of valid consent, insufficient transparency, and inadequate data retention practices. The CNIL determined that CRITEO's personalized advertising practices did not meet the standards required to protect individuals' privacy rights.

As a result of its findings, the CNIL has imposed the substantial fine of €40 million, sending a clear message that data protection authorities are committed to enforcing GDPR regulations and holding companies accountable for their data privacy practices.

A message that can be heard beyond French borders

The CNIL's decision has significant implications for data privacy worldwide. Firstly, it demonstrates the commitment of European data protection authorities to ensure compliance with the GDPR, which sets globally respected standards for the protection of personal data. The fine serves as a strong deterrent for companies operating within Europe, emphasizing the importance of robust data protection measures and respect for individuals' privacy.

Secondly, this decision sets a precedent that may influence data privacy practices beyond European borders. As data flows are increasingly global, companies operating internationally must recognize the importance of aligning their practices with the GDPR's principles. Non-compliance can lead to severe financial penalties, damage to reputation, and potential legal consequences.

Furthermore, the CNIL's decision serves as a wake-up call for businesses worldwide to reevaluate their data privacy practices. It underscores the need for organizations to prioritize transparency, obtain valid consent, and implement appropriate security measures when handling personal data. Compliance with data protection regulations is no longer a choice but a necessity to maintain customer trust and avoid regulatory action.

Sister-decisions on the rise globally

As data privacy continues to be a pressing concern, many regulatory authorities are beginning to hold companies accountable for their handling of personal data, ultimately safeguarding the privacy rights of individuals in an increasingly data-driven world. Although this case reflects the CNIL’s agenda of sending a message to non-complying companies, it is not a matter that concerns French companies alone: many state authorities, whether European or not, are beginning to crack down on data privacy violations and to publish decisions similar to the CNIL’s. We have seen this with the UK Data Protection Regulator, which has fined TikTok over €13 million for privacy violations, and with the Swedish Authority for Privacy, which has fined Spotify over €5 million for GDPR breaches. These decisions, along with the CNIL’s latest one, reinforce the importance of complying with the GDPR's rigorous standards and send a clear message to companies operating in the digital advertising industry. This decision underscores the need for organizations worldwide to prioritize data privacy, adopt robust compliance measures, and ensure the protection of individuals' personal information.


Article provided by INPLP member: Charlotte Gerrish (Gerrish Legal SARL, France)


