France’s highest administrative court has upheld a €40 million fine imposed on Criteo, a Paris-based online advertising company, for breaches of European Union data protection rules. The decision confirms a penalty issued by the Commission Nationale de l’Informatique et des Libertés, France’s data protection authority responsible for enforcing the General Data Protection Regulation. The regulator found that Criteo failed to comply with several requirements related to how user data is collected and processed.
Criteo provides advertising services that rely on tracking users’ browsing activity to deliver targeted advertisements. The company uses cookies placed on partner websites to collect data about user behavior and determine which products or services may be relevant to individual users.
The investigation found that tracking cookies were placed on users’ devices without valid consent. Under GDPR rules, companies must obtain clear and informed permission before processing personal data. The regulator also concluded that Criteo could not demonstrate that users had given such consent, even though some responsibility for obtaining it lies with partner websites.
Authorities also identified additional violations. According to the findings, the company did not provide sufficient transparency about how personal data was used and failed to comply with user rights, including access to data and the ability to request deletion.
The case originated from complaints filed in 2018 by privacy organizations noyb and Privacy International. These complaints triggered an investigation by the French regulator, which expanded to examine multiple aspects of the company’s data processing practices.
Criteo appealed the fine, arguing that the identifiers it used for tracking were pseudonymous and should not be considered personal data. The company stated that these identifiers did not directly reveal a user’s identity.
The court rejected this argument. It ruled that data can only be treated as anonymous if re-identification is practically impossible. The judges found that Criteo’s system allows large volumes of data to be combined, meaning users could potentially be identified, and that the data therefore falls within the scope of GDPR protections.
Following the ruling, the €40 million fine remains in place. Authorities have not announced additional penalties or enforcement measures related to the case. The decision confirms the regulator’s findings and concludes the company’s legal challenge against the penalty.
