The CNIL's Decision: A €40 Million GDPR Fine on CRITEO
Criteo, a global advertising technology company, has been fined EUR 40 million by the French data protection authority for violating the General Data Protection Regulation (GDPR). This is one of the largest GDPR fines ever imposed, and it sends a strong message to businesses that they must comply with the law.
On June 22, 2023, the French data protection authority, the CNIL, fined Criteo EUR 40 million for violating the General Data Protection Regulation (GDPR). The fine is one of the largest ever imposed under the GDPR and sends a strong message to businesses that they must comply with the law.
Criteo is a global advertising technology company that collects and uses personal data to target ads to users.
What was the violation?
The CNIL found that Criteo had violated the GDPR in several ways, including:
- Failing to obtain users' consent to collect and use their personal data.
- Not providing users with clear and concise information about how their data was being collected and used.
- Not giving users the right to access, rectify, and erase their personal data.
- Not taking appropriate security measures to protect users' data.
What was the decision?
As mentioned earlier, CNIL filed Criteo EUR 40 million for the violations under GDPR. In addition to the fine, the CNIL also ordered Criteo to take steps to comply with the GDPR, including:
- Implementing a new consent management platform that complies with the GDPR.
- Providing users with more information about how their data is being collected and used.
- Giving users the right to access, rectify, and erase their personal data more easily.
- Taking additional security measures to protect users' data.
The CNIL's decision is a significant victory for privacy advocates and a warning to other businesses that they must comply with the GDPR. It is also significant because it provides further guidance on how businesses can comply with the GDPR. The CNIL's decision makes it clear that businesses must:
- Obtain users' consent to collect and use their personal data in a clear and concise way.
- Provide users with access to their personal data and the right to rectify or erase it.
- Take appropriate security measures to protect users' data.
This decision is a major development in the field of data privacy and will have a significant impact on businesses that collect and use personal data. Businesses that fail to comply with the GDPR face the risk of significant fines and other penalties.
Criteo has said that it will appeal the CNIL's decision. However, the fine and the CNIL's order send a clear message to businesses that they must comply with the GDPR or face the consequences.
How can you avoid GDPR fines?
To avoid GDPR fines, you should take the following steps:
- Obtain valid consent from users to collect and use their personal data. The consent must be clear, concise, and freely given. This means that users must be able to understand what they are consenting to, and they must not feel pressured to consent.
- Provide clear and concise information about how their data is being collected and used. This information should be easy to understand and should be accessible to users. The information should include the following:
undefinedundefinedundefinedundefinedundefined - Give users the right to access, rectify, and erase their personal data. Businesses should make it easy for users to exercise these rights. This may involve providing a way for users to download their data, correct any inaccuracies, or request that their data be deleted.
- Take appropriate security measures to protect users' data. This includes measures to prevent unauthorized access to or disclosure of data. This may involve using encryption, firewalls, and other security measures.
In addition to the steps listed above, you should also:
- Conduct regular data audits to identify and address any compliance gaps.
- Implement a data protection management system to document and track your compliance efforts.
- Train employees on data protection best practices.
- Have a plan in place to respond to data breaches.
Specifically, to address the violations in the article above, you should:
- Make sure that your consent mechanism is clear and concise, and that it gives users a meaningful choice about whether to consent to the processing of their data.
- Provide users with clear and concise information about how their personal data is being collected and used. This information should be easy to understand and should be accessible to users.
- Make it easy for users to access, rectify, and erase their personal data. This may involve providing a way for users to download their data, correct any inaccuracies, or request that their data be deleted.
- Implement appropriate security measures to protect users' data. This includes measures to prevent unauthorized access to or disclosure of data.

Automating CCPA Risk Assessments and Cybersecurity Audits: Complying with Draft Regulations
The issued draft regulations on CCPA risk assessments and cybersecurity audits by the California Privacy Protection Agency (CPPA) give you an idea of how to comply with imminent obligations
- Data Protection
- USA

India Digital Personal Data Protection Act 2023 - All You Need to Know
Discover the India Digital Personal Data Protection Act (DPDPA) 2023 – India's first comprehensive data protection law. Learn how it affects businesses, data principals, and more. Stay informed about the latest data privacy regulations.
- Data Protection

International Privacy Authorities Issue Joint Statement on Data Scraping
Learn about the joint statement issued by global privacy authorities on August 24, 2023, addressing the risks of data scraping to privacy. Discover its implications for businesses and mitigation strategies
- Data Protection