August 23, 2023

The CNIL's Decision: A €40 Million GDPR Fine on CRITEO

Criteo, a global advertising technology company, has been fined EUR 40 million by the French data protection authority for violating the General Data Protection Regulation (GDPR). This is one of the largest GDPR fines ever imposed, and it sends a strong message to businesses that they must comply with the law.

On June 22, 2023, the French data protection authority, the CNIL, fined Criteo EUR 40 million for violating the General Data Protection Regulation (GDPR). The fine is one of the largest ever imposed under the GDPR and sends a strong message to businesses that they must comply with the law.

Criteo is a global advertising technology company that collects and uses personal data to target ads to users.

What was the violation?

The CNIL found that Criteo had violated the GDPR in several ways, including:

  • Failing to obtain users' consent to collect and use their personal data.
  • Not providing users with clear and concise information about how their data was being collected and used.
  • Not giving users the right to access, rectify, and erase their personal data.
  • Not taking appropriate security measures to protect users' data.

What was the decision?

As mentioned earlier, the CNIL fined Criteo EUR 40 million for the violations under the GDPR. In addition to the fine, the CNIL also ordered Criteo to take steps to comply with the GDPR, including:

  • Implementing a new consent management platform that complies with the GDPR.
  • Providing users with more information about how their data is being collected and used.
  • Giving users the right to access, rectify, and erase their personal data more easily.
  • Taking additional security measures to protect users' data.

The CNIL's decision is a significant victory for privacy advocates and a warning to other businesses that they must comply with the GDPR. It is also significant because it provides further guidance on how businesses can comply with the GDPR. The CNIL's decision makes it clear that businesses must:

  • Obtain users' consent to collect and use their personal data in a clear and concise way.
  • Provide users with access to their personal data and the right to rectify or erase it.
  • Take appropriate security measures to protect users' data.

This decision is a major development in the field of data privacy and will have a significant impact on businesses that collect and use personal data. Businesses that fail to comply with the GDPR face the risk of significant fines and other penalties.

Criteo has said that it will appeal the CNIL's decision. However, the fine and the CNIL's order send a clear message to businesses that they must comply with the GDPR or face the consequences.

How can you avoid GDPR fines?

To avoid GDPR fines, you should take the following steps:

  1. Obtain valid consent from users to collect and use their personal data. The consent must be clear, concise, and freely given. This means that users must be able to understand what they are consenting to, and they must not feel pressured to consent.
  2. Provide users with clear and concise information about how their data is being collected and used. This information should be easy to understand and should be accessible to users. The information should include the following:
    - The purpose for collecting the data
    - The types of data being collected
    - How the data will be used
    - Who the data will be shared with
    - The rights of users to access, rectify, and erase their data
  3. Give users the right to access, rectify, and erase their personal data. Businesses should make it easy for users to exercise these rights. This may involve providing a way for users to download their data, correct any inaccuracies, or request that their data be deleted.
  4. Take appropriate security measures to protect users' data. This includes measures to prevent unauthorized access to or disclosure of data. This may involve using encryption, firewalls, and other security measures.

In addition to the steps listed above, you should also:

  • Conduct regular data audits to identify and address any compliance gaps.
  • Implement a data protection management system to document and track your compliance efforts.
  • Train employees on data protection best practices.
  • Have a plan in place to respond to data breaches.

Specifically, to address the violations in the article above, you should:

  • Make sure that your consent mechanism is clear and concise, and that it gives users a meaningful choice about whether to consent to the processing of their data.
  • Provide users with clear and concise information about how their personal data is being collected and used. This information should be easy to understand and should be accessible to users.
  • Make it easy for users to access, rectify, and erase their personal data. This may involve providing a way for users to download their data, correct any inaccuracies, or request that their data be deleted.
  • Implement appropriate security measures to protect users' data. This includes measures to prevent unauthorized access to or disclosure of data.
