COOKIES. CONSENT. COMPLIANCE
Schedule a Demo
secure privacy badge logo
Regulations
EUROPE
GDPR (EU) UK DPA (United Kingdom) FADP (Switzerland) NewDPA (Norway)

View All

North America
PIPEDA (Canada) CCPA/CPRA (California) CPA (Colorado) VCDPA (Virginia)

View All

Middle East
PDPL (UAE) DIFC DPA (Dubai) PDPL (Saudi Arabia) KVKK (Turkey)

View All

Asia
PIPA (South Korea) NewPIPL (China) Data Privacy Act 2012 (Philippines) PDPA (Singapore)

View All

Central and South America
LGPD (Brazil) DPL (Colombia) Personal Data Protection Law (Argentina) LSPDP (Panama)

View All

Africa
POPIA (South Africa) Law no.09-08 (Morocco) LPDP (Egypt) DPA (Kenya)
Oceania
APP (Australia) Privacy Act (New Zealand)
Features
Cookie BannersPreference CenterCookie & Website ScannerConsent LoggingData Subject Request FormsCookie PolicyPolicy CenterLegal Templates70+ Language Support
Cookie Banners
Integrations
HubspotWordpressMagentoAdobe Tag ManagerWixShopifyDrupalGoogle Tag ManagerWeeblySquarespaceWebviewSitecoreUmbracoJoomlaBigcommerceGoogle Consent ModeAdobe LaunchTealium IAB TCF v2.2
Hubspot badge
Pricing
Partner
Resources
BlogSupportContact UsRequest DemoTraining & CertificationGDPR Website Scanner
August 23, 2023

The CNIL's Decision: A €40 Million GDPR Fine on CRITEO

Criteo, a global advertising technology company, has been fined EUR 40 million by the French data protection authority for violating the General Data Protection Regulation (GDPR). This is one of the largest GDPR fines ever imposed, and it sends a strong message to businesses that they must comply with the law.

On June 22, 2023, the French data protection authority, the CNIL, fined Criteo EUR 40 million for violating the General Data Protection Regulation (GDPR). The fine is one of the largest ever imposed under the GDPR and sends a strong message to businesses that they must comply with the law.

Criteo is a global advertising technology company that collects and uses personal data to target ads to users.

What was the violation?

The CNIL found that Criteo had violated the GDPR in several ways, including:

  • Failing to obtain users' consent to collect and use their personal data.
  • Not providing users with clear and concise information about how their data was being collected and used.
  • Not giving users the right to access, rectify, and erase their personal data.
  • Not taking appropriate security measures to protect users' data.

What was the decision?

As mentioned earlier, CNIL filed Criteo EUR 40 million for the violations under GDPR.  In addition to the fine, the CNIL also ordered Criteo to take steps to comply with the GDPR, including:

  • Implementing a new consent management platform that complies with the GDPR.
  • Providing users with more information about how their data is being collected and used.
  • Giving users the right to access, rectify, and erase their personal data more easily.
  • Taking additional security measures to protect users' data.

The CNIL's decision is a significant victory for privacy advocates and a warning to other businesses that they must comply with the GDPR. It is also significant because it provides further guidance on how businesses can comply with the GDPR. The CNIL's decision makes it clear that businesses must:

  • Obtain users' consent to collect and use their personal data in a clear and concise way.
  • Provide users with access to their personal data and the right to rectify or erase it.
  •  Take appropriate security measures to protect users' data.

This decision is a major development in the field of data privacy and will have a significant impact on businesses that collect and use personal data. Businesses that fail to comply with the GDPR face the risk of significant fines and other penalties.

Criteo has said that it will appeal the CNIL's decision. However, the fine and the CNIL's order send a clear message to businesses that they must comply with the GDPR or face the consequences.

How can you avoid GDPR fines?

To avoid GDPR fines, you should take the following steps:

  1. Obtain valid consent from users to collect and use their personal data. The consent must be clear, concise, and freely given. This means that users must be able to understand what they are consenting to, and they must not feel pressured to consent.
  2. Provide clear and concise information about how their data is being collected and used. This information should be easy to understand and should be accessible to users. The information should include the following:
    - The purpose for collecting the data
    - The types of data being collected
    - How the data will be used
    - Who the data will be shared with
    - The rights of users to access, rectify, and erase their data
  3. Give users the right to access, rectify, and erase their personal data. Businesses should make it easy for users to exercise these rights. This may involve providing a way for users to download their data, correct any inaccuracies, or request that their data be deleted.
  4. Take appropriate security measures to protect users' data. This includes measures to prevent unauthorized access to or disclosure of data. This may involve using encryption, firewalls, and other security measures.

In addition to the steps listed above, you should also:

  • Conduct regular data audits to identify and address any compliance gaps.
  • Implement a data protection management system to document and track your compliance efforts.
  • Train employees on data protection best practices.
  • Have a plan in place to respond to data breaches.

Specifically, to address the violations in the article above, you should:

  • Make sure that your consent mechanism is clear and concise, and that it gives users a meaningful choice about whether to consent to the processing of their data.
  • Provide users with clear and concise information about how their personal data is being collected and used. This information should be easy to understand and should be accessible to users.
  • Make it easy for users to access, rectify, and erase their personal data. This may involve providing a way for users to download their data, correct any inaccuracies, or request that their data be deleted.
  • Implement appropriate security measures to protect users' data. This includes measures to prevent unauthorized access to or disclosure of data.
logo

Get Started For Free with the
#1 Cookie Consent Platform.

tick

No credit card required

Sign-up for FREE

Image

CPRA's 12-Month Purge: Syncing Salesforce and Zendesk Without Losing Your Mind

That 12-month data retention clock is ticking. If you're juggling customer data between Salesforce and Zendesk, California's privacy law has handed you a major technical challenge: purge personal information consistently across both platforms without disrupting operations or missing anything that could trigger a violation.

  • Legal & News
  • Data Protection
Image

EU AI Act Compliance: What Small Developers Need to Know Now

As a small developer or startup founder, you're stuck with a tough balancing act: meeting strict regulations without the deep pockets of tech giants. This breakdown cuts through the legal noise to focus on what actually matters for small shops under these new rules.

  • Legal & News
  • Data Protection
Image

Climate Data Privacy Risks and Litigation: Critical Developments for Organizations

Recent legal battles over climate data have triggered unprecedented questions about transparency, privacy protections, and stakeholder access rights. If your organization collects, uses, or depends on climate-related information, these emerging legal trends demand your immediate attention.

  • Legal & News
  • Data Protection