Why the GDPR investigation into Criteo could be a ‘line in the sand’ for ad tech
Europe’s General Data Protection Regulation has been enforceable since May 2018, yet there are still wildly different interpretations among ad tech companies as to what counts as user consent for the various methods they use to target and track users. Some industry onlookers are hopeful the outcome of a new GDPR enforcement investigation might shed more light on the issue.
Earlier this week, U.K.-based campaign group Privacy International claimed victory after discovering CNIL, the French data protection authority, had in January opened an investigation into French ad tech company Criteo. Privacy International filed complaints with the CNIL and Ireland and U.K. data protection authorities about Criteo and six other ad tech companies in November 2018, claiming the firms did not have a legal basis for the way they use consumer data.
“I can confirm that the CNIL has opened up an investigation into Criteo,” said a CNIL spokesman via email. “We are in the trial phase, so we can’t communicate at this stage.”
A Criteo spokeswoman also confirmed the investigation, which was earlier reported by TechCrunch, in a statement. (Criteo had also disclosed the investigation earlier this month in its latest 10-K financial filing with the SEC.)
“We are currently collaborating with the CNIL in their review and remain completely confident in our privacy practices,” said the Criteo spokeswoman. “Since our founding in Europe in 2005, we have developed our technology with the principle of ‘privacy by design’ guiding us, while helping our clients meet shopper expectations with advertising that is personalized and relevant.”
It’s unclear how long the investigation will take to meet a conclusion or what the outcome might be. Penalties for GDPR breaches can reach up to €20 million or 4% of annual global turnover, whichever is higher.
In January 2019, the CNIL issued Google a €50 million ($57 million) penalty notice over GDPR infractions, which the search giant said it would appeal. The prior year, the CNIL issued warnings to three location ad tech vendors — Teemo, Fidzup and Vectaury. Those investigations were closed and the company avoided fines. A number of investigations into other ad tech businesses are also ongoing across Europe.
Yet despite the flurry of regulator activity around the ad tech space, “there is still no case law yet in Europe to define what constitutes legitimate interest, or informed consent,” said Richard Kramer, senior analyst at Arete Research.
The more contentious of the two is “legitimate interest.” Under the GDPR’s legitimate interest lawful basis for processing data, businesses must prove they have undergone a lengthy test internally and checked that their interest in collecting the data outweighs the interest of the individual for not having the data collected. It must also be made easy for users to revoke that consent. Since GDPR was introduced, companies have been running the gamut on those definitions and how to correctly apply consent notices — particularly in the area of real-time-bidding, in which data is passed between scores of players in the ad tech daisy chain in the milliseconds before an ad loads on a page.
The 2018 Privacy International complaint, which also called out ad tech companies Tapad and Quantcast, explored how Criteo relied on user consent passed from its advertising and publisher partners to process user information for its wider shopper data business. According to the complaint, Criteo claimed it had what is known as a “legitimate interest” lawful basis under the GDPR to process such data in order to meet the contractual demands of its partners, which Privacy International said was insufficient.
The complaint called out for particular concern three Criteo products: Shopper Graph, which holds data on “more than 35 billion” online and offline shopping transactions; the Criteo Engine, which uses browsing and other data signals to predict a user’s likelihood to engage with an ad; and its Dynamic Retargeting ad product, which tracks shoppers who have shown interest in a product to target them with ads.
The CNIL’s final decision holds the potential to be “game-changing” for Criteo and the wider ad tech industry, said Wayne Blodwell, CEO at The Programmatic Advisory. “
“[Criteo] aren’t the company that gains consent, yet they are the ones being investigated for use,” Blodwell added. “Their position and liability in the process will be a flag in the ground for ad tech.”
Consent notices remain a big cause of contention in the European ad tech and publishing space. Criteo initially took a stance that if a user continued to browse a site after a consent notice had been displayed, they had showed implied consent, said Ratko Vidakovic, founder of ad tech consultancy AdProfs.
“[It] just shows how chaotic the whole interpretation and enforcement of GDPR is right now,” said Vidakovic.
News of the CNIL investigation comes early into the tenure of Criteo’s new CEO Megan Clarken, who joined the company in November with a remit to turnaround the business. Last month, Clarken unveiled her plan for Criteo to diversify revenue beyond its core retargeting capabilities by growing new business lines, such a its retailer ad network and its app-advertising product.
“I expect the topic of consent and data usage had already been the subject of multiple back and forth previous discussions between the CNIL and Criteo,” said Arete Research’s Kramer “It doesn’t make Megan’s task any easier, but is mostly a distraction.”
‘Boomer spring break’: Alaska Airlines is creating its own hype house for boomer influencers
With boomers being many of the first people vaccinated in the United States, the ability to get back to travel is more prevalent for that audience. So too was the pent up demand, according to Natalie Bowman, director of marketing for Alaska Airlines.
‘Culture is our number one export’: How an Atlanta-based marketing collective is pushing for tangible diversity gains
After a year of calls for radical change in the name of George Floyd, a collective of Atlanta advertising professionals is calling on the industry to put its money where its mouth is.
‘Inflection point’: Microsoft’s GM of Global Advertising Business on privacy, ad business growth
Digiday caught up with Steve Sirich, to hear how the company is pitching advertisers today and how work-from-home has impacted the company’s ad business.
SponsoredHow The Company Store is reimagining customer experiences for pandemic-era growth
Throughout the pandemic, some retail categories have been inherently successful. Home furnishings and décor are among them; with consumers spending so much more time at home, updates and renovations flourished. Criteo data from the first half of 2020 showed sales for items like outdoor furniture sets up 434% year over year, with other home items […]
Facebook is ‘not a researchers-friendly space’ say academics encountering roadblocks to analyzing its 2020 election ad data
As governments aim to regulate social media to assuage problems with misinformation and election meddling, researchers are skeptical of restrictions in new political ad data from Facebook.
Member ExclusiveMarketing Briefing: Marketers message around slowly returning to normalcy this summer after ‘the collective experiences we’ve lost’
As the vaccination rate continues to rise in the United States, marketers here are feeling comfortable messaging around a return to normalcy.