The French Data Protection Authority has imposed a €40 million fine for GDPR infringements.

By Myria Saarinen and Charlotte Guerin

On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo SA (Criteo). The CNIL imposed a €40 million fine for five infringements of the GDPR, in particular for failing to verify that data subjects had consented to the processing of their personal data for the purpose of targeted advertising.

Founded in 2005 and headquartered in France, Criteo specializes in behavioral retargeting, which involves tracking browsing patterns through cookies placed on users’ devices to facilitate personalized advertisements. Criteo collects browsing data tied to a cookie that is being placed when users visit certain partner websites (the Criteo cookie), and then uses the data to generate personalized online ads. Criteo will then show these ads to users when they visit other partner or customer websites. According to its corporate website, Criteo serves 5 billion ads per day and partners with more than 19,000 customers.

Following recent setbacks, the FTC seeks a foothold for monetary remedies in the online advertising space.

By Jennifer C. Archie, Antony “Tony” Kim, Michael H. Rubin, and Marissa R. Boynton

On October 13, 2021, the Federal Trade Commission (FTC) sent a Notice of Penalty Offenses Concerning Endorsements and Testimonials to more than 700 businesses (the Notice). The Notice does not identify any alleged violations of law. Rather, it reminds recipients that fake online reviews and misleading endorsements

Despite progress, the online advertising industry and UK regulators are still at odds over the “legitimate interest” definition under the GDPR.

By Olga Phillips and Elizabeth Purcell

Following publication of the UK Information Commissioner’s Office’s (ICO’s) report on adtech and real time bidding in June 2019, the ICO has been working closely with the online advertising industry to improve data protection practices by the end of the year.

Simon McDougall, the ICO’s Executive Director for Technology Policy and Innovation, reportedly stated at the recent AdTech London event that the ICO has made progress with the industry, including through workshops with Google and the Interactive Advertising Bureau Europe (IAB), which were both featured in the June report. However, McDougall noted that there is still “a very big difference” in how the online advertising industry and the ICO view the “legitimate interest” legal basis for processing personal data under the General Data Protection Regulation (GDPR). The ICO has yet to be convinced of the use cases in which the industry is seeking to rely on the legitimate interest basis.