Earlier this week, the CNIL levied a €40 million fine on Criteo for violating the ePrivacy Directive and the GDPR through its use of cookies. That is roughly 2% of annual turnover and one of the highest (if not the highest) fines to date for cookie-related violations. Below are five key takeaways from this action:
- Proof of Consent Required - The CNIL noted that Criteo's cookies could not be placed on a user's terminal without the user's consent. Although collecting that consent is the responsibility of Criteo's partners, who are in direct contact with the website users, the CNIL found that Criteo is still required to verify, and be able to demonstrate, that those users gave their consent. The CNIL required Criteo to incorporate a new clause on proof of consent in its contracts. Partners must "promptly provide Criteo, upon request and at any time, with proof that the consent of the data subject has been obtained by the partner." I am interested to see whether the CNIL will come back to Criteo to see if this clause has been exercised. Accountability is the new king. Adtech companies will need a solution for auditing and demonstrating accountability in the U.S. and the EU, as regulators in both jurisdictions are no longer willing to let companies rely on paper assurances.
- The Right of Access Covers All Data - When individuals exercised their right of access, Criteo returned data from only 3 of the 6 tables in its database. In addition, Criteo did not provide enough information for someone to understand the content of those tables. Criteo has said it will address both issues by providing all data in its databases and supplementing its descriptions of what is being provided.
- Consent Can Be Given and Taken Away - The CNIL alleged that when a person exercised their right to withdraw consent, the process implemented by the company only stopped the display of personalized advertisements to that user; it did not stop all processing activities. Criteo addressed this by putting in place a procedure that allows individuals to exercise their right to withdraw consent directly by clicking the "Deactivate Criteo services" button in the company's privacy policy.
- Data Must Be Deleted Upon Request - In response to an erasure request, Criteo is alleged to have only stopped the display of personalized ads. It did not delete the identifier assigned to the person or erase the events related to that identifier. Because Criteo could not demonstrate that it had obtained consent to process each user's personal data, it could not rely on legitimate interests to continue processing the data after a deletion request. The takeaway here is that if you are going to hold on to data following a deletion request, you will need a well-reasoned position and a lawful basis for doing so.
- Joint Controller Agreements Work for AdTech - The CNIL did not challenge the joint controller agreements Criteo had in place with partners, but Criteo got dinged for not specifying all of the respective obligations of the controllers under the GDPR, such as handling the exercise of data subjects' rights, the obligation to notify the supervisory authority and data subjects of a data breach, or, where necessary, carrying out an impact assessment under Article 35 of the GDPR.